In September, Yahoo announced what was at the time thought to be the biggest data theft ever, with 500 million accounts breached. It turns out that was just the tip of the iceberg: we've just learned that another 1 billion Yahoo accounts were compromised in an earlier—likely unrelated—attack in August 2013. While hackers didn't get any financial information, they did acquire logins, encrypted passwords, birth dates, secret questions and answers, and other personal data.
And while we know—or should know—not to reuse passwords across multiple sites, the rest of the stolen data is concerning. Security questions and answers, which typically use basic factual information to verify your identity, are especially worrying because we often reuse those details across multiple accounts. (And we're learning that to stay secure, we shouldn't answer those questions truthfully.)
Yahoo is making affected users change their passwords and, in some cases, update their security questions, but you should do more—even if your account wasn't among those hacked. Here are the steps Yahoo users should take immediately:
Change your password.
If you've ever used your Yahoo password as the password to log in to any other sites or services, change those account passwords.
If you used the same answers to secret questions on other sites, you need to change those answers. If you aren't sure what secret questions and answers you've used, it's a good time to go through and update the answers everywhere.
For extra security, turn on two-factor authentication for your Yahoo account.
If you don't have a Yahoo account, there's no reason to be complacent. More breaches will happen, and you can take steps to protect yourself now. This is what we recommend for all Internet users:
Never share passwords between accounts. If you have accounts using the same passwords, change them now, before a security breach at one site means all of your passwords are compromised.
Follow our tips for creating a strong password.
Use a password manager to help make the process of managing multiple passwords simple. Don't write your passwords down and definitely don't keep them on a Post-it note stuck to your monitor.
Use two-factor authentication for sites that support it. This requires you to enter your username, password and an additional code (typically texted to your phone) in order to sign in—and it means that even if hackers get your password, they can't get into your account. Check this list of services that support two-factor authentication to find out if your frequently-used sites are on the list.
Lie when answering secret questions. (This is information you can also keep track of using a password manager.)
Delete accounts you don't use anymore. This won't necessarily protect you from a future breach if the service keeps your data on file, but there's no reason to leave personal data stored on a service you no longer use.
Whether you've been affected by this hack or not, beware of scams in the coming weeks. With a huge security breach like this we're certain to see scammers sending emails and making phone calls trying to convince you that your account has been compromised—and you need to give them your personal information to fix it. But while such messages sound important, they can be a fast track to having your information stolen again. Never give out personal information in response to an unsolicited email or phone call, no matter how legitimate it seems. Instead, contact the company directly to be sure you're taking appropriate measures—and not simply handing over your data to another scam.
Now, get to changing those passwords, everyone!
[Image credit: Yahoo mail on phone via BigStockPhoto]