Yahoo has a massive security issue on its hands: the company has confirmed the biggest data breach in history, with over 500 million mail accounts hacked and user data stolen by cyber-criminals. The hacking took place in 2014, and Yahoo has taken two years to inform users about it, which is a serious problem in itself.
Yahoo is blaming a state-sponsored actor for this hacking and data breach, and says this is an ongoing investigation. According to Yahoo’s Chief Information Security Officer Bob Lord, they don’t think “the state-sponsored actor is currently in Yahoo’s network,” but in light of the data breach, Yahoo is asking all users to change their passwords and secure their accounts. So what should you do as a Yahoo user to protect your account? We break it down for you below.
First up: What information has been stolen from Yahoo?
Based on the statement put out by Yahoo’s CISO, the extent of data stolen is vast and it is a serious data breach. With 500 million accounts being targeted, this is possibly one of the biggest data breaches in history.
Yahoo says “account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” The last bit is particularly important because it means hackers have gotten their hands on security questions, and it looks like in some cases these were unencrypted, leaving the accounts completely vulnerable. So a user will need to change their password and security questions as well in order to secure their Yahoo account.
Yahoo says “stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.” Of course, this is still an ongoing investigation, and for those who have credit card or bank information linked with Yahoo, it’s time to review that data and secure it as well. Yahoo says it is working closely with law enforcement on this matter.
So what is Yahoo doing for users?
Yahoo says it has begun notifying “potentially affected users.” The content of the email Yahoo is sending to those users will be available at yahoo.com/security-notice-content.
And users need to “promptly change their passwords and adopt alternate means of account verification.” Yahoo has also invalidated unencrypted security questions and answers so they cannot be used to access an account, so you’ll need to change these as well.
Anyone who has not changed their password since 2014 needs to do this immediately. When you log in to your Yahoo account you should get the Security notice, which will ask you to change your account security information.
Yahoo adds, “We continue to enhance our systems that detect and prevent unauthorized access to user accounts.”
What should a Yahoo user do?
First up, “change your password and security questions and answers,” on Yahoo. If you use the same questions or passwords for any other account as you do on Yahoo, you need to go and fix those as well. Remember, it is bad practice to use the same security questions and passwords for different accounts.
Yahoo also says a user should review their accounts for suspicious activity. Check whether emails have been sent from your account that you didn’t send, and monitor your credit card activity as well.
Also ignore mails that ask for your personal information or refer you to a web page asking for personal information. Just mark them as Spam. And don’t click on links or download attachments from unknown senders or suspicious email IDs.
Yahoo is also asking users to consider using “Yahoo Account Key”, which is an authentication tool that eliminates the need to use a password altogether.
How will I know if my Yahoo account is compromised?
Yahoo is sending users an email and posting additional information on its website. Even if you don’t see the message asking you to change the account information, it’s better to do so, especially if you have a lot of personal mail on Yahoo.
Is my Tumblr account also going to be affected?
Yahoo says the “systems from which the data was stolen contained no Tumblr user data at the time of the theft.” But if you’re worried about your Tumblr blog being compromised, go ahead and change the password, and the account information as well. Don’t reuse a password or security questions from any other account for this Tumblr account.
Is there a Yahoo helpline I can call?
All the information on the account and data breach can be found on help.yahoo.com, and direct customer support is also present there. However, Yahoo warns users should not engage “with fraudulent online fee-based, toll-free-number services PRETENDING to be Yahoo support.” All support is via the official Yahoo help website.