Yahoo did the unthinkable yesterday. It broke its own record for the biggest security breach ever, when it announced that a billion users’ details were hacked three years ago. This is a separate incident from the previous record-setting, 500 million improperly accessed accounts that it revealed in September 2016.
In light of these massive security lapses, a number of questions are being asked, such as: Is the Verizon deal dead? How do you close your Yahoo account? And actually—why doesn’t Yahoo just do everyone a favor and close itself down?
That last question isn’t as outrageous as it sounds. Consider that Yahoo reported that it has over a billion users in its most recent annual report and you get a sense of how big a screw up this latest hack is. It’s even more damning when you consider that the hack happened in August 2013 and Yahoo reported just 800 million active monthly users (pdf) that year.
Paradoxically, even if Yahoo removed itself from this earth today and told its users—of Flickr, Yahoo Mail, and other services—to entrust their data to other providers, the problem of insecure accounts is likely to be made worse, not better.
That’s because users still engage in the self-destructive behavior that deepens damage from a hack: password reuse. Even though it’s bad for security, people cannot resist using the same password across multiple online services. One estimate puts password reuse as high as 49%, meaning people use one password for every two online services. “It’s clear that passwords are the weakest link,” says Martijn Verbree, a partner in KPMG’s cybersecurity practice.
If Yahoo shut down, its users would simply go to a new service and there would be nothing to stop them from reusing their old Yahoo password. By contrast, staying with Yahoo means those accounts that were breached would be forced to reset their passwords, among other security measures.
Since generating and remembering a bunch of long, complex, passwords is difficult, security experts recommend using a password manager. These apps generate unique, complex passwords for each online service, and handle them all for you. “If you’re using a password manager, you simply change the single affected password and get on with your day,” says Ron Winward of security vendor Radware.
Yahoo’s security measures may be as watertight as a sieve, but at least a forced password reset means you can’t reuse that comfortable, old, password—that’s now in the possession of a hacker.