The company said on Thursday at least 500 million user accounts
were affected by a massive data breach. The hack happened in 2014, when
a "state-sponsored actor" stole account information, including names,
emails, passwords, telephone numbers and answers to some security
questions.
So what should you do if you have a Yahoo account?
First and foremost, you'll want to change your password immediately.
All Yahoo account holders should also change their security questions
and answers.
If your account is one Yahoo suspects was compromised, you'll be
prompted to enter a new password as soon as you log on. If you used the
same password on other accounts, change those, too.
Here are other steps to take to secure your online accounts.
Change passwords often
Yahoo is asking anyone who hasn't changed their password since 2014 to
update it. This is good advice for everyone: Passwords should be changed
often. You won't always get a timely notice from a company that an
account was compromised -- and sometimes it might not even know about a
hack until much later. In this case, it took two years for the company
to confirm the breach.
Never use the same password twice
If hackers get the
password for one of your online accounts, they can try to use it to
access your other accounts that take the same credentials.
Pick better passwords
Consider using a phrase instead of single words that are more easily
guessed. Don't go for common phrases like cliches: Pick a combination of
words that don't go together -- for example, rather than "herecomesthesun," go
for something like "waterfiresnowsunshine".
Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and special characters.
Use a password manager
Since strong unique passwords are a huge pain to memorize, try a
password manager like 1Password or LastPass. These platforms generate
and store passwords and security answers for every account you have, so
you only have to remember a single master password.
Update those security questions
If you forget a password, using security questions is an easy way to
regain access to your own account -- it's not like you'll ever
forget your mom's maiden name. But some Yahoo security answers and
questions were a part of the breach. The company has already disabled
any unencrypted security answers on its accounts.
If you
frequently use the same security questions and answers for other online
accounts, you'll want to change those, as well. Attackers could use the
information taken from Yahoo to obtain access to other online accounts
that contain even more sensitive information.
Avoid choosing
the obvious questions and don't provide answers that are easy to find
online through Google searches or social media sites.
Be alert
The company is urging users to look through their Yahoo accounts
(email, calendar, groups, etc.) for any signs of suspicious activity.
Although it doesn't say what to look for, start by checking outgoing
emails.
Be extra careful about clicking on links or opening downloads from
unknown email addresses. If anyone emails asking for your password, it's
a red flag -- even if it looks like it's coming from a legitimate place
like Yahoo or a bank. Never share any account information or passwords
over email.
Turn on two-factor authentication
On its own, a password isn't a strong line of defense. Adding a second
type of authentication, like a one-time code sent over text message or
generated by an app, can make your online accounts much more secure.
Yahoo is recommending people turn on its two-factor authentication tool:
Yahoo Account Key. It even eliminates the need to memorize a Yahoo
password.
If you use the Yahoo Android or iOS app, log in to
your account, go to your profile and select Account Key. You can also
set it up in a web browser. Each time you try to access your account,
Yahoo will send a confirmation to your phone.
While it's certainly an extra step, make it a part of your daily routine. Next time there's a story about a massive data breach, you'll be glad you did.