Yahoo accounts hacked

It’s bad enough when a company experiences one major data breach, but two in a span of a few months is downright devastating. Yahoo users learned on Dec. 14 that their account data may have been stolen in yet another breach, one that could affect twice as many users as the incident announced in September. We’ve outlined everything you need to know about this breach, what Yahoo is doing about it and how you can protect yourself in the aftermath.

Is this related to the breach reported on in September?

The breach announced this week is thought to be separate from the one we reported on in September, which involved the data of more than half a billion accounts. This breach encompasses over 1 billion user accounts, eclipsing the September breach and placing Yahoo firmly in the history books for all the wrong reasons. As security company SSP Blue’s CEO, Hemu Nigam, put it to CNN Money, “Yahoo has now won the gold medal and the silver medal for the worst hacks in history.” There may be some overlap between the two breaches: in its own statement, Yahoo acknowledged indications that some of the activity it discovered could be connected to the “state-sponsored actor” the company blamed for the September breach. For the most part, however, the two appear to be separate intrusions.

What do I need to know about this data breach?

According to Yahoo, it was approached by law enforcement with data files that a third party had claimed were stolen from Yahoo. Following an investigation by Yahoo and outside forensic experts, it was determined that in August 2013, an unknown third party had accessed at least 1 billion user accounts. Information potentially accessed includes names, email addresses, phone numbers, hashed passwords, dates of birth and both encrypted and unencrypted security questions and answers. No financial data was accessed or stolen, but one supremely worrying aspect of this data breach is that, according to Yahoo, the hackers were able to figure out how to forge cookies, enabling them to access targeted user accounts without the need for a password.

For those who don’t know, cookies are small files that a website creates when you visit it and that your browser stores on your computer. They hold information about your visit, including anything you volunteered, such as your name or login details. Your browser only sends a cookie back to the site that set it, which is how you can stay logged in to an account on your own computer without being logged in on every computer. The forged cookies created by the Yahoo hackers not only let them log into a person’s account undetected without knowing the password, but also let them stay logged in, sometimes indefinitely.

Yahoo says it has invalidated the forged cookies and is notifying all affected users, noting in its FAQ on the breach that these cookies were taken or used in 2015 and 2016. The site is also forcing password changes on affected users and invalidating unencrypted security questions and answers so they cannot be used to access users’ accounts.
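To make the cookie discussion above concrete, here is an added example of how a site can issue and check a signed login cookie, and why forged cookies are only stopped by retiring the signing key. This is constructed illustration code, not Yahoo’s implementation (the article does not describe how Yahoo’s cookies were built); it assumes an HMAC-signed cookie design with an expiry time and a key identifier, and all keys and user names below are made-up placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder server secrets. A real deployment generates these
# randomly and keeps them out of source control; anyone holding the key can
# mint a cookie that the server cannot tell apart from a genuine login.
SECRET_KEY_V1 = b"constructed-placeholder-secret-v1"
SECRET_KEY_V2 = b"constructed-placeholder-secret-v2"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, now: int, ttl: int = 3600, key_id: str = "v1") -> str:
    """Build "<payload>.<tag>": a JSON payload authenticated with HMAC-SHA256."""
    claims = {"uid": user_id, "kid": key_id, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str, active_keys: dict, now: int):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    key = active_keys.get(claims.get("kid"))
    if key is None:
        return None  # key retired: every cookie minted under it is now invalid
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload edited without the key, or signed with the wrong key
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # stale cookie: expiry bounds how long a stolen one keeps working
    return claims.get("uid")


def demo() -> dict:
    """Walk through the cases the article describes; returns the outcomes."""
    now = 1_700_000_000  # constructed fixed clock so results are repeatable
    keys = {"v1": SECRET_KEY_V1}
    genuine = issue_cookie("alice", SECRET_KEY_V1, now)

    # Editing the user id without the key breaks the HMAC tag.
    _, old_tag = genuine.split(".")
    edited = json.dumps({"exp": now + 3600, "kid": "v1", "uid": "bob"},
                        separators=(",", ":"), sort_keys=True).encode()
    tampered = _b64(edited) + "." + old_tag

    # A cookie minted with the leaked key, given a ten-year lifetime, is
    # indistinguishable from a real login: no password is ever checked.
    forged = issue_cookie("victim", SECRET_KEY_V1, now, ttl=10 * 365 * 24 * 3600)

    # Retiring v1 and issuing under v2 is the "invalidate the forged cookies" step.
    rotated_keys = {"v2": SECRET_KEY_V2}

    return {
        "genuine": verify_cookie(genuine, keys, now + 10),
        "tampered": verify_cookie(tampered, keys, now + 10),
        "expired": verify_cookie(genuine, keys, now + 3601),
        "forged_before_rotation": verify_cookie(forged, keys, now + 10),
        "forged_after_rotation": verify_cookie(forged, rotated_keys, now + 10),
        "genuine_after_rotation": verify_cookie(genuine, rotated_keys, now + 10),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two defensive takeaways are visible in the results: a forged cookie verifies exactly like a genuine one as long as the signing key stays in service, which is why the fix is key rotation rather than spotting bad cookies, and a short expiry is what prevents “logged in indefinitely” even when the key is later retired late. Rotating the key also logs out every legitimate user, which is the cost Yahoo accepted by forcing fresh logins.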

How can users make sure their accounts are secure?

Even if you took precautions after the previous breach was announced in September, it’s important to beef up your account security again, since there’s no telling whether your account was exposed in one or both of these breaches. Given the scale of both, it’s safe to assume that most Yahoo accounts have been exposed at some point in the past few years. Here are some tips for users who want to make sure they stay safe.

1. Change your security information. It might seem like a no-brainer, but the first thing you should do if you have one or more Yahoo-related accounts is to log in and change all of your security information. It’s not enough to simply change your password: since the answers to people’s security questions were also accessed in this breach, you should change those too. Yahoo is urging users to try out its password-free Account Key feature, but it’s understandable that you might be skeptical about trying a new feature from a company that has a reputation for poor security. You might want to consider enabling Yahoo’s two-factor authentication feature and using a password manager to create complex, unique passwords for all of your accounts and store them safely.

2. Be on alert for suspicious emails and account activity. Anytime there’s a data breach, especially one that exposes your email address and other personal information, it’s wise to look out for phishing emails and any other messages that are out of the ordinary. Yahoo has contacted users impacted by the breach via email (read the content of that message here), but you should be aware that scammers may try to piggyback on this and send out emails impersonating Yahoo to try to trick you into clicking links or downloading attachments. Always examine any official-looking email for clues that it’s a fake, such as misspellings or extra characters in the sender’s address or grammatical mistakes. It’s also wise to avoid clicking on any links in emails you receive: if you want to log into your Yahoo account to change your information, you can just as easily type the address into your browser and navigate to the account details section on your own. You should also check for suspicious activity on your accounts, such as emails being sent that aren’t from you or changes to your settings that you didn’t make.

3. Change your passwords for other accounts. It can be easy to forget how interconnected our online accounts can become. Most online services and websites require you to provide an email address upon signup, and many of them let you use your email address to recover your login information if you forget it. Therefore, someone who has cracked your email account potentially has unfettered access to your entire online existence. If your Yahoo account was connected in any way to other accounts you have, now is the time to change your passwords for all of those accounts. It might be a pain, and it might take some time to do, but in the end, what’s a little extra time when it comes to security? As always, remember to never use the same password twice. It’s also wise to think about your username choices, as these can expose you to cybercriminal attacks in ways you might not realize.

4. Consider jumping ship. Complacency is one of the driving forces behind our current cybersecurity woes. Consumers and business owners alike are growing weary of data breaches, and many people continue to use services and shop at stores even after their security flaws have been exposed. However, the age of these breaches, the number of users impacted and how long it has taken Yahoo to respond make it clear that this is a company dealing with serious security issues, and it may continue to for quite some time. Therefore, it might be time to close down your Yahoo account, something security expert Brian Krebs has urged his followers to do, and set up shop somewhere else on the Internet.

To keep up on the latest news in cybersecurity and online privacy, follow our identity theft protection blog.