Any uncertainty as to whether or not Yahoo experienced a data breach has been put to rest, as the company released a statement today confirming what many already suspected. Earlier this year in August, the rumors began circulating that there had been a massive Yahoo breach when a well-known deep web cybercriminal posted a sale of 200 million user accounts online. Now, nearly two months later, it’s come to light that not only was there a data breach but the real numbers are far larger than initially suspected — all told, Yahoo estimates that the data associated with at least 500 million accounts was stolen. Keep reading to learn what data was lifted in this breach, what Yahoo is doing in response and how you can protect and secure your account and your information.

Hashed passwords included in stolen data

According to Yahoo’s statement, the user data potentially exposed in this breach includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, both encrypted and unencrypted security questions and answers. Both the personal data and the encrypted information are big deals in their own ways, especially since, as users of Internet services, we want to believe we can rely on encryption to protect us. No unsecured passwords, payment card data or bank account information was accessed or stolen during the Yahoo breach, according to the company.

Yahoo is notifying all affected users and urging password resets

The response by a company is telling in the aftermath of a data breach, and so far Yahoo has promised to notify all affected users by email as well as invalidate all unencrypted security questions and answers so they can’t be used to access accounts. In addition, the company is urging all users who haven’t changed their password since 2014 to do so — though, truth be told, it’s a wise idea for all Yahoo account holders to change their passwords and security questions, as well as review their accounts for any suspicious activity that could indicate they’ve been compromised, such as unfamiliar emails in the sent folder. Some websites opt to force password resets on all account owners in the event of a breach, but Yahoo isn’t doing so, which means until you log in and reset your password on your own, your account potentially remains at risk.

As with most data breach announcements, Yahoo has also assured its users that it is working with law enforcement to investigate the matter and doing what it can to beef up security to prevent future breaches.

So, who’s responsible for the Yahoo breach?

Although some might assume this was the work of a garden-variety hacker, the investigation has indicated that the breach was performed by a state-sponsored actor — meaning, someone working on behalf of a government. The breach itself is believed to have occurred in 2014. We’ve seen this type of data breach increasing in frequency, with various hacks from late 2014’s Sony breach, thought to be perpetrated at the hands of North Korea, to the recently unearthed Democratic National Committee breach, which was traced to Russian government intelligence services. Yahoo assured its users that there’s no evidence that the state-sponsored hacker is currently in the company’s network.

Here’s what you can do to protect your account

Whether this stolen data has been on the Internet black market for quite some time or is still yet to be released, we may never know. However, there are some ways that all Yahoo users can secure their accounts and protect themselves (and their information).

1. Change everything. When it comes to a data breach, sometimes just changing your account’s password is good enough, but in this instance, since everything from passwords to security questions and answers to phone numbers was stolen, that’s not going to cut it. Change your password, and be sure to choose something long and strong, while also making sure to select new security questions to answer. In addition, it’s wise for anyone with two-factor authentication activated to change the phone number used for activation or turn it off altogether for the time being. If you’ve never activated two-factor authentication, go ahead and do so now. You might also consider taking Yahoo’s password-free Security Key option for a spin.

2. Be on alert for suspicious activity. It’s definitely important to look for signs of compromise on your account, such as emails you don’t remember sending, but you also need to keep in mind that many scammers like to pop out of the weeds whenever a data breach is announced and use it to their own advantage. Yahoo will be contacting all affected users by email, and you can see what that email is supposed to look like here. Be on the lookout for copycat emails or other attempts to prey on your desire to secure your account, as these could be phishing emails trying to take advantage of your heightened concern.

3. Consider purchasing identity theft protection. Because a significant amount of personal information, including names, birthdays and phone numbers, as well as the answers to security questions (which can be quite sensitive), was stolen in this breach, it doesn’t hurt to be extra cautious. Identity theft protection services can help you out in situations like this by monitoring various channels, including the Internet black market, for your details and notifying you if something is picked up. Additionally, you can keep an eye on your credit reports and take comfort in the knowledge that if your identity is stolen, you’ll have assistance with the reporting and identity restoration process every step of the way. Learn more about these services by reading our in-depth reviews.

Unfortunately, data breaches are a way of life for everyone these days. It’s tempting for individuals as well as businesses to go numb or experience cyber fatigue when it comes to these incidents, but the best way to combat cybercriminals is to remain vigilant and practice stringent security standards whenever possible. Learn more about protecting yourself in the wake of data breaches, scams and other things that go bump in the night by following our identity theft protection blog.