One Billion Yahoo Accounts Breached. Users Should Take Action.

By Joe Gervais, a Symantec employee

Yahoo says that someone has stolen information associated with more than 1 billion user accounts. Even if you have a Yahoo account that you haven’t used in years, there is reason to be concerned about this Yahoo breach. That’s because an old, unused email account may contain personal information that can be valuable to identity thieves now or even years later.

In a statement December 14, 2016, Yahoo said the hacked user account information may have included names, telephone numbers, dates of birth, hashed passwords (using MD5 hashing—which is weak protection that’s easily crackable) and, in some cases, unencrypted security questions and answers.

Yahoo says it believes that the data was stolen in August 2013.

Here are a few scenarios that illustrate how users may be affected following such a breach.

Login credentials and security questions used elsewhere

If attackers were able to obtain your credentials—username and password—from a breach, it’s important to consider where else you used those credentials: Social media? Your bank account? Your retirement plan?

There’s more to consider. How about your security questions and answers that so many sites use to reset your current passwords? An attacker might be able to use the security questions and answers from your breached Yahoo account to access your other accounts.

Email accounts contain a lot of information

Consider your profile settings. Your profile may contain your full name, home address, phone number, date of birth, backup email addresses—all valuable information for an identity thief.

Is that old account a password recovery address for other online accounts? If so, an identity thief would only have to request a password reset and select the old account as the delivery method. How would they discover where you have other online accounts? The emails stored in the breached account may reveal them. In addition, a thief could use your profile information and additional details gathered in a web search.

Don’t let what’s personal become public

It may not stop there. Think about the content of your email and related chat messages, including attached photos. What if they were posted on the Internet for everyone to see? Such messages also might include private conversations, bank and credit card statements, health information, or purchasing history.

And what about your list of contacts? An identity thief could now pretend to be you and send your contacts anything, including harassing messages and malware.

So what can you do? Log in to those old accounts and clean them up by deleting emails, chat messages and profile information. If you decide you’re not going to use the old account anymore, delete the account.

And before you see that next headline mentioning a data breach at a site you haven’t used in ages, do yourself a favor: Log in and take action.

Editor’s note: This content was lightly edited and updated on Jan. 22, 2018.

 
