Thursday, September 22, 2016

If You Have ATT.NET Mail, You Are Part Of The Yahoo Password Disaster

On September 22, Yahoo! announced that some 500 million email accounts had been compromised. If you have email that ends in att.net, you very well might have had your email password and other personal information stolen. Here's what you need to know if you're an AT&T customer through the company's DSL service, U-Verse, or other products.
First, some background. It turns out that even though Yahoo! finally got around to letting their users and Verizon, the company getting ready to buy them, know about the breach today, the crime happened in 2014, at least according to Yahoo's official statement:
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
It's all the rage now to blame rogue governments for any kind of data breach, so it's no wonder that Yahoo is using that tactic. Regardless of who stole the information, it's freely available on the Dark Web, and that means your email information, as well as anything you've associated with the account, could end up in the hands of Bad Guys.

If you call AT&T to get some help with this problem, a few things will happen. First, you'll be told that they don't know for sure if your information has been compromised. That's true, but if there's even a slight chance that it has been stolen, changing your password is the smart thing to do. You'll also be told that if you change your email password, it will not affect any password information on other AT&T services such as television or wireless that may be associated with your AT&T account. That is a flat-out lie. In most cases, if you change your email password, everything you have connected to AT&T will have its password changed as well. And there's no way around that happening.
Having all those passwords changed might not be the worst thing in the world. Sometimes refreshing passwords is just good security. However, AT&T won't tell you that once you change your email password, you'll have to change passwords for everything else connected to your AT&T accounts. That means your billing information, any apps that work with your accounts, and other services. It might take an hour or two to fix all the passwords that got changed, so be prepared.

All of that will get you through the first part of the process of trying to protect your email, but what do you do in the long run? Far and away the smartest thing to do is get away from any service running on Yahoo's servers. At some point AT&T may wise up and change to another email provider, but for now, if you want to keep your AT&T address, you are stuck with Yahoo. There are dozens of other good free email services out there, and unless you rely on your current email address for critical items, you might want to retire it temporarily and use another service.

Another thing you can do is just dump AT&T email for good. It's pretty easy to export all of your data to other services, forward email from AT&T to your new address, and most likely be safer than you are today when it comes to the security of your personal information. That's what I'm doing, and what I'm advising my family to do as well.
A lot of things are different in 2016 than they were before. One of them is that nothing online is as secure as you think it is. Yahoo! taking almost 2 years to tell the world about a breach that affected half a billion customers is proof of that. Do business with and use services that you trust, use very strong passwords, and change them a couple of times a year. You will probably thank yourself the next time you read the story about a huge data breach.

And, sadly, there WILL be a next time.