Find out if your Yahoo account was hacked (and what to do next) – CNET

Now Playing: Watch this: Find out if your Yahoo account was hacked

The Yahoo hack is the biggest publicly disclosed data breach of all time.

Getty Images

In September 2016, Yahoo revealed a hack that compromised 500 million user accounts. In December, the company revealed yet another hack, this time affecting a record 1 billion accounts. On Tuesday, Yahoo updated that number to all 3 billion accounts its services.

And yes, that includes yours.

The hack exposed names, email addresses, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions. Here’s what you can do now to protect yourself.

Log into your Yahoo account

This might sound obvious, but if you’re like a lot of people, you might not use Yahoo Mail as your primary email account. Yahoo has 1 billion monthly active users on its services overall and just 225 million monthly active users for its Yahoo Mail service, according to figures the company gave CNET in June.

So check the email affiliated with your Yahoo account if you haven’t already. Yahoo has started sending out notifications to users, and you should be receiving one at that account if you were affected by the data breach.

Change your password

If you haven’t changed your password in a few years, do it — now. The company says the passwords that hackers stole were encrypted — scrambled up with a tool called bcrypt. This kind of encryption can potentially be broken with enough persistence, said Brett McDowell, executive director of the FIDO Alliance, a nonprofit group that vets login systems.

That’s especially true “when the attacker can make relatively accurate guesses at what the password might be,” McDowell said. “Yahoo users with relatively weak or obvious passwords should take the recommended precautions.”

I’m looking at you, “passw0rd.”

Ask yourself, ‘Did I use this password somewhere else?’

It’s a common habit. Use the same password for lots of different accounts. If this breach has anything to teach you, it’s that this is a terrible idea.

If you recycled your Yahoo password on a different account, go change your password on that account too. The hackers who have your password could easily try it on a whole bunch of different websites — think bank websites or health insurance websites — to try to access information beyond your Yahoo account.

Don’t let them.

Change your security questions and answers — everywhere

Since the hack exposed security questions that were not encrypted, change them. If you used the same security questions for other sites or services, change those, too. And if you’re unsure, change them anyway.

It’s a headache, but doing so could save you a huge inconvenience in the future. Security questions are often used to verify identity and gain account access, without the help of email verification.

Some security experts go as far as recommending you create random, unique answers to security questions like, “Where was your mother born?” since, often, that information is easy to uncover. That’s a high expectation for most normal folks, so instead…

Enable two-step verification

If you plan to keep your Yahoo account, enable two-step verification. It’s one of the best forms of account security widely available on sites like Yahoo. Two-step means that after you log in with your password (as usual) Yahoo will text you a security code, which you’ll enter in the next step.

This way, only someone who has in-person access to your phone (you) can access your account — even if the password entered was correct.

As with changing your security questions on all services, take the time to enable two-step verification on other websites, like Facebook, Google, Twitter and so on.

Delete old accounts you don’t use

While you’re thinking about all the accounts you have out there, ask yourself why you even have them. Are you still using that wedding planning website, five years after your nuptials? No, I didn’t think so. Delete that account! Have you fallen out of the habit of posting Harry Potter fanfic on that one goofy website you loved 10 years ago? Delete that account too!

That way, when random websites are compromised, you don’t have to ask yourself whether you’re at risk.

…including Yahoo

If your Yahoo account was hacked and you never use it, consider deleting it. Here’s our guide to deleting your Yahoo (and Flickr) account and moving to Google.

Originally published Sept. 23, 2017.
Update, Oct. 3 at 2:10 p.m. PT: Adds new information on Yahoo hack.

iHate: CNET looks at how intolerance is taking over the internet.

It’s ComplicatedThis is dating in the age of apps. Having fun yet?

Leave a Reply

Your email address will not be published. Required fields are marked *