Privacy Commission Advisory on Yahoo Breach

Wazzup Pilipinas!

The National Privacy Commission (NPC), an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection, would like to reiterate the recommendations of Yahoo and cybersecurity experts to Yahoo users to change their passwords on their Yahoo accounts.

This follows after the compromise of half million user accounts from Yahoo’s servers in 2014 that was only discovered and confirmed by Yahoo this week. Below is what was posted on Yahoo’s email log-in page about the Account Security issue :

“We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. “

Other than changing their Yahoo log-in credentials, the NPC also recommends that Yahoo users change log-in credentials of their other online accounts where they might have used their Yahoo email for account verification purposes. The security questions on Yahoo might also have been compromised and it would be a good idea to revise the security questions or disable that feature. The NPC also recommends activating two-part authentication to gain first time access to your account. Two-part authentication uses a phone number you provided to verify your identity.

According to Privacy Commissioner Raymund Enriquez Liboro; “A compromised email account can be an avenue for a hacker to gain access to other personal on-line accounts of an individual, from social media sites to on-line payment portals. That is why it is important to maintain good password hygiene, use pass phrases with numbers or special characters instead of single words, take note of log-in attempts into your account/s that weren’t initiated by you, and change your password/s two to three times a year, or as many times as you change your toothbrush” Commissioner Liboro added.

It was revealed at a Microsoft Cybersecurity Summit for government agencies that it takes an average of 502 days for system administrators to detect a security breach.