Yahoo has officially confirmed that all 3 billion user accounts were compromised in the 2013 data theft incident. Yahoo first disclosed the August 2013 data theft on December 14, 2016. With over 3 billion accounts now confirmed as hacked, Yahoo has updated the FAQ and the security steps that users should follow for their accounts.
In December 2016, Yahoo had claimed that one billion of the approximately three billion accounts that existed in 2013 were compromised. It had then sent users emails asking them to update their passwords, security questions and answers, and so on. Users who still use their Yahoo account and have had one for a long time should keep these steps in mind to secure their accounts.
The Yahoo data theft was in 2013, so why should I secure my account now?
As Yahoo has confirmed, all 3 billion accounts were compromised at the time. This means that although the data theft happened in 2013, if you didn’t secure your account in 2016, it is still vulnerable to hacking. Yahoo says that in 2016 it had asked users to change passwords and had “invalidated unencrypted security questions and answers.” The old security questions can’t be used to access the account anymore.
Information stolen includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo claims that passwords in clear text, payment card data and bank account information were not stolen, but if you think yours is still at risk, it is time to alert the bank.
How serious was the Yahoo data breach?
Yahoo’s 2013 data breach was not just about the volume of data that was stolen, with nearly 3 billion accounts compromised. Hackers had also managed to create forged cookies, which would have given them free access to a user’s account without the need for a password. Yahoo had said in its SEC filing at the time that an unauthorised third party had gained access to its “proprietary code” to learn how to forge cookies.
How do I know that the email from Yahoo asking me to change my password and secure my account is actually from Yahoo?
Yahoo says “the email from Yahoo about this issue will display the Yahoo icon Purple Y icon when viewed through the Yahoo website or Yahoo Mail app.” Also, the email DOES NOT ask users to “click on any links or contain attachments and does not request your personal information.” Emails that ask for personal information or ask you to download attachments are not from Yahoo, the company says.
Changing your password is a must. Also change your security questions. And if you’re still not convinced about the security, you can close the account.