Seriously, what in the world is going on at Yahoo? The tech company reported a data breach in September that actually happened in 2014. Yahoo claimed that 500 million users were affected in that attack, but in reality it could have affected up to 3 billion accounts, making it the largest breach ever reported.
Until now. Yahoo reported late Wednesday that it has been hit with another massive data breach, and this one is bigger than the one reported in September.
Over 1 billion Yahoo user accounts were hacked back in 2013. That's almost every Yahoo customer worldwide. Simply unacceptable!
Yahoo Security Notice
Yahoo actually reported two separate security events on Wednesday. The first was the data breach that occurred in 2013 and the second was a more recent incident involving forged cookies that could allow scammers to access users' accounts without a password.
Here is the security notice Yahoo released describing what happened in both incidents:
"Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. Yahoo has not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016. We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
"Separately, our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016."
Yahoo is also recommending customers to take these actions:
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review all of your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a webpage asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Next steps you should take immediately!
In the most recently reported breach, stolen user account information may include email addresses, names, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers. At this time it's not believed that the stolen information included passwords in clear text, payment card data, or bank account information. Payment card and bank account information are stored in a separate system, which wasn't breached.
This is the second massive breach reported by Yahoo in the last few months. We just can't advocate keeping your Yahoo account at this point. It just seems too risky with all of the company's security problems.
With that said, here is how you can close your Yahoo account:
- Go to the "Terminating your Yahoo account" page.
- Read the information under "Before continuing, please consider the following information."
- Confirm your password - if you forgot your password, you can recover it with the Yahoo Sign-in Helper.
- Click Terminate this Account.
Remember, if you do close your Yahoo account, you will not be able to use services associated with it. If you decide to keep it, which we do not recommend, at the very least make sure you have a strong password. Here are three proven formulas for creating hack-proof passwords.
When Yahoo's massive breach was revealed in September, there were several updates in the following days. Keep checking in with our Happening Now section for any updates related to the newly reported breach.