500 million accounts breached in Yahoo hack – are you a victim?


On the 22nd September 2016, technology giant Yahoo confirmed reports that information from “at least” half a billion user accounts, an unprecedented number, was stolen in a 2014 breach.

The leak includes email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. Yahoo was quick to blame a “state-sponsored actor.” The state-sponsored accusation was made because the attack is believed to resemble previous hacks traced to Russian intelligence agencies or hackers acting under their command.

News of a possible major attack on Yahoo first emerged in August, when data appeared for sale on the dark web.

For some reason, Yahoo didn’t call for a mandatory password reset when news of the attack first broke in August.

The company said in a statement at the time that it was “committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”

From Yahoo’s statement:

Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.

What to do if you’ve been a victim:

The message is simple: change your password. Immediately.

If you haven’t changed your Yahoo password since 2014, make a special effort to log in and follow the instructions to change your password when prompted.

Don’t just stop at your Yahoo password though. Make sure each account password is different, and make them all strong. Earlier in 2016 we discussed the death of passwords and introduced the concept of passphrases; you can view that article here.

Along with changing your password, you should also review your security questions and look at the option of enabling two-factor authentication. If you are one of the half a billion users who have been affected by the breach (you can find out here), you won’t have a choice about changing your security information, since Yahoo has invalidated your security questions for your safety.