Earlier this week, Yahoo announced that the data breach reported earlier this year did not impact 200+ million users as originally thought. The reality is that up to three billion accounts may be compromised –which is essentially Yahoo’s entire customer base. What does this news change? How does it impact you? What should you do now? Let’s walk through the answers to those questions.
What changed: In July 2016, Yahoo officially released information about a data breach that it believed involved the personal information on 200-400 million users, or more. This week, it notified the world that its original estimate was incorrect. In reality, up to three billion users were in the data files that the attackers have stolen, which means that nearly everyone who’s used Yahoo services is going to be impacted by this situation.
How does it impact you?
The data stolen includes (but isn’t limited to):
- Email addresses
- Physical addresses
- Birth dates
- Account security questions and your answers to them
- Any other information you gave Yahoo in your profile on any of their sites
- Passwords, which were encrypted when stolen, but have been at least partially decrypted now
What this means to the average user is that the hackers probably have your password, and they do have everything they need to get into your account. Even if your password wasn’t decrypted yet (and a large number of them have been already), an attacker could take all the remaining information and pretend to be you in order to get a “password reset” from Yahoo and gain access to anything you have in your Yahoo account and any services.
Also, since the passwords have already been decrypted for a lot of accounts (200 million known to be available as plain text just so far), hackers can break into any site where you used the same username and password or email and password combination without trying to gain access via password reset procedures.
As they have your name, username, email, and security questions and answers; someone can impersonate you and get multi-factor authentication disabled on your Yahoo account. Essentially, they call in, tell the phone representative that they’ve lost their phone or changed their number, answer the security questions and provide your home address, and get the MFA protection removed or changed to their own phone.
What you should do now
If you have ever used a Yahoo service where you had to log in, then immediately do the following:
- Change your password on ALL sites that used the same email address/username and password as your Yahoo account. Also, choose new Security Questions and answers, so that an attacker can’t use your old ones to overcome security protocols. Change this information on Yahoo as well.
- Use a password manager to keep track of login information, so you can avoid using “Log in with Yahoo” or Facebook or other services. Instead, set up individual accounts for each site and use a password manager so you aren’t forgetting them or writing them down.
The first step makes sure that if an attacker does get your credentials from this breach, they cannot use them on any other site. Step 2 makes sure you’re automatically protected from getting hacked across multiple sites should another site or service suffer an attack like this in future.
While you cannot stop this kind of attack from happening (unless you work for Yahoo in its digital security division), taking these steps can lock an attacker out of your accounts on Yahoo and other sites.
Finally, after every major breach like this, scammers begin to blast out emails and phone calls to try to get people who may not have been breached to give up secure information. Don’t click on links in emails that look like they’re from Yahoo or give control of your computer to a caller. Instead, if you think the email might be legitimate, go to Yahoo manually in your web browser and then find the information you need in your profile.
Stay safe, stay sane, and start now to protect your online identity from being compromised due to one site letting information get away from them.
This article originally appeared on October 5, 2017 in betanews