Identity Protection Blog


Yahoo breach is 3 years old. You’re still at risk

By Mike Cetera
Thursday, December 15, 2016
Posted: 3 pm ET

Yahoo says your account has been hacked. Again.

The company in September disclosed that a "state-sponsored actor" stole the account information of more than 500 million users. In the newly disclosed breach, Yahoo says an "unauthorized third party" stole data from more than 1 billion accounts. The company believes the two breaches are unrelated.

This latest hack actually occurred more than three years ago, in August 2013, but Yahoo learned of the breach just last month when law enforcement approached the company with suspected user data in hand.

The amount of time that has passed since this breach occurred shouldn't be cause to relax. Even if you haven't been victimized, you still could be.

"The damage has not already been done," says Robert Siciliano, a Boston-based security expert and CEO of "You have to consider this is a billion records. It will take any criminal organization a lifetime to get through a billion records."


Names, dates of birth stolen

Siciliano says criminals are brokering the account data online, selling it in blocks of 10,000. "It has been for sale and continues to be for sale," he says.

In a statement and a note emailed to Yahoo account holders, the company said the stolen information includes:

  • Names
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Encrypted passwords
  • Security questions and answers (encrypted and unencrypted)

"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," the company wrote. "Payment card data and bank account information are not stored in the system the company believes was affected."

Still, the stolen data can be used to commit identity theft and for phishing campaigns aimed at stealing more sensitive data or gaining direct access to financial accounts. What's more, criminals can use the security question data to try to break into accounts on other websites.


5 steps you should take now

  1. Change your Yahoo password.

"Consumers can only hope that their data has not been currently accessed by a criminal," Siciliano says. "That being said, they should change all their passwords. They should look at the security questions they have on those accounts and determine if any of those security questions are similar to ones used on other accounts."

You might also consider setting up a password manager. It's a hassle, but it will make it more difficult for the bad guys to get into your other accounts.

  2. Review other accounts -- including credit cards and bank accounts -- for suspicious activity. Pull your credit report to look for signs of unauthorized accounts in your name.

"Go check your credit report and review to make sure all that information is yours," says Heather Battison, a vice president at TransUnion, one of the three major credit bureaus. "You need to check that information regularly because that's a living document that’s going to change."

  3. Avoid clicking on links or downloading attachments.

This advice used to be limited to emails you receive from someone you don't know, but another recent data breach -- that of the Democratic National Committee's email -- should teach us all that you probably shouldn't click on links even from a trusted source.

  4. Turn on two-factor authentication on all of your accounts, including Yahoo.

When you access your account from a new device, two-factor authentication prompts Yahoo to text you a one-time code you'll need to input in order to get into your account. "As long as you have that in place, in general, consumers should be in pretty good shape," Siciliano says.

  5. Conduct a broad review of the security questions and answers you use.

Look to pick obscure questions that have answers that are difficult to find elsewhere. And make sure you're answering different security questions across the various websites you use that require them. "If the criminal knows the answer to them, they can essentially use that data against you to access other accounts that you have," Siciliano says.  
