If you’re still reeling over the Equifax hack, consider this: its 145.5 million potential victims look like chump change compared to what’s happening with Yahoo users. Parent company Verizon announced yesterday (Oct. 3) that “following an investigation with the assistance of outside forensic experts” a 2013 hack estimated to have affected 1 billion user accounts actually affected every single account that existed at the time—a staggering 3 billion.
Names, email addresses, hashed passwords, birthdays, phone numbers, and, in some cases, security questions and answers could have all been compromised.
If you had a Yahoo account in 2013, here’s what you need to know to protect yourself.
Deleting your account isn’t enough.
First off, deleting your account “doesn’t change the fact that your personal data has already been compromised,” says George Avetisov, CEO of biometric authentication company HYPR.
Secondly, Yahoo users reported having trouble deleting their accounts. In February, several users told ZDNet that when they tried to leave the service, their accounts stayed open for weeks or months after the company confirmed that they would be closed.
If you’ve already deleted your account, attempt to login and ensure that it has actually been deleted, advises Alex Heid, chief research officer at cybersecurity rating and monitoring platform SecurityScorecard. If it has been, you still need to follow through with protecting yourself in other ways (outlined below). If not, move on to the next step.
Change your password and enable 2-factor authentication.
2FA essentially ties your account to a device, such as your phone, and makes it more difficult for any hacker to login remotely. Even though activating it won’t do anything to protect already stolen information, it does “ensure that a malicious hacker can’t just use your Yahoo credentials to access other online portals,” Avetisov says.
If you already had 2FA before the hack, you’re better protected than others, but you should still change your passwords.
Check all of your online accounts.
The breach’s impact is not just contained to your Yahoo account. “What’s important now is limiting fallout across other accounts that may use identical passwords,” says Dimitri Sirota, co-founder and CEO of enterprise privacy-management platform BigID.
Block off an hour or two to comb through all of your online accounts: Change your passwords and security questions for each of them, and validate that none of them have had unusual activity.
You should also avoid reusing passwords. Consider getting a password manager, such as LastPass or KeePassX, says Heid, so you can diversify your credentials without worrying about forgetting them. (I personally use 1Password.)
Yes, you should follow these steps even though the hack happened in 2013.
“The fallout from this breach will be felt for years,” says Avetisov. Especially for users who reuse passwords across multiple services and platforms, the personal information stolen in the Yahoo attack could be used to mount attacks years down the line. “That’s why it’s important for Yahoo users to take a proactive approach and eliminate any risks by changing all passwords immediately.”