It’s new and it’s big.
A billion Yahoo user accounts have been breached, the company announced in December 2016.
The revelation comes on the heels of a separate Yahoo breach affecting 500 million user accounts disclosed in September 2016.
Forensic experts say an unauthorized third party, in August 2013, stole data associated with more than 1 billion user accounts, including names, emails, phone numbers, birthdates, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers, according to the Yahoo statement.
Yahoo hasn’t been able to identify the intrusion associated with this theft, which included data accessed without a password using forged cookies.
However, the company “has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” the December 2016 Yahoo statement read.
The “experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”
Yahoo notified potentially affected users and stated that it has taken steps to secure their accounts — including invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.
Yahoo’s investigation indicates that the stolen data did not include payment card data or bank account information. Still, an email account can be a treasure trove for cybercriminals.
Once a thief has your email password, it can be used to access a variety of information you may store or have access to in your emails. And if that password is the same one you use for other accounts, thieves could now have access to a variety of personal information — from retirement and bank account statements to personal email exchanges and photos. A cybercriminal can piece this information together and possibly use it to steal your identity, access financial accounts and more.
And it could take years for damage done to your identity to surface.
Yahoo offers these breach tips:
Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account. Do not use the same password for multiple accounts — especially those containing sensitive information like your bank and social media accounts.
Review all of your accounts for suspicious activity.
Be cautious of any unsolicited phishing communications that ask for your personal information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.
The company also recommends using Yahoo Account Key, an authentication tool that eliminates the need for a password altogether.