
One-billion-user Yahoo breach: What to do now

Jonathan Hunt reports from Los Angeles

 

If you held one of the billion Yahoo accounts that were compromised in a 2013 data breach, we're sorry. Your name, email address, date of birth, phone number and Yahoo password and security questions were known to hackers for three years, and you can't go back now and clean that mess up.

But you can certainly minimize your risk from future data breaches. Here's what to do in the wake of Yahoo's colossal mistake.

Don't trust password-reset emails coming from Yahoo. Spammers and scammers will be all over this bad news, and will send out lots of fake emails prompting you to reset your Yahoo password. Here's what the real email from Yahoo will look like.  

Even if you do get a real-looking email, however, don't click on any links in the message. Instead, go to the Yahoo FAQ page regarding this breach for more information, and go here to reset your Yahoo password, following our password-creation instructions in the next step.

Make sure every password on every online service you use is strong and unique. You want something that's at least 14 characters long and incorporates digits, punctuation marks and capital letters. We've got further tips on creating a strong password. We recommend using a password manager to keep track of all those strong, unique passwords.

Turn on two-factor authentication, also known as two-step verification, on every online account that permits it. This means that even if a hacker has your password, he won't get in unless he has your phone too.

Setting up two-factor authentication varies from service to service, but here's how to enable Yahoo's:

  • Click the gear icon on the top right corner of every Yahoo page.
  • Click Account Info at the bottom of the pop-up menu.
  • Click Account Security in the left-hand navigation bar of the page you land on.
  • Toggle Two-Step Verification.
  • Enter your mobile telephone number. Make sure you have your cellphone handy.
  • Choose to have Yahoo send you an SMS text message or call you. You'll get a text or an automated call that will give you a PIN of at least three digits.
  • Enter the PIN into the pop-up box and click Verify.

Consider deleting your Yahoo account. Between the billion-user breach revealed Wednesday and the 500-million-user breach revealed in September, it's pretty clear that Yahoo didn't emphasize security. If you use Yahoo as your primary webmail provider, switch to Google's Gmail or Microsoft's Outlook.com, which are run by companies that take user security seriously.