In December 2016, Yahoo announced what is believed to be the largest ever breach of an email provider. Data associated with more than one billion user accounts was stolen in August 2013 but the theft was only recently discovered. That means that the hackers had more than three years to use the data. This follows Yahoo’s September 2016 announcement of a 2014 breach of 500 million user accounts. With these two hacks, “Yahoo has now won the gold medal and the silver medal for the worst hacks in history,” according to Hemu Nigam, CEO of online security company SSP Blue.
Who was affected? According to security expert Brian Krebs, Yahoo has about 1 billion user accounts. If you had an account in August 2013, it is likely that your account was compromised. You also need to know that Yahoo accounts are used on sites other than Yahoo.com. For example, British Telecom (BT) uses Yahoo for its customer email, as have SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Rogers customers in Canada may also have Yahoo email addresses. You may have a Yahoo account without the word “yahoo” in the address. Yahoo credentials are also used to log in to Flickr, Tumblr and many other sites.
It is believed that the stolen user data may have included names, email addresses, telephone numbers, birthdates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The breach is not believed to have included users’ credit card numbers or banking information. Although financial information was not taken, hackers could use stolen password and email combinations to target other accounts where the same combinations were used, and the affected email addresses may be targeted with phishing attacks.
As there are an estimated 3 billion Internet users, a data breach affecting 1 billion accounts affects a significant percentage of the online community. Yahoo has implemented security controls, such as requiring users who had unencrypted security questions to create new ones. The company recommends that users change their passwords. It also recommends that passwords and security questions be changed for other non-Yahoo accounts where the same passwords or security questions were used.
In addition to changing passwords and security questions on all accounts using the same data as your Yahoo account, WeLiveSecurity.com also recommends getting a password manager and using two-factor authentication where it is available.