In what is believed to be one of the biggest data breaches of all time, Yahoo has confirmed that at least half a billion user accounts were hacked in 2014 by a so-called "state-sponsored" actor. If you have used Yahoo in the past there's a good chance your credentials are now in the hands of hackers – so what should you do next?
Yahoo said that names, email addresses, telephone numbers, dates of birth, security questions and scrambled passwords were all compromised in the cyberattack. The firm, which is currently in the process of being bought by Verizon, said it is now notifying all impacted users. However, there are a number of steps you should take immediately to ensure your details stay safe.
How to check if you are affected
To check if your credentials are impacted, log into your Yahoo email account and check for an urgent security letter from the Yahoo team. While the technology giant has started to issue these to all compromised users, you can also visit the firm's website to see a full copy of the notice.
Change your passwords
The first thing you should do is change your username and password – especially if you have not done so since 2014 when the hack reportedly occurred. Yahoo is advising all its users to promptly update their credentials and security questions/answers as these were both compromised and are likely in circulation on the Dark Web. It is vital to create a password that is unique, long, original and contains a mixture of symbols, characters and numbers.
Stop reusing passwords on other accounts
If you have ever used your Yahoo password on other personal accounts – be it for social media, banking or other website profiles – it is urgent they are all changed now. Password reuse remains one of the most common ways that hackers gain access to personal accounts – so why leave the front door wide open?
"I recommend immediately changing not only your Yahoo password, but more importantly any other accounts for which you might have used the same credentials," said Jeremiah Grossman, security expert with SentinelOne, who previously worked at Yahoo. "Attackers will most certainly take this set of credentials and try them against multiple accounts until they are successful."
Check your bank accounts for suspicious activity
Yahoo has issued a strong warning to users about the potential of phishing attacks or email fraud. Suspicions should be raised if any email that appears to be sent from Yahoo itself asks for any personal information or banking details – this is likely to be a scam.
"Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information and avoid clicking on links or downloading attachments from suspicious emails," said Bob Lord, Yahoo's chief information security officer.
Add an extra layer of security to your online accounts
With such a spike in major data breaches of late – with other victims including Tumblr, Myspace, and LinkedIn – you should start using two-factor authentication on all of your online accounts. This process allows you to add an extra layer of protection by adding a phone SMS or secondary email address that is then needed before you can log into your accounts. Yahoo specifically is asking all its users to consider using Yahoo Account Key, which is the company's own authentication tool.
Close unused accounts
If you have an old Yahoo account that is no longer in use, now would be a good time to delete it. While not using the account reduces the risk of you being actively targeted by phishing scams, your personal information is still linked to your profiles – names, addresses and telephone numbers to be exact. They may be old but as a precautionary measure you should still remove as much unnecessary data from the web as possible.
What will happen next?
Yahoo is currently investigating the scope of the breach alongside cybersecurity experts at the FBI. Despite claiming a "state-sponsored" actor was responsible for the hack, it has still provided little evidence to back this up – something it will need to do urgently if this assertion is to be taken seriously. The company has gone public and it remains to be seen what the impact will be for both the future of the business and the ongoing takeover negotiations with Verizon.
"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," said Lord. "Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."