Yahoo's latest disclosure of a data breach involves more than one billion accounts, making it the largest in history. And though the cyber attack happened in 2013, there are still things you can do to protect yourself.
First off, it's probably a good idea to stop using your mother's maiden name as a security question.
According to Yahoo's announcement on Wednesday, the information stolen in the 2013 attack includes names, phone numbers, encrypted passwords, and, in some cases, unencrypted security questions that can be used to reset a password not only on Yahoo, but on other sites as well.
The answers to security questions may be the most sensitive data. Many online social, banking, and shopping services use the same security questions, and if consumers answer the questions honestly, the Yahoo data breach could enable hackers to change the passwords for non-Yahoo accounts.
"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," Yahoo wrote in a statement on its website. "Payment card data and bank account information are not stored in the system the company believes was affected."
Wednesday's announcement comes just three months after Yahoo revealed that more than half a billion accounts had been targeted in 2014 in what it called a state-sponsored attack.
"We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," wrote Yahoo's Chief Information Security Officer, Bob Lord on the company's website.
Yahoo is stepping up its response to this most recent data breach, forcing users to change their passwords. In the attack announced in September, the company urged, but did not require, users to change their passwords.
Yahoo has sent email notifications to most users of the compromised accounts. But if you haven't been notified and are worried your information may have been stolen, here are some warning signals:
-- You're not receiving any emails.
-- Your Yahoo Mail is sending spam to your contacts.
-- Your account info or settings were changed without your knowledge.
-- You see logins from unexpected locations on your recent activity page.
Still, whether your Yahoo account has been hacked or not, all users should follow these three steps to boost their online security. There are more tips on protecting your privacy and security in our extensive guide.
Kill Ghost Accounts
One of the first questions about the massive hack is whether Yahoo even has a billion users to hack. Some users may have had multiple accounts, driving up the number.
But it’s also true that many people who currently have Gmail or other accounts may once have created a Yahoo account, one that has been unused for years.
Such accounts are a security liability: Consumers are getting no value from them, but can be victimized by a data breach. It's wise to delete unused accounts, not just at Yahoo, but everywhere.
And that's not just about email accounts. The same advice applies to mobile apps and accounts for shopping, household budgets, social media, and so on.
Change Security Answers
The “basic security questions” that websites use for password recovery are a weak link in your digital defenses. Why? Because the answers don’t change from site to site.
Some of the answers—what's your mother's maiden name?—can probably be gleaned from your Facebook postings. And they could be the most valuable data stolen in a data breach like the one Yahoo just reported.
And, by the way, this is the same kind of data stolen in the previous Yahoo data breach.
“What’s disconcerting to me is the breach of the password-recovery data,” Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University, told us at that time.
You can use a password manager to generate random strings of characters to insert in the security answer boxes. Or, simply make up fake information that you record somewhere.
The general principle is to treat the security answers with the same care you apply to your password. Writing down your real hometown is like using the same password for every account, and making it a bad one, at that.
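As an added illustration of that principle (example code written for this page, not from the article or from Yahoo), here is a small Python sketch: it generates an independent random answer per site and per question, the way a password manager would, and audits a set of stored answers for the two mistakes the article warns about, reusing one answer everywhere and answering truthfully. The site names and the "real facts" are constructed sample values.

```python
import secrets
import string
from collections import defaultdict

# Questions that many sites share verbatim, so an honest answer given to one
# site also unlocks the others (the "weak link" described above).
SHARED_QUESTIONS = (
    "mother's maiden name",
    "city where you were born",
    "name of your first pet",
)


def random_answer(length: int = 20) -> str:
    """Random answer from a CSPRNG, like a password manager's generator."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_vault(sites, questions=SHARED_QUESTIONS):
    """One independent random answer per (site, question), to be recorded, never reused."""
    return {site: {q: random_answer() for q in questions} for site in sites}


def audit_vault(vault, real_facts):
    """Flag answers that are real facts or that are reused across sites.

    Returns a list of (site, question, reason); an empty list means the vault is clean.
    """
    findings = []
    seen = defaultdict(list)  # answer -> [(site, question), ...]
    real = {fact.strip().lower() for fact in real_facts}
    for site, answers in vault.items():
        for question, answer in answers.items():
            if answer.strip().lower() in real:
                findings.append((site, question, "answer is a real, discoverable fact"))
            seen[answer].append((site, question))
    for answer, uses in seen.items():
        if len(uses) > 1:  # same answer at more than one site
            for site, question in uses:
                findings.append((site, question, f"answer reused at {len(uses)} sites"))
    return findings


if __name__ == "__main__":
    # Constructed sample: honest answers typed into three different sites.
    facts = ["Smith", "Springfield", "Rex"]
    honest = {s: dict(zip(SHARED_QUESTIONS, facts)) for s in ("yahoo", "bank", "shop")}
    for finding in audit_vault(honest, facts):
        print(finding)
    print(audit_vault(build_vault(("yahoo", "bank", "shop")), facts))  # []
```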
Beware Phishing Attacks
Hackers armed with information from this data breach may send out e-mails or even call on the phone hoping to lure consumers into giving up passwords or other personal information.
If past data breaches are a guide, consumers may even receive emails that appear to be from Yahoo, asking for further data to help fix the problem. Never provide passwords or PINs over the phone or through email.
And if you want to check the activity on a bank or other online account, type the URL into the browser yourself; don't follow a link from an email.
Copyright © 2005-2016 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.