In September, Yahoo disclosed that at least a half billion Yahoo accounts were jeopardized by hackers. Names, email addresses, passwords, telephone numbers, dates of birth, security questions and answers, and more were “scraped” from Yahoo accounts in 2014. Now, in December, Yahoo has disclosed again that in August 2013, “an unauthorized third-party accessed our proprietary code to learn how to forge cookies.” The 2013 breach stole data from more than 1 billion user accounts. The information included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, but not, says Yahoo, payment card data and bank account information. So if you’re a former or current Yahoo account holder, what does that mean to you and what can you do about it?
Updated on 12-14-2016 by Bruce Brown: Updated to include information released in December 2016 about an additional 1 billion Yahoo accounts accessed in August 2013.
Well first off, take a breath. If nothing horrible has happened to your email or other password protected accounts so far, chances are you’re actually OK, for the moment anyway. But just because nothing has happened yet, that doesn’t mean you’re safe. Sometimes hackers themselves or people who buy hacked account info hoard the data for years before taking action.
So, if you had a Yahoo account anytime before the beginning of 2015, there are several steps you should take to be prudent, whether or not you use your Yahoo account now.
A general warning: Before you start to change passwords or anything else with your accounts, be very careful with any email you receive about the Yahoo security issue. Nothing Yahoo sends will ask you to click links or download attachments. Yahoo will not ask you to supply personal information via email. Even if you receive an email that looks like it’s from Yahoo, if you are asked to click a link, download an attachment, or provide personal information, the email was not actually sent by Yahoo and may be from someone trying to steal your personal information.
Change your password
Now let’s start with the different actions levels to take, from immediate to very soon.
If you have a Yahoo account, change your password and disable your security questions today. How do you do that? To start, be sure you know your current password — you’ll need it to make changes in any security settings.
In the upper right-hand corner of the Yahoo screen click on the little gear icon. If you see a menu item for “Settings,” that’s not it. Look for “Account Info,” which will probably be at the bottom of the menu. Next, click “Account Security.” At this point you will likely be required to enter your current password.
In the Account Security screen that comes up next, you will see “Change password” and “Disable security questions” in blue type while the other options are in black type. Yahoo has highlighted those two with blue letters because both were potentially compromised. Passwords were taken from all hacked accounts and unencrypted security questions and answers were stolen from many accounts.
When you click Change Password, you’ll see a new screen on which to enter a new password twice. Be sure to make up a brand new password, not one you use on any other account. More on that below.
Also remember you will need to reset your password on other devices where your old password — which will no longer work — may be stored. For example, you may check your email on a smartphone, tablet, or an ebook reader — if so you’ll need to reset each one.
Update: More than one reader has reported that when they tried to reset their Yahoo password using the standard password recovery process they were taken back to the original sign in page. One reader had success with the following, “Simple answer, don’t use password recovery but use the Hacked account or any of the other headings where you get to send a message to a support person. After three or four posts, plus posting on Yahoo Support Facebook page, I received an email from support and the passwords were reset through a Gmail account. Took way longer than I would like but it was much better than setting a completely new account.”
Disable security questions
After changing your password, click “Disable security questions” on the Account Security screen. You’ll see what your questions were, and you’ll be prompted to disable them to protect your account. You can reset your security questions later.
The next screen after disabling your security questions will present any currently listed account recovery email addresses and phone numbers. If you don’t have either, it’s a good idea to set at least one of each so you won’t be locked out of your account.
When you’ve changed your password and disabled your security settings, your Yahoo account is protected. But there’s more to do.
Change similar passwords on any non-Yahoo accounts
Hackers know that many if not most of us reuse the same passwords and security questions. Therefore, if you have ever done that — and if not, you can join a very short list — you will need to change your passwords on your other accounts because they are in jeopardy. Go to all of your other accounts including email accounts, banks accounts, social media accounts, merchant accounts such as Amazon, media accounts like Netflix, and any other online accounts you use and change the passwords. Also, change the security questions and answers for any account where they were required.
There are other measures you can take to protect your accounts including two-factor authentication, using the Yahoo Account Key, or specialized password security programs. The first steps, though, with no delay, are to change your Yahoo password, disable personal security questions, and then sweep through all your existing accounts (and former accounts if you can remember them) and reset all passwords.
Updated on 10-02-2016 by Bruce Brown: Updated to include reader suggestion to get password change assistance from Yahoo support.