By now I'm sure that you have heard of the massive data breach at Yahoo. The breach happened back in 2014 but we didn't find out about it until recently. Information that may have been stolen includes email addresses, names, telephone numbers, hashed passwords, birthdays and even encrypted or unencrypted security questions and answers.
When the breach was finally reported, Yahoo confirmed that at least 500 million of its users were affected. But is that number accurate? A former Yahoo insider says that number could be more than double!
An anonymous former executive with Yahoo told Business Insider that the data breach could have actually affected up to 3 billion accounts. The exec said that Yahoo's back-end system is organized in such a way that the number of compromised accounts could be much larger than reported. The number could actually be between 1 billion and 3 billion.
What makes the number of potentially affected accounts so high is Yahoo's use of one main user database (UDB) for authentication. When a customer accesses any Yahoo account like email, finance or fantasy sports, all of their usernames and passwords are verified through the UDB.
The former exec says the UDB is massive. When the hack took place in 2014, there were an estimated 700 million to 1 billion monthly active users of Yahoo products. There were also many inactive accounts that were not deleted. Currently, Yahoo has over 1 billion monthly active users globally.
Yahoo has not said how the breach happened, or when it was discovered for that matter. It is under investigation.
What you need to do
Even if you don't have a Yahoo account that you know of, you may still be affected by the hack if you use any of these Yahoo-owned services:
- Tumblr, a blogging service
- Flickr, a photo sharing site
- Yahoo Sports, if you play Fantasy Football
- Yahoo-branded services that you access with your Yahoo account, like Yahoo Messenger, Yahoo Shopping, Yahoo Music, etc.
- Yahoo Smart TV services on your smart TV (usually associated with the Vizio brand)
If you have any of these accounts, please review your credentials as soon as possible and secure your account by changing your passwords.
To secure your Yahoo account, here's what you need to do:
1. Change your Yahoo password now
As advised by Yahoo, if you haven't done so, change your Yahoo account password now, especially if you haven't updated it since 2014.
2. Change your Yahoo secret questions and answers
To do this, sign in to your Yahoo account, go to the Account Info page and then to Sign-in and Security.
3. Enable Two-step Verification
After changing your Yahoo password and secret questions, we recommend turning on two-step verification for your Yahoo account.
Two-step verification will send a security code by SMS to your smartphone whenever someone tries to log in to your Yahoo account from an unknown device. This code, together with your password, adds an extra layer of security to your account.
To turn this on, go to your Yahoo Account Info page >> Account Security >> Switch "Two-step verification" to "On" >> Enter your phone number. Click Send SMS and enter the code supplied by text message to verify your number.
4. Set up a Yahoo Account Key
Beyond Two-step Verification, you can also set up a Yahoo Account Key. This will eliminate any need for a password to log in to your Yahoo account. With an Account Key, to sign in to a Yahoo service, you'll just need your username and the sign-in notification sent to your mobile phone.
5. Use a password manager
You can also use a third-party password manager to automatically create unique and complex passwords for you across multiple sites.
We suggest an offline, free password manager, such as KeePass, to keep all of your passwords safely secured.