What can you learn from the Yahoo! hack?

So, Yahoo! has been hacked, and some 500 million account records stolen, allegedly by a “state-sponsored” agency. Apart from worrying about what you might have kept on Yahoo!, and whether using the same password for your social media account and your bank account was really a good idea, what does this mean for you?

First off, it’s a reminder that there’s no such thing as an impregnable system. Our computing infrastructure is an evolved mishmash of thousands of elements, some of them decades old, many of them written for free by academics or hobbyists, with many of the standards stemming from a time when it hadn’t occurred to anybody that not everyone would play nicely together. Protecting it is a full-time job, with a lot of headaches; if you’re up against the best and brightest, with the deep pockets of a state behind them, you’re only going to fight a delaying action at best.

But to be honest, being hacked by a state agency isn’t really the problem. For a start, thanks to Edward Snowden, we know that a good deal of the West’s internet traffic is already intercepted by our own security agencies. More importantly, state agencies are unlikely to try to steal your money or use your systems as zombies to attack others – although both do happen – so unless you’re involved with critical national infrastructure or serious trade secrets, it’s probably not worth worrying too much about North Korea, Russia or the NSA.

However, the trouble with the tech world is that it’s leaky. Whatever exploit or technique the “state-sponsored agency” used to break into Yahoo! will be in the hands of criminals sooner rather than later. Genies don’t go back into bottles. So if you don’t pay attention to the means used to break into these high-profile targets, and patch your systems or update your processes accordingly, someone who is interested in stealing from you, holding you to ransom, or exploiting your network to attack others will be along shortly, armed with only slightly dog-eared state secrets.

So, yes, do please change your passwords – and do use passphrases, and a different one for every site – but above all, find out what Yahoo! got wrong and avoid making the same mistakes yourself.
