It’s much worse than we thought. We already knew that 1 billion Yahoo accounts were impacted by a 2013 hack, but new evidence places that number much, much higher. Yahoo is now sending out a notice that all 3 billion of its accounts were impacted by the breach.
Yahoo is now a part of Oath after it was purchased by Verizon for 4.5 billion dollars and merged with AOL. During that integration process, new evidence was discovered by forensic experts. It indicated that every account was impacted in the August 2013 hack, not just the 1 billion Yahoo had previously disclosed. That’s every single account whether it was used for email access, Flickr, Fantasy Football, or something else.
Verizon is in full damage control mode now. In a statement released to the media, Chief Information Security Officer Chandra McMahon had this to say:
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Verizon and Yahoo have also made it clear that no clear-text passwords, credit card data, or bank account information has been stolen. For affected accounts, Yahoo previously said that “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” may all be included in the stolen data.
When the hack was announced in 2016, Yahoo invalidated all forged cookies and unencrypted security questions and answers. It also triggered password resets for those affected accounts and for accounts that hadn’t changed passwords in a while. Yahoo has now provided some simple steps for users to protect themselves in the wake of this breach:
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo Account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
If you do decide to stick with Yahoo, it also recommends that you use Yahoo Account Key to forgo the password process entirely.
Between the hacks of Equifax, Yahoo, Target, and Home Depot, it seems like everyone’s data is up for grabs at the moment. We strongly suggest using complex passwords or using a password manager like LastPass, Enpass, or 1Password. It won’t keep you completely safe, but it will help secure your accounts.
Also, keep an eye on your credit report. While no Social Security numbers or financial information may have been breached in the Yahoo attack, the same can’t be said for the Equifax hack. You can download Credit Karma for free to watch out for suspicious activity or pull your free credit report from Annual Credit Report. Beyond that, you can place a fraud alert on your credit file or completely freeze your credit. You’ll have to contact each agency individually to go through that process.