Yahoo's Biggest Data Hack: What You Should Do Now

These three steps can help you protect your security

Lisa Werner#121365

Update: On April 10, Yahoo proposed a $117.5 million settlement involving data breaches in 2013 and 2014 that affected about 200 million consumers. This could be the largest ever settlment for a data breach, but the terms still need to be approved by U.S. District Court Judge Lucy Koh.

Those funds will be largely used to compensate consumers who would get free credit monitoring from All Clear, while those already paying for credit monitoring could be eligible for a cash payment. Account holders who paid up to $50 annually for Yahoo's premium e-mail account could also be eligible for a refund of up to 25 percent.

Consumers who spent time protecting their identities or were otherwise inconvenienced would be able to seek reimbursement for their time at a rate of $25 per hour, capped at 15 hours for a total of $375. No timetable for Judge Koh's decision has been set, but in January she rejected Yahoo's previous $50 million settlement offer as insufficient. This story was originally published on Dec. 15.

Yahoo's latest disclosure of a data breach involves more than one billion accounts, making it the largest in history. And though the attack—which actually happened in 2013—is only now being reported, it's not too late for Yahoo users to protect themselves.

First off, it's probably a good idea to stop using your mother's maiden name as a security question.

According to Yahoo's announcement on Wednesday, the information stolen in the 2013 attack includes names, phone numbers, encrypted passwords, and, in some cases, unencrypted security questions that can be used to reset a password not only on Yahoo, but on other sites as well.

The answers to security information may be the most sensitive data. Many online social, banking, and shopping services use the same security questions, and if consumers answer the questions honestly, the Yahoo data breach could enable hackers to change the passwords for non-Yahoo accounts.

"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," Yahoo wrote in a statement on its website. "Payment card data and bank account information are not stored in the system the company believes was affected."

Wednesday's announcement comes just three months after Yahoo revealed that more than half a billion accounts had been targeted in 2014 in what it called a state-sponsored attack.

"We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," wrote Yahoo's Chief Information Security Officer, Bob Lord on the company's website.

Yahoo is stepping up its response to this most recent data breach, forcing users to change their passwords. In the attack announced in September, the company urged, but did not require, users to change their passwords.

"We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords," Yahoo says on its website. "Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account."

Whether your Yahoo account has been hacked or not, all users should follow these steps to boost their online security. (There are more tips on protecting your privacy and security in our extensive guide.)

Kill Ghost Accounts

One of the first questions about the massive hack is whether Yahoo even has a billion users to hack. Some users may have had multiple accounts, driving up the number.

But it’s also true that many people who currently have Gmail or other accounts may once have created a Yahoo account, one that has been unused for years.

Such accounts are a security liability: Consumers are getting no value from them, but can be victimized by a data breach. It's wise to delete unused accounts, not just at Yahoo, but everywhere.

And that's not just about email accounts. The same advice applies to mobile apps and accounts for shopping, household budgets, social media, and so on.

Keep in mind that terminating a Yahoo account doesn't lead to your personal information being deleted right away. Yahoo's website explains that user data remains on the company's servers for about 90 days, and that backups of that data may be retained indefinitely.

Change Security Answers

The “basic security questions” that websites use for password recovery are a weak link in your digital defenses. Why? Because the answers don’t change from site to site.

Some of the answers—what's your mother's maiden name?—can probably be gleaned from your Facebook postings. And they could be the most valuable data stolen in a data breach like the one Yahoo just reported.

And, by the way, this is the same kind of data stolen in the previous Yahoo data breach.

“What’s disconcerting to me is the breach of the password-recovery data,” Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University, told us at that time.

You can use a password manager to generate random strings of characters to insert in the security answer boxes. Or, simply make up fake information that you record somewhere.

The general principle is to treat the security answers with the same care you apply to your password. Writing down your real hometown is like using the same password for every account, and making it a bad one, at that.

Beware Phishing Attacks

Hackers armed with information from this data breach may send out e-mails or even call on the phone hoping to lure consumers into giving up passwords or other personal information.

If past data breaches are a guide, consumers may even receive emails that appear to be from Yahoo, asking for further data to help fix the problem. Never provide passwords or PINs over the phone or through email.

And if you want to check the activity on a bank or other online account, type the URL into the browser yourself; don't follow a link from an email.

This article has been updated with additional information.

You’ve Been Hacked

Have you experienced suspicious activity on your online accounts? On the "Consumer 101" TV show, Consumer Reports expert Thomas Germain explains how to take back control of your digital privacy.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.