For the second time this year, Yahoo has revealed that hackers have obtained data about a huge number of its users’ accounts. In September the company said that account information for more than 500 million users was stolen in 2014. Now the company says it was hit by an even larger hack a year earlier.
In 2013 hackers obtained information for 1 billion accounts. Yahoo learned about the hack in November 2016, when law enforcement supplied the company with evidence.
In some cases, there’s also evidence that hackers may have used that data to forge cookies and access some accounts without a password.
All told, there’s no time like the present to change your Yahoo password and security questions… and take a closer look at how you use passwords generally.
The hackers who hit Yahoo obtained user information including names, email addresses, phone numbers, birthdates, and hashed passwords. Some encrypted or unencrypted security questions and answers were also stolen, but no cleartext passwords or payment information were taken.
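Hashed passwords are still worth changing, because how much protection a hash gives depends entirely on how it was produced. The article does not say which hash function Yahoo used, so the example below (added here, not code from the article or from Yahoo) simply contrasts a fast, unsalted hash with a salted, deliberately slow one from Python's standard library. The user records are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample store: two users who happened to choose the same password.
# Made-up records for illustration, not data from any real breach.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash. Identical passwords give identical digests, so a
    single precomputed table of common passwords unmasks every matching
    account in a leaked database at once, and each guess costs microseconds."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (scrypt). Each user gets a random 16-byte salt,
    so equal passwords no longer produce equal digests and every guess must be
    recomputed per user at a cost the defender chooses via n, r and p."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_record(password, salt)
    return hmac.compare_digest(digest, expected)


def distinct_unsalted_digests(users: Dict[str, str]) -> int:
    """How many distinct MD5 digests a leak of this table would expose.
    With shared passwords this is smaller than the number of users."""
    return len({unsalted_md5(pw) for pw in users.values()})


def distinct_salted_digests(users: Dict[str, str]) -> int:
    """Same question for salted scrypt: one distinct digest per user."""
    return len({scrypt_record(pw)[1] for pw in users.values()})


if __name__ == "__main__":
    print("unsalted MD5 distinct digests:", distinct_unsalted_digests(USERS))  # 1
    print("salted scrypt distinct digests:", distinct_salted_digests(USERS))   # 2
    salt, digest = scrypt_record(USERS["alice"])
    print("verify correct:", verify_scrypt("correct horse", salt, digest))
    print("verify wrong:  ", verify_scrypt("wrong horse", salt, digest))
```

The first number is why a leaked table of unsalted fast hashes is treated as a password compromise: the digest itself is a lookup key. The second shows that salting removes that shortcut, and the slow parameters make each remaining guess expensive. Neither protects a password that is also reused on another site.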
Still, in addition to sending messages to everyone affected by the hack, Yahoo says it’s also taking extra steps to let users know if a forged cookie was used to access their accounts without a password.
Since the disclosure of this hack comes more than three years after the fact, the damage may already be done in many cases: hackers may have already accessed data from your account or used your information in other ways. And the disclosure of a second massive hack surely isn’t doing much to help Yahoo’s reputation at a time when Verizon is engaged in a deal to acquire the company for billions of dollars.
If you’ve ever had a Yahoo account, you may want to log in and change your password, even if you don’t actively use that account anymore.
It’s also a good idea to change passwords and security questions for any other service where you use the same password or one that’s similar. And you should also stop doing that!
It can be difficult to remember unique, strong passwords for all the different apps and services you use. But there are a few ways you can use unique passwords without too much pain.
One is to use a password manager such as LastPass, Dashlane, KeePass, 1Password, or RoboForm. Some of these are services that run in the cloud, allowing you to access your passwords from multiple devices.
If trusting all of your passwords to a cloud service scares you at a time when we keep hearing about hacks, I don’t blame you. But you can strengthen security a bit by requiring multi-factor authentication. Many services give you the option of requiring more than just a password to log in: you may have to enter a code received by text message or in a smartphone app, for instance.
If all else fails, you could do what security expert Jeremiah Grossman does: keep all of your passwords on an encrypted USB flash drive. Then you just need to remember the password to unlock the drive any time you need to view one of the long, random strings of characters. It’s not particularly convenient, and you’re out of luck if you lose the USB drive. But it’s a pretty tough-to-hack system.