News, search, and email giant Yahoo made an announcement today about a hack that has affected an estimated one billion users, or roughly most of its customers worldwide. This is not to be confused with the September 2016 news that the email accounts of 500,000 users had been hacked in 2014; the latest breach is believed to have affected its fans a year prior to the September event.
Why is this newsworthy if both hacks occurred more than two years ago? Because some of the information that is now “out there” is permanent, as far as securing all of your online accounts goes.
There is good news. The newly announced August 2013 breach does not appear to have impacted anyone’s payment information, meaning no credit card or bank account information is believed to have been compromised. Unfortunately, the information that was accessed seems to include names, email addresses, birthdates, phone numbers, and encrypted passwords, as well as unencrypted security questions.
The birthdates and security questions are the first troublesome part of this incident. Your birthdate is a permanent fixture, unless you wish to “change” your birthdate for internet security reasons. Likewise, your security questions—like the name of the city where you were born or the name of your first pet—are typically permanent pieces of information; again, you can create a brand-new persona with fake answers to those questions, but that requires you to remember which web account you gave which answer should you ever need to use the questions to login.
Your security questions are important because they let you change your password if you don’t have access to it. That means that the hackers could potentially change your password if you don’t change your questions. Of course, it may be too little too late for you to change that information. Once the hackers have gained access to the city of your birth—such as Pittsburgh, PA—changing it won’t stop them from using this knowledge to gain access to your other existing accounts if they share the same security questions.
The compromised phone numbers can be problematic as well. Two-step authentication, a security process that requires you to use a secondary form of login before you can access something like your mobile payment app, often relies on your mobile phone number. Unless you want to contact your cellular service provider and change your cellphone number as a precautionary measure, that’s semi-permanent, too.
So what do Yahoo users need to do right now? Change your passwords and your chosen security questions immediately. If you have any online retail accounts or bank accounts that relied on those same security questions, it’s a good idea to change those passwords too. In all fairness, changing your passwords routinely in the event of undisclosed data breaches is a good idea. Taking a few moments to secure your accounts will help keep you one step ahead of the latest data breach.
As always, anyone who believes their identity has been stolen or their personal data has been compromised is invited to connect with the ITRC through our 24-hour toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.