In what could quite possibly be the largest data breach to date, Yahoo confirmed in September 2016 that at least 500 million user accounts had been exposed.
Information stolen in late 2014 by what Yahoo calls ‘a state-sponsored actor’ “may have included names, email addresses, phone numbers, dates of birth, hashed passwords…, and in some cases, encrypted or unencrypted security questions and answers,” according to a Yahoo statement.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” the statement read.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts — including invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.
Are you a Yahoo user? Here’s what you can do now to help protect yourself:
Assume you were affected and change your password on your Yahoo account.
Are you a password re-user? If you’ve used the same password on other accounts, change the password on each of those accounts too. It’s best to use a unique password for each online account, but at least make sure you’re using unique passwords for your email and other sensitive accounts, including those that are financially related.
Yahoo asks users to consider using Yahoo Account Key, “a simple authentication tool that eliminates the need to use a password.”
You may also want to consider using a password manager, or two-factor authentication, which provides an extra layer of security for your online accounts. With two-factor authentication, for example, after typing in your username and password, a code would be texted to your cell phone and you would need that code to log on to the account.
Beware of phishing. Fraudsters often take advantage of what’s going on in the news to send out phishing emails, hoping to trick you into taking action. In this case, a savvy fraudster might send you an email referencing this data breach, encouraging you to click on a link to change your password or asking for your personal information. That link may take you to a site that looks legitimate—for a bank or even Yahoo—but is a fake, intended to capture your login credentials.
As you consider your various accounts, think about which ones you no longer need. It might be a good idea to close them. Otherwise, you may be offering up user names and passwords, not to mention whatever other personal information those accounts hold, to the next hacker.