On September 22, 2016, Yahoo disclosed that data from 500 million Yahoo user accounts was breached back in 2014, possibly by a state sponsored attacker. This breach would include users of Yahoo Mail, Yahoo Finance, Yahoo Fantasy sports, and many other Yahoo services . The breached account information can include names, email addresses, passwords, dates of birth, telephone numbers and answers to some security questions. There are reports that Flickr accounts that were linked to Yahoo IDs may also be impacted.
If you have a Yahoo account and haven’t changed the password since 2014, chances are that Yahoo will prompt you to enter a new password as soon as you log ion. If not, at a minimum, here’s what you should do:
- Change your password immediately (consider using a passphrase)
- Update your security questions and answers
- Check your Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity e.g. checking outgoing emails
- Yahoo is recommending people turn on its two-factor authentication tool: Yahoo Account Key
If you are using the Yahoo passwords for other sites, change the passwords at those sites too. Typically, cyber-attackers will obtain a list of user names and passwords and then test them across many sites to see where they will work. They target online bank accounts and credit cards but also online game sites for points and loyalty points at hotel chains and airlines.
For more information, please visit the following links: