New York, NY - December 15, 2016 - Attorney General Eric T. Schneiderman urged all New Yorker to take immediate steps to protect their personal information online, in the wake of Yahoo’s recent disclosure that a third party had breached its servers and accessed the personal data of over 1 billion users. This follows news of a 2014 breach of Yahoo’s servers which compromised the data of a reported 500 million users.
The Attorney General’s office is in touch with Yahoo, and is currently examining the circumstances of the breach and Yahoo’s disclosure of the breach to law enforcement.
“This latest breach of Yahoo’s servers is a stark reminder that big data hacks are increasingly becoming the new normal,” said Attorney General Schneiderman. “In light of that reality, I urge all New Yorkers to take essential steps to increase security of their personal information online and identify whether or not they’ve been the victim of identity theft.”
The data compromised includes email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.
The Attorney General urges anyone with a Yahoo account to change their passwords and security questions -- not only with Yahoo accounts, but for any other accounts which you use the same or similar information. The A.G. also recommends that consumers review all online accounts for suspicious activity; be cautious of any unsolicited communications that ask for personal information, including those that provide a hyperlink or attachment where you are requested to click, or refer you to a web page asking for personal information.
In light of the risks posed by data security breaches, individuals should remain vigilant and take action to protect themselves against breaches.
The Attorney General’s Office would also like to remind consumers about these common sense ways to protect themselves:
- Create strong passwords for online accounts and update them frequently. Use different passwords for different accounts, especially for websites where you have disseminated sensitive information, such as credit card or Social Security numbers.
- Carefully monitor credit card and debit card statements each month. If you find any abnormal transactions, contact your bank or credit card agency immediately.
- Do not write down or store passwords electronically. If you do, be extremely careful of where you store passwords. Be aware that any passwords stored electronically (such as in a word processing document or cell phone’s notepad) can be easily stolen and provide fraudsters with one-stop shopping for all your sensitive information. If you hand-write passwords, do not store them in plain sight.
- Do not post any sensitive information on social media. Information such as birthdays, addresses, and phone numbers can be used by fraudsters to authenticate account information. Practice data minimization techniques. Don’t overshare.
- Use two-factor authentication. Take advantage of a websites offering of two-factor authentication, which uses a second piece of information besides username/password, that only the user would know, to authenticate the user prior to access to the account.
- Always be aware of the current threat landscape. Stay up to date on media reports of data security breaches and consumer advisories.
Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data. The Attorney General recently proposed new legislation to make consumer information more secure.