Yahoo's mega breach shows how vulnerable data is

NEW YORK -- The revelation of Yahoo's latest hack underscores what many Americans have known for years: All those emails, photos and other personal files stored online can be stolen easily, and there's little anyone can do about it.

The only saving grace is the attackers apparently did not exploit the information for fraud. But their true motives remain a mystery.

While there are a number of straightforward measures all users should take to protect themselves, relatively few people actually do. And in this case, doing so wouldn't really have mattered; even the most scrupulous individual countermeasures could only limit the damage.

"Yahoo users could have had immaculate computer security and still been the victim here," said Will Ackerly, chief technology officer at Virtru, a computer-security firm he co-founded after working for eight years at the National Security Agency.

"Short of using encryption, there's no way to keep your email from being compromised in this kind of hack."

The mega breach disclosed Wednesday exposed more than a billion user accounts, the largest such attack in history. The company said the attack happened in August 2013, although Yahoo discovered it only recently.

Worse, the company's announcement followed a similar announcement in September about a 2014 hack Yahoo ascribed to an unnamed foreign government. That breach affected 500 million accounts.

Some experts believe the record-breaking amount of data stolen in the breach announced Wednesday also points to state-sponsored hackers in search of a specific target, which could be why three years later, the data still hasn't been spotted for sale on the web.

Neither Yahoo breach has been linked to online fraud or any specific repercussions for Yahoo users.

But their disclosure closely follows U.S. intelligence concerns about Russian hacking of Democratic emails during the presidential campaign -- not to mention recent attacks on a major health insurer, a medical lab-test company and the government office that manages millions of federal employees.

"The lesson is clear: No organization is immune to compromise," said Jeff Hill, director of product management for cybersecurity consultant Prevalent.