In what is believed to be one of the biggest data breaches of all time, Yahoo has confirmed on 14 December that at least one billion user accounts were hacked in August 2013. The breach is believed to be separate from the previously reported incident, when 500 million accounts were compromised.
In a statement, Yahoo confirmed that names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers were all compromised in the cyberattack.
While details are still coming to light, Yahoo has said it believes an "unauthorised third party" was able to access the firm's proprietary code and learn how to forge cookies. This could allow the hacker to access users' accounts without the need for a password. The firm, which is currently in the process of being bought by Verizon, said it is now notifying all impacted users.
If you have used Yahoo in the past there's a very good chance your credentials are now in the hands of hackers – so what should you do next?
How to check if your Yahoo account is affected
To check if your credentials are impacted, log into your Yahoo email account and check for an urgent security letter from the Yahoo team. While the technology giant has started to issue these to all compromised users, you can also visit the firm's website to see more information about the notice. "Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords," it said. "Yahoo has also invalidated unencrypted security questions."
How to change your Yahoo passwords
The first thing you should do is change your username and password – especially if you have not done so since August 2013, when the hack reportedly occurred. Yahoo is advising all its users to promptly update their credentials and security questions/answers, as both were compromised. It is vital to create a password that is unique, long, original and contains a mixture of symbols, characters and numbers.
Stop reusing passwords on other accounts
If you have ever used your Yahoo password on other personal accounts – be it for social media, banking or other website profiles – it is urgent they are all changed now. Password reuse remains one of the most common ways that hackers gain access to personal accounts – so why leave the front door wide open?
"I recommend immediately changing not only your Yahoo password, but more importantly any other accounts for which you might have used the same credentials," said Jeremiah Grossman, security expert with SentinelOne, who previously worked at Yahoo. "Attackers will most certainly take this set of credentials and try them against multiple accounts until they are successful."
Check your bank accounts for suspicious activity
Yahoo has issued a strong warning to users about the potential for phishing attacks or email fraud. Suspicions should be raised if any email that appears to be sent from Yahoo itself asks for personal information or banking details – this is likely to be a scam.
The new Yahoo statement stressed: "Yahoo encourages users to review all of their online accounts for suspicious activity." In an FAQ page outlining the scope of the hack, it added: "Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information."
Add an extra layer of security to your online accounts
With such a spike in major data breaches of late – with other victims this year including Tumblr, Myspace and LinkedIn – you should start using two-factor authentication on all of your online accounts. This process allows you to add an extra layer of protection by registering either a phone number for SMS codes or a secondary email address, which is then needed before you can log into your accounts. Yahoo specifically is asking all its users to consider using Yahoo Account Key, which is the company's own authentication tool.
Close unused accounts
If you have an old Yahoo account that is no longer in use, now would be a good time to delete it. While not using the account reduces the risk of you being actively targeted by phishing scams, your personal information is still linked to your profiles – names, addresses and telephone numbers, to be exact. They may be old, but as a precautionary measure you should still remove as much unnecessary data from the web as possible.
What will happen next?
Yahoo, which has suffered a series of major security issues this year, is still in the process of investigating the full scope of the hack. Despite claiming a "state-sponsored" actor was responsible for the hack, it has still provided little evidence to back this up – something it will need to do urgently if this assertion is to be taken seriously.
The Yahoo statement said: "The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016."
In November, Yahoo admitted in an SEC filing that the ongoing Verizon takeover deal may be in jeopardy due to the ongoing hacking revelations. "There is no assurance that the sale transaction will be consummated in a timely manner or at all," it said. "In addition, the anticipated benefits of the sale transaction may not be realised."
Earlier, after the previous hack was made public, speculation arose that Verizon bosses may seek a $1bn discount. "We will evaluate as the investigation continues through the lens of the overall Verizon interests, including consumers, customers, shareholders and related communities," it said in a statement.
This article was originally published on 22 September.