Think you weren't affected by Yahoo's massive account breach? Think again-Yahoo's parent company just revealed that no account was left untouched by the 2013 attack.
Yahoo's parent company, Oath, revealed in a press release that every single Yahoo account was affected by a massive 2013 breach. That report triples the number of compromised accounts from one billion to three, and encompasses all Yahoo sites, Flickr, Rivals.com, fantasy sports, and Tumblr.
If you had an account on any Yahoo affiliated site in 2013 you are affected—no exceptions. That doesn't mean you need to worry about someone hijacking your email, stealing your company's Flickr photos, or tanking your fantasy football team.
Here's what Yahoo users can do to protect themselves. Quite frankly, these aren't optional actions at this point. If you have a Yahoo account that's more than four years old you need to choose at least one of these options for securing yourself.
Yahoo: the breach that keeps on giving
In 2016 the world learned that hundreds of millions of Yahoo account credentials were for sale on the dark web.
Along with account credentials, hackers captured names, email addresses, telephone numbers, dates of birth, and security questions and their answers—basically everything a phishing attack needs to succeed.
SEE: The 18 most frightening data breaches (TechRepublic)
Yahoo admitted that 500 million accounts were stolen in 2014, then the number grew to a further one billion stolen in 2013. After that we learned that a further 32 million accounts were compromised from 2015 to 2016 in a forged cookie attack.
The latest revelation means none of that matters.
How to protect your account
The best way to protect yourself is to completely get rid of your Yahoo account. You don't need to worry about losing all your emails if you move to Google—Gmail has a handy import feature that is discussed in detail, along with steps to close your Yahoo account, in this CNET article.
Keep in mind that closing your Yahoo account will lose you access to all the sites associated with it. That includes fantasy sports, email, Tumblr, and Flickr. That's not necessarily feasible for everyone, especially those who use Flickr for business portfolios.
SEE: The Four Volume Cyber Security Bundle (TechRepublic Academy)
If you're in a position where erasing yourself from Yahoo isn't possible, you need to take steps to protect your account. Yahoo has done a lot of that for you, such as flagging accounts for a forced password change and invalidating compromised security questions.
It isn't a bad idea to take that into your own hands—better safe than sorry.
You can login to Yahoo here to change your password or security questions.
As an added precaution, consider adding a Yahoo Account Key—it's a two-factor authentication method that requires you to verify your login on a mobile phone. You won't need to type your password after setting it up, either: Just type your username to log in to Yahoo like you normally would and you'll get an approve/deny request on your smartphone.
If you have additional questions about updating your security settings in light of the 2013 breach you can find answers on Yahoo's FAQ page for the subject.
It wasn't just your Yahoo account that was affected
In the panic to secure Yahoo accounts it's easy to forget that other personally identifying details were leaked as well. Other email addresses, phone numbers, birth dates, and especially security questions, can be used to gain access to other accounts.
In short, this total breach of Yahoo's accounts is terrifying not for the compromised accounts, but for all the personally identifying information that has been exposed. That information could be used to gain access to countless other accounts, causing headaches for roughly three billion people—that's 40% of the total population of the world.
Don't stop at securing your Yahoo account. Make sure you keep an eye out for suspicious activity on other accounts, questionable emails, and unexpected changes to your financial records. Update the security settings on those other accounts while you're at it too—especially if you've used the same security questions.
The top three takeaways for TechRepublic readers:
- Yahoo's parent company recently announced that the 2013 security breach affected every single Yahoo account that existed at the time.
- Yahoo users who had an account in 2013 need to take steps to secure it by logging in and changing passwords and security questions. Affected users should also add a Yahoo Account Key for an added layer of security.
- The total account breach at Yahoo also exposed a considerable amount of personally identifying information. Affected users should secure other accounts and keep an eye out for suspicious activity.
- Forrester: What can we learn from a disastrous year of hacks and breaches? (TechRepublic)
- Yahoo says all 3 billion accounts hit by 2013 hack (ZDNET)
- 66% of SMBs would shut down or close if they experienced a data breach (TechRepublic)
- Deleting your Yahoo email account? Yeah, good luck with that (ZDNET)
- Special report: How to choose and manage great tech partners (free PDF) (TechRepublic)
- Identity theft protection policy (Tech Pro Research)