In what quite possibly could be the largest data breach in history, Yahoo confirmed Thursday that at least 500 million user accounts have been exposed.
Information stolen in late 2014 by what Yahoo calls ‘a state-sponsored actor’ “may have included names, email addresses, phone numbers, dates of birth, hashed passwords…, and in some cases, encrypted or unencrypted security questions and answers,” according to a Yahoo statement.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” the statement read.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts — including invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.
Are you a Yahoo user? Here’s what you can do now to protect yourself:
Assume you were affected and change your password on your Yahoo account.
Are you a password re-user? If you’ve used the same password on other accounts, change them. It’s best to use a unique password for each online account, but at least make sure you’re using unique passwords for your email and other sensitive accounts—including those that are financially related.
Yahoo asks users to consider using Yahoo Account Key, “a simple authentication tool that eliminates the need to use a password.”
You may also want to consider using a password manager, or two-factor authentication, which provides an extra layer of security for your online accounts. For example, after typing in your username and password, a code would be texted to your cell phone and you would need that code to log on to the account.
Beware of phishing. Fraudsters often take advantage of what’s going on in the news to send out phishing emails, hoping to trick you into taking action. In this case, a savvy fraudster might send you an email referencing this data breach, encouraging you to click on a link to change your password or asking for your personal information. That link may take you to a site that looks legitimate—for a bank or even Yahoo—but is a fake, intended to capture your login credentials.
As you consider your various accounts, think about which ones you no longer need. It might be a good idea to close them. Otherwise, you may be offering up user names and passwords, not to mention whatever other personal information those accounts hold, to the next hacker.
And it could take years for damage done to your identity to surface.
Enrolling in an identity theft recovery program and monitoring service like LifeLock can help protect your identity going forward. Protective coverage like this not only adds an extra layer of safety, but also gives you peace of mind knowing your identity is being proactively watched around the clock, regardless of whether the next data breach hits close to home.
Recently, Myspace users who set up an account during or before 2013 were notified of a data breach that is reported to have impacted 360 million accounts and 427 million passwords, according to a Motherboard report.
In comparison, LinkedIn's breach in 2012 compromised more than 100 million accounts, Motherboard also reported.
Additional information on the Yahoo breach that impacts half a billion users is available on the Yahoo Security Issue FAQs page.
-Cory Warren contributed to this report.