Every Yahoo account was exposed in previous hack!

Investigation into the 2013 Yahoo breach, a story we’ve been following since August of last year, has finally concluded, and its findings are worse than anyone could have imagined: every Yahoo account that existed in August of 2013 was exposed. Although the company originally announced in December of 2016 that 1 billion accounts were breached, its new parent company, Verizon Communications Inc., has now revealed that a total of 3 billion user accounts were exposed, triple the number initially reported, making it the largest breach ever disclosed. What’s more, the August 2013 breach was followed by a 2014 hack, attributed to Russian actors, that affected 500 million Yahoo user accounts. Since the 2013 breach covers every Yahoo account that existed in August of that year, we’re breaking down everything you need to know if one or more of your accounts is involved.

Are the 2013 and 2014 hacks related?

That is the million dollar question. Yahoo, now part of Verizon’s Oath brand, maintains that the August 2013 hack and the 2014 Russian hack were separate incidents, which, frankly, puts the company in a very embarrassing position. Regardless of whether or not the hacks are connected, the fact is that at some point in Yahoo’s history, all of its users were hacked. Given the extent of both the 2013 and 2014 breaches, it’s safe to assume that if you’ve used Yahoo in the last four years, your information was leaked.

What was taken from Yahoo’s servers?

Yahoo says that the August 2013 breach may have revealed users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers (some encrypted, some not). It’s important to note that since all Yahoo accounts that existed in August of 2013 were affected, users of Yahoo-owned services like Flickr, Tumblr or even fantasy sports may have been impacted, as well. It should also be pointed out that, while the leaked passwords were hashed rather than stored directly, Yahoo’s own disclosure states that the hash was MD5, a fast general-purpose hash that was never suitable for protecting passwords: commodity GPUs can test billions of MD5 guesses per second, so any password that appears in a wordlist or an earlier leak falls almost immediately. In practice, that information might as well have been stored in plain text.
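To make the point about hashing concrete, here is an added example (not Yahoo’s code, and not from the original article) that runs a dictionary attack against a small constructed dump of unsalted MD5 hashes, then stores the same passwords with a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256) and runs the same attack again. The user names, passwords and wordlist are all made up for the example; the iteration count is the one currently recommended for PBKDF2-SHA256 and can be lowered when experimenting.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example: a tiny attacker wordlist and a
# "leaked" credential table in the style of a 2013-era database that stored
# unsalted MD5 digests. None of these users or passwords are real.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "football"]


def md5_hex(password: str) -> str:
    """How a weak legacy store hashes a password: one fast, unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


LEAKED_MD5_DUMP = {
    "alice@example.com": md5_hex("sunshine"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("sunshine"),  # same password as alice: identical hash
    "dave@example.com": md5_hex("kq7!Vn3p#rLw9"),  # strong, not in the wordlist
}


def crack_md5_dump(dump: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted MD5. Every candidate is hashed exactly
    once and the whole dump is matched against that one table, so the cost
    is |wordlist| hashes regardless of how many accounts leaked."""
    table = {md5_hex(candidate): candidate for candidate in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# Hardened storage: random 16-byte salt per user plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted_dump(dump: dict, wordlist: list) -> dict:
    """The same attack against the hardened store. No shared lookup table is
    possible because every user has a different salt, so each (user, candidate)
    pair costs a full PBKDF2 run: |users| x |wordlist| x iterations of work
    instead of |wordlist| fast hashes. Weak passwords still fall eventually;
    the defence buys time, it does not make '123456' safe."""
    found = {}
    for email, stored in dump.items():
        for candidate in wordlist:
            if verify_password(candidate, stored):
                found[email] = candidate
                break
    return found


if __name__ == "__main__":
    print("MD5 dump cracked:", crack_md5_dump(LEAKED_MD5_DUMP, CONSTRUCTED_WORDLIST))
    salted = {e: hash_password(p, iterations=20_000)
              for e, p in [("alice@example.com", "sunshine"), ("dave@example.com", "kq7!Vn3p#rLw9")]}
    print("salted dump cracked:", crack_salted_dump(salted, CONSTRUCTED_WORDLIST))
```

Two things to notice when running it: alice and carol have byte-identical MD5 entries, so an attacker learns they share a password before cracking anything, and the three weak passwords fall with six hash operations in total. Against the salted store the same wordlist costs six PBKDF2 runs per user, and strong passwords like dave’s survive either way, which is why unique, randomly generated passwords are the advice that actually matters for users.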

What should you do if you have a Yahoo account?

Although this announcement might come as a shock, don’t panic or act rashly. Your best course of action, in the long run, is to consider the following:

1. Don’t delete your Yahoo account(s) before taking some security steps. After this revelation, your first instinct might be to just disassociate from anything Yahoo related, forever. As relatable as that sentiment might be, you’ll want to make sure you take some security steps before you deactivate your account, because all of your account information was leaked. These security steps include changing your password and enabling two-step verification, which brings us to our next points.

2. Change all your passwords. Yahoo forced a password reset with one of its earlier breach announcements, but if you haven’t changed the passwords on any other accounts, especially those that use the same password as your compromised Yahoo account, or you never received the forced password change, you should change them immediately. This matters because attackers routinely take leaked email-and-password pairs and try them against other sites (credential stuffing), so a password reused from Yahoo is a liability everywhere it was used. You’ll also want to change your other passwords for good measure, such as your online banking password, your Netflix password and any other online account that is, or ever was, tied to this email address.

If you need help coming up with strong, unique passwords for every account, you may want to consider using a password manager. These services not only act as a digital vault for all of your passwords, but they can also generate strong passwords for you. Visit our guide to password managers if you want to learn more about what these services offer.

3. Change your security questions and answers. These questions are a hacker’s key to resetting your passwords, as a strong password is worthless in the face of easy-to-guess password reset questions. Since your Yahoo security questions and answers were likely revealed, it’s wise for you to change them, along with those on any other accounts that use the same questions and answers. Ideally, you should not answer any security question honestly, as some of the answers, such as your mother’s maiden name or your father’s middle name, can easily be found in public record search engines or on social media. Although this makes things a little more challenging to remember, making up answers, and storing them in your password manager alongside the password, protects the reset path as well as the login.

4. Set up two-factor authentication (2FA). We always talk about 2FA because it’s a powerful security measure. If you aren’t already aware, 2FA requires two factors to log in: your password and something else, usually a one-time code that proves you hold a second device, such as a code sent by text message to your phone or generated by an authenticator app. Because someone cannot log in without both factors, a stolen password alone is not enough to break into your account, and receiving a code or login notification when you haven’t tried to log in gives you a heads-up that someone has your password. Where a service offers it, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted if an attacker takes over your phone number. In addition to changing your passwords, you should activate this feature on every account you use, not only your Yahoo account.

5. Know where your information is online. With hackers eager to break into everything you own so they can learn a little bit more about you, it’s important for you to know where your information is online. As such, you’ll want to Google yourself to see what your attack surface, meaning the devices and accounts hackers can use to get personal information about you, looks like. If you come across any old accounts you no longer use, such as old Myspace and LiveJournal accounts, consider deleting them, as forgotten accounts tend to hold reused passwords and stale personal details that can surface in a later breach. Similarly, it may be worth looking at your social media habits, because you may be unknowingly revealing your own personal information.

6. Know that victims can potentially sue for compensation. In a small victory, a U.S. judge recently ruled that Yahoo can face litigation for the consequences caused by its breaches, meaning that any lawsuits against Yahoo can go forward. Although you may not want to go hire an attorney and start a suit yourself, you can stay alert for news of any class-action lawsuits against Yahoo, as some will likely pop up in the coming months.

Why are we just learning about the true extent of this hack?

Data breach discovery and reporting are fairly slow processes. Verizon’s annual Data Breach Investigations Report has consistently found that internal discovery of breaches can take weeks or months. Given the large number of factors that go into investigating a breach, this isn’t too surprising. Skilled attackers cover their tracks and plant misleading evidence, which lengthens investigations. Additionally, not every organization has the same resources for investigating breaches. In the case of Yahoo, it is strange that the former tech giant took more than two years to report a breach, but some experts suspect that over the past few years Yahoo sacrificed security for consumer convenience. If resources within the organization were diverted away from security initiatives, that would have hindered both the ability to spot these breaches early and any attempt at a timely response.

The Yahoo breaches, while frightening, provide important lessons for other organizations and consumers. The key takeaway is that cybersecurity is essential to both. Another takeaway is that breach alerts and announcements can be vague (sometimes by design) or incomplete, as Equifax’s latest announcement has also taught us. While we knew the 2013 breach investigation was incomplete when it was first announced in December of last year, few would have guessed that every Yahoo user had their account compromised. As such, whenever a breach is announced, a consumer’s best defense is to beef up their own security, by changing passwords and enabling two-factor authentication, even before it is confirmed who was impacted.

Follow our Yahoo breach blog to keep up with this breach, and stay tuned to our data breach blog to learn about the top breach-related stories and find out how to protect yourself.