On September 22, 2016, Yahoo announced that it had discovered evidence of a data breach that occurred back in 2014. Although this data breach occurred a long time ago, news about it is taking center stage for a couple of reasons.
For one, the data breach is enormous in size — hackers stole information from at least 500 million user accounts, according to Yahoo. The stolen data included names, email addresses, telephone numbers, birthdates, passwords, and security questions and answers. At this time, Yahoo officials believe that payment card and bank account data was not stolen, as that information was not stored in the system that was hacked.
Besides the massive size of the data breach, the Yahoo attack is noteworthy because of claims that the company intentionally waited to tell its investors and the public about it. Several U.S. senators have demanded that Yahoo provide a briefing to the U.S. Congress about the ongoing investigation of the breach. One U.S. senator has even asked the U.S. Securities and Exchange Commission to investigate the matter.
While the ramifications for Yahoo will be significant if the claims are true, it will take a while for the truth to be uncovered. At this time, there are much more pressing matters that Yahoo account holders and anyone else who uses the Internet need to be concerned about.
If you have a Yahoo account, you need to take immediate action in order to avoid becoming an identity theft victim. Even if you do not have a Yahoo account, you should still take measures to protect your online accounts from future data breaches.
What You Should Do If You Have a Yahoo Account
Yahoo has emailed potentially affected users about the data breach and has posted additional information about it on the Account Security Issue FAQs web page. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access accounts.
If you received this email, you need to immediately change your password as well as your security questions and answers. If you have a Yahoo account but did not receive the email, Yahoo recommends changing your password, assuming you have not done so since 2014.
You might also want to change the passwords of your other online accounts in case you used your Yahoo password (or a variation of it) for them. Hackers know that people often reuse passwords, so they may try to use your Yahoo password on other websites.
You also need to be aware that other cybercriminals might try to take advantage of this data breach. Pretending to be from Yahoo, they may send you an email that asks you to provide personal information, click a link, or open an attachment. Doing so could result in you becoming a cyberattack victim.
Yahoo’s email will display the Yahoo icon when viewed through Yahoo’s website or Mail app. More important, it will not ask you to provide personal information, click a link, or open an attachment. You can see copies of the emails that Yahoo has sent out for various geographic regions on the Yahoo Security Notice web page.
How to Protect Your Online Accounts from Future Data Breaches
Even if you have not been affected by the Yahoo data breach, you might be the victim of one in the future. While there is nothing you can personally do to prevent data breaches in organizations, you can take a few measures to protect your personal data if one occurs:
- Do not reuse passwords. You should create a unique, strong password for each online account. That way, if one of your online accounts is hacked, cybercriminals will not be able to use its password to access the others.
- Use two-step verification. When possible, use two-step verification (aka two-factor authentication) for your online accounts. It adds another layer of security, making it harder for hackers to gain access to your account, even if they know your password.
- Use incorrect or nonsensical answers to security questions. Cybercriminals like to check social media sites to get personal information that might help them answer security questions such as “What is your favorite food?” and “Where did you go to high school?” By giving incorrect or nonsensical answers, you can keep hackers from using that information to change your password and hijack your account.