On Wednesday, Yahoo announced an enormous data breach, believed to be the largest ever for an email provider, according to the Associated Press. While data breaches have become depressingly common, the incident reported by Yahoo is especially worrisome because of the enormous scope of those affected, as well as the sensitive nature of information leaked.
Here’s everything you need to know about the hacks:
More than 1 Billion Users Affected
Yahoo says that “data associated with more than one billion user accounts” was stolen in August 2013. That is a separate, unrelated episode from the 2014 incident that Yahoo announced in September 2016, in which personal information was stolen from 500 million users.
The 2014 incident was at the time considered the biggest data breach ever — but the 2013 hack, reported this week, obviously blows the 2014 data breach away in terms of how many users are impacted.
Very Sensitive Information Leaked
“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo says of the 2013 data breach. A “hashed password,” Yahoo says in the new security notice, involves a special safety measure in which a mathematical function “converts an original string of data into a seemingly random string of characters.” Yahoo also says that it’s in the process of investigating how hackers created forged cookies, which allow them to access user accounts without the requirement of a password.
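The notice's distinction between "hashed" passwords and clear-text passwords matters less than the hash that was used. Unsalted MD5 is a fast general-purpose hash: identical passwords produce identical digests, and the digest of a common password can be looked up in precomputed tables, so a database of MD5 digests protects users far less than one built with a salted, deliberately slow password hash. The following Python example, added here for illustration and not code from Yahoo or from the article, stores a constructed set of three accounts both ways and shows the difference: two users sharing a password are indistinguishable under MD5 but get unrelated records under salted PBKDF2-HMAC-SHA256, which is verified with a constant-time comparison. The account names, passwords and iteration count are all assumed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two of the three accounts chose the same password.
USERS: Dict[str, str] = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
}

# Assumed work factor; production systems should use the highest cost they can afford.
ITERATIONS = 200_000


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the notice says protected the 2013 passwords.

    No salt and no work factor: equal passwords give equal digests, and the
    digest of a common password can be recognised without any guessing.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in the form 'pbkdf2$iter$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def md5_table(users: Dict[str, str] = USERS) -> Dict[str, str]:
    """Account -> unsalted MD5 digest, as a leaked 2013-style table would look."""
    return {account: md5_hash(pw) for account, pw in users.items()}


def pbkdf2_table(users: Dict[str, str] = USERS) -> Dict[str, str]:
    """Account -> salted PBKDF2 record; every entry is unique even for shared passwords."""
    return {account: pbkdf2_hash(pw) for account, pw in users.items()}


def accounts_sharing_a_digest(table: Dict[str, str]) -> int:
    """Number of accounts whose stored value is identical to another account's value."""
    counts: Dict[str, int] = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak, strong = md5_table(), pbkdf2_table()
    print("accounts exposed by a shared MD5 digest:", accounts_sharing_a_digest(weak))
    print("accounts exposed by a shared PBKDF2 record:", accounts_sharing_a_digest(strong))
    print("alice logs in with the right password:", pbkdf2_verify("hunter2", strong["alice@example.com"]))
    print("alice logs in with the wrong password:", pbkdf2_verify("hunter3", strong["alice@example.com"]))
```

Running the script shows two accounts exposed by a shared MD5 digest and none under PBKDF2, and that verification still succeeds for the correct password. The same property is why the notice's advice to change a reused Yahoo password everywhere is the right call: once an unsalted MD5 digest is matched to a password, every service where that password was reused is at risk.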
The breach apparently didn’t extend to users’ credit card numbers or bank accounts — although information such as one’s date of birth, email, and telephone number can be used in identity theft and phishing scams. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” Yahoo said. “Payment card data and bank account information are not stored in the system the company believes was affected.”
Most alarming of all, the breaches may have put information related to national security at risk. Bloomberg reported that upward of 150,000 U.S. government and military employees — including members of the FBI, CIA, White House, and others working with extremely sensitive information — are among those affected by the Yahoo hack, because they gave Yahoo their work email addresses as backups in case they were ever locked out of their Yahoo accounts. Now that information is in the hands of cybercriminals.
“It’s a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security,” the Bloomberg article noted.
How to Know If You’ve Been Hacked
Whenever someone is a victim of a data breach, the company involved typically must reach out and alert each affected individual. Of the newly reported 2013 breach, Yahoo says, “We are notifying potentially affected users and posting additional information on our website. Additionally, we are taking steps to secure users’ accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”
Do not take alerts such as these lightly, even if the affected account is one you rarely use. If your email provider suggests you change your password, security questions, or other information, just do it. If you use that same Yahoo password elsewhere — something you’re not supposed to do, but many people do anyway — the safest step is to change those passwords too.
To Protect Yourself From Scams, Be Vigilant
While this is always true, it’s especially important for victims of the breach: Be on guard when receiving unsolicited communications. This applies even to messages that appear to come from your email provider or bank alerting you of a data breach. Hackers have been known to send such messages as ploys to get users themselves to expose sensitive information. Yahoo says that its messages will always show the company’s “Y” icon as proof of legitimacy.
Be aware that messages that are legitimate almost never ask you to click on links or download attachments, and financial institutions will never request that you provide PINs, account numbers, passwords, and the like via email. “If an email you received about these issues prompts you to click on any links, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information,” Yahoo says. “Avoid clicking on links or downloading attachments from such suspicious emails.”
In order to be proactive and ward off future hacks, create secure passwords, and change them regularly — every six months or so. If you ever suspect an email message or phone call might be a scam, the standard advice is to look up the company’s phone number and call it directly to check if it was, in fact, reaching out to you.
Remember: Unless you’re 100% sure who you’re communicating with, never, ever reveal even seemingly harmless personal information — let alone Social Security numbers, bank account numbers, or other info that could pose obvious dangers in the hands of a criminal.