It sounds like a nightmare scenario, and it is. Three months after its September admission that around 500 million accounts were hacked in 2014, Yahoo disclosed yesterday that 1 billion accounts were hacked in a completely separate incident in August 2013. For context, that's more than three times the population of the United States, and about one third of all the people using the Internet all over the world. And the hackers didn't just get email addresses and passwords--they got a mountain of personal information about Yahoo users as well. Verizon, which announced its planned acquisition of Yahoo this summer, now says it will reconsider in light of these breaches.
Yahoo's security notice about the incident explains that the company is "notifying potentially affected users." Leaving aside the logistical challenges of getting word out to about a seventh of the world's population, consider the fact that, at the time of the hack, Yahoo claimed to have 800 million active users. Obviously, it had some inactive ones as well, but you should assume that if you had an account in August 2013, it was hacked.
And the hackers may now know a whole lot about you. In addition to email addresses and passwords, they gained access to birth dates, home addresses, telephone numbers, and security questions and answers, Yahoo says. The one sliver of good news: Yahoo says credit and debit card information was not stolen.
If you were among the 1 billion whose accounts were hacked, which, given the numbers, seems highly likely, here's what you need to do about it:
1. Change your Yahoo password and security questions.
If you haven't changed these since 2013, now's the time. In any case, Yahoo will likely force you to change your password on account of the breach.
2. Change passwords and security questions at other accounts.
You should probably change your passwords for accounts that you signed up for with your Yahoo email address. Also, if you are using the same password for any other services or sites as you do for Yahoo, change those as well. It's probably smart to change your security questions at any other site if they're the same ones you used for your Yahoo account.
3. Use two-factor authentication.
You should use two-factor authentication, which uses two different ways to make sure it's really you, for every site or service that offers it. Typically, after you enter your password, a code is sent to your smartphone or other device. It's worth taking this extra step because even really good passwords alone don't provide much security anymore. There are too many computers out there fast enough to cycle through every possible letter, number, and symbol combination very quickly.
Yahoo itself offers a service called Account Key, which bypasses the password and allows you to sign in simply by confirming the sign-in from your phone. Since you're not entering a password, this amounts to single-factor authentication. Still, confirming with your phone gives you a lot more security than a password would.
4. Do we need to say it? It's time to ditch Yahoo.
The company is a train wreck. If the Verizon deal goes through Yahoo's new corporate parent may change it in unexpected ways. If the deal doesn't go through, the company may be broken up and sold off in pieces.
If that isn't enough to convince you it's time to bail, consider that Yahoo executives not only failed to tell anyone about the breach for more than three years--they didn't know about it themselves. It was discovered, belatedly, by law enforcement, which sent information about the hack to Yahoo. While the company's management and security team were supposed to be watching, hackers managed to steal information on a billion accounts and no one noticed. If that makes you feel like it's time to close your account, here's a link that will help.