  • FPCH Admin
Posted

Remember how, just three months ago, Yahoo had to admit that data for more than 500 million of its users had been compromised in 2014? It seems ridiculous to refer to something that hit 500 million people as the smaller of anything, but it turns out that was only the second overwhelmingly huge data breach Yahoo suffered in recent years. This week, it's admitting a previous, even larger intrusion that hit more than a billion — yes, with a B — user accounts.

 

This breach happened in 2013, Yahoo writes, and is likely distinct from the other breach they disclosed in September. The stolen data, however, comprises the same categories, including:

 

Names
E-mail addresses
Telephone numbers
Dates of birth
Hashed passwords
Encrypted and unencrypted security questions and answers

 

Yahoo also believes that some bad actors got access to proprietary code in order to forge cookies that let them log into users' accounts without even having a password, stolen or otherwise. The forged cookie incident, the company says, is probably related to the breach it reported in September.

 

Yahoo says it will be notifying "potentially affected users," but since that number is in the billions it seems safe to assume that means basically everybody. All potentially affected users (again, basically everyone) will be required to reset their password, and will have their existing unencrypted security questions and answers invalidated.

 

Don't consider yourself a Yahoo user? You still might be: in addition to all the Yahoo!-branded services and platforms the company offers, it also acquired Flickr in 2005 and Tumblr in mid-2013.

 

As for what users can do, good old-fashioned security rules mostly apply:

 

If you have a Yahoo account, change the password on it now
If you ever used the same password anywhere else as on your Yahoo account ever, change those now
Enable two-factor authentication (that thing where you get a secondary code texted to you) on every one of your accounts that you can
Consider using a password manager
If you use Yahoo as a login service for any other service, consider changing your accounts there, too

 

The FTC also maintains a step-by-step, customizable guide for consumers who have been the victim of data theft at IdentityTheft.gov, which is a useful resource if you've been part of basically any hack, breach, or other, more severe data loss.

 

News of this second breach is unlikely to go over well with, well, basically anyone. Yahoo was already facing Senate inquiries over the half-billion accounts hacked in 2014. And then there's that whole merger with Verizon thing, which is already looking troubled after it turned out that someone at Yahoo may have known about the 2014 hack more than two years before it was publicly disclosed.

 

Anything that affects the value of Yahoo in a big negative way can be a "material event" that lets Verizon walk away. Verizon leadership has already said that the 2014 hack may well be such a material event, so it's hard to see how another billion-user hack a year earlier wouldn't be as well.

 

Source: Consumerist

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~

  • FPCH Staff
Posted
Just make sure any password or secret answers you used for your Yahoo account aren't used for other accounts. If so, change the passwords and secret answers at the other places.
  • Like 2
Posted

Since the breach happened in 2013 and I've changed my password numerous times since, I doubt whether anyone got anything useful.

Also, Yahoo disabled the secret questions/answers. I use different passwords everywhere. I also never tell the truth on the secret questions so someone would really have to guess at my answers because they are not true facts anyone could find on the internet. Example of something I might use for an address: 1234 Main Street, Sin City, North Dakota.

 

Every time I've checked to see who has accessed my account, it appears to be our locale.

  • Like 2