It’s new and it’s big.
A billion Yahoo user accounts have been breached, the company announced Wednesday.
The revelation comes on the heels of a separate Yahoo breach affecting 500 million user accounts — disclosed in September.
Forensic experts say an unauthorized third party, in August 2013, stole data associated with more than 1 billion user accounts, including names, emails, phone numbers, birthdates, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers, according to the Yahoo statement.
Yahoo hasn’t been able to identify the intruder of the theft, which included data accessed without a password using forged cookies.
However, the company “has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on Sept. 22, 2016,” the Yahoo statement released Wednesday read.
The “experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”
Yahoo is notifying potentially affected users and has stated that it has taken steps to secure their accounts — including invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords, according to Yahoo’s Chief Information Security Officer Bob Lord.
Yahoo believes that the investigation indicates that the stolen data did not include payment card data or bank account information, an email account can be a treasure trove for cybercriminals.
Once a thief has your email password, it can be used to access a variety of information you may store or have access to in your emails. And if that password is the same one you use for other accounts, thieves could now have access to a variety of personal information — from retirement and bank account statements to personal email exchanges and photos, your identity can be pieced together by a cybercriminal and possibly used to steal your identity, access financial accounts and more.
And it could take years for damage done to your identity to surface.
Enrolling in an identity theft recovery program and monitoring service like LifeLock can help protect your identity going forward. Having protection like this will give you peace of mind knowing your identity has proactive protection, regardless of whether the next data breach hits close to home.
Yahoo offers these tips for account holders following the breach of 1 billion users
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account. Do not use the same password for multiple accounts — especially those containing sensitive information like your bank and social media accounts.
- Review all of your accounts for suspicious activity.
- Be cautious of any solicited phishing communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
- Delete email and other accounts you no longer need.
The company also recommends using Yahoo Account Key, an authentication tool that eliminates the need for a password altogether.