Yahoo says your account has been hacked. Again.
The company in September disclosed that a "state-sponsored actor" stole the account information of more than 500 million users. In the newly disclosed breach, Yahoo says an "unauthorized third party" stole data from more than 1 billion accounts. The company believes the two breaches are unrelated.
This latest hack actually occurred more than three years ago, in August 2013, but Yahoo learned of the breach just last month when law enforcement approached the company with suspected user data in hand.
The amount of time that has passed since this breach occurred shouldn't be cause to relax. Even if you haven't been victimized, you still could be.
"The damage has not already been done," says Robert Siciliano, a Boston-based security expert and CEO of IDTheftSecurity.com. "You have to consider this is a billion records. It will take any criminal organization a lifetime to get through a billion records."
Names, dates of birth stolen
Siciliano says criminals are brokering the account data online, selling it in blocks of 10,000. "It has been for sale and continues to be for sale," he says.
In a statement and a note emailed to Yahoo account holders, the company said the stolen information includes:
- Email addresses
- Telephone numbers
- Dates of birth
- Encrypted passwords
- Security questions and answers (encrypted and unencrypted)
"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," the company wrote. "Payment card data and bank account information are not stored in the system the company believes was affected."
Still, the stolen data can be used to commit identity theft and for phishing campaigns aimed at stealing more sensitive data or gaining direct access to financial accounts. What's more, criminals can use the security question data to try to break into accounts on other websites.
5 steps you should take now
- Change your Yahoo password.
"Consumers can only hope that their data has not been currently accessed by a criminal," Siciliano says. "That being said, they should change all their passwords. They should look at the security questions they have on those accounts and determine if any of those security questions are similar to ones used on other accounts."
You might also consider setting up a password manager. It's a hassle, but it will make it more difficult for the bad guys to get into your other accounts.
- Review other accounts -- including credit cards and bank accounts -- for suspicious activity. Pull your credit report to look for signs of unauthorized accounts in your name.
"Go check your credit report and review to make sure all that information is yours," says Heather Battison, a vice president at TransUnion, one of the three major credit bureaus. "You need to check that information regularly because that's a living document that's going to change."
- Avoid clicking on links or downloading attachments.
This advice used to be limited to emails you receive from someone you don't know, but another recent data breach -- that of the Democratic National Committee's email -- should teach us all that you probably shouldn't click on links even from a trusted source.
— Mike Cetera (@MikeCetera) December 13, 2016
- Turn on two-factor authentication on all of your accounts, including Yahoo.
When you sign in from a new device, two-factor authentication makes Yahoo text you a one-time code that you must enter before you can get into your account. "As long as you have that in place, in general, consumers should be in pretty good shape," Siciliano says.
- Conduct a broad review of the security questions and answers you use.
Look to pick obscure questions that have answers that are difficult to find elsewhere. And make sure you're answering different security questions across the various websites you use that require them. "If the criminal knows the answer to them, they can essentially use that data against you to access other accounts that you have," Siciliano says.