Your Yahoo account info was definitely hacked — here’s what to do
In September 2016, Yahoo revealed a hack that compromised 500 million user accounts. In December, the company revealed yet another hack, this time affecting a record 1 billion accounts. On Tuesday, Yahoo updated that number to all 3 billion accounts its services.
And yes, that includes yours.
The hack exposed names, email addresses, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions. Here’s what you can do now to protect yourself.
Log into your Yahoo account
This might sound obvious, but if you’re like a lot of people, you might not use Yahoo Mail as your primary email account. Yahoo has 1 billion monthly active users on its services overall and just 225 million monthly active users for its Yahoo Mail service, according to figures the company gave CNET in June.
So check the email affiliated with your Yahoo account if you haven’t already. Yahoo has started sending out notifications to users, and you should be receiving one at that account if you were affected by the data breach.
Change your password
If you haven’t changed your password in a few years, do it — now. The company says the passwords that hackers stole were encrypted — scrambled up with a tool called bcrypt. This kind of encryption can potentially be broken with enough persistence, said Brett McDowell, executive director of the FIDO Alliance, a nonprofit group that vets login systems.
That’s especially true “when the attacker can make relatively accurate guesses at what the password might be,” McDowell said. “Yahoo users with relatively weak or obvious passwords should take the recommended precautions.”
I’m looking at you, “passw0rd.”
Ask yourself, ‘Did I use this password somewhere else?’
It’s a common habit. Use the same password for lots of different accounts. If this breach has anything to teach you, it’s that this is a terrible idea.
If you recycled your Yahoo password on a different account, go change your password on that account too. The hackers who have your password could easily try it on a whole bunch of different websites — think bank websites or health insurance websites — to try to access information beyond your Yahoo account.
Don’t let them.
Change your security questions and answers — everywhere
Since the hack exposed security questions that were not encrypted, change them. If you used the same security questions for other sites or services, change those, too. And if you’re unsure, change them anyway.
It’s a headache, but doing so could save you a huge inconvenience in the future. Security questions are often used to verify identity and gain account access, without the help of email verification.
Some security experts go as far as recommending you create random, unique answers to security questions like, “Where was your mother born?” since, often, that information is easy to uncover. That’s a high expectation for most normal folks, so instead…
Enable two-step verification
If you plan to keep your Yahoo account, enable two-step verification. It’s one of the best forms of account security widely available on sites like Yahoo. Two-step means that after you log in with your password (as usual) Yahoo will text you a security code, which you’ll enter in the next step.
This way, only someone who has in-person access to your phone (you) can access your account — even if the password entered was correct.
As with changing your security questions on all services, take the time to enable two-step verification on other websites, like Facebook, Google, Twitter and so on.
Think twice before deleting accounts
Yes, it’s tempting to want to wash your hands and sever ties with Yahoo after such an egregious violation. But doing so can actually open you up to additional security headaches. That’s because Yahoo deleting your account lets Yahoo recycle your old email address — thus letting someone spam every site they can find with “forgot password” requests and/or otherwise impersonate you using a known (albeit out-of-date) alias.
Better to leave the account inactive — but with two-step verification turned on.