Yahoo just announced that it was the victim of a devastating state-sponsored hack that resulted in the personal data of half a billion users being breached. If you’re a Yahoo user, your account may have been compromised.
It’s so far unclear exactly which accounts were breached. Yahoo says personal information “like names, email addresses, telephone numbers, dates of birth, [encrypted] passwords... and, in some cases, encrypted or unencrypted security questions and answers” were breached in the hack, but that banking information was safe. Just to be completely sure your info is secure, you should probably assume that you were hacked and spend some time beefing up your security. (Always a good idea!) Here are a few simple steps to get you started.
If you’re worried about anyone—especially state-sponsored actors—stealing your personal data, you should seriously consider switching your accounts to Google. Cybersecurity experts almost universally agree that Google has some of the best security that the general public can access. News that Yahoo was the victim of such a large-scale hack serves as further proof that the company isn’t on par with Google.
“Google spends an absurd amount of money on security and they have an amazing team,” Matthew Green, cybersecurity expert and professor at Johns Hopkins University, told Gizmodo. “It may be time to switch over [to Google]. It is really well known in our field that Google has an amazingly good security department.”
Making the switch over to Google could be tough, as it would mean changing your email address, but it may be worth it in the long run. If you’re committed to holding on to your Yahoo account for whatever reason, keep reading.
Here’s the most obvious advice: change your Yahoo password. Yahoo recommends using its Account Key service, which allows you to forgo a password and use a randomly generated code on your phone instead. But this allows anyone who has access to your phone to gain access to your Yahoo account. Not ideal. Instead, just use a strong password and two-factor authentication.
Changing all your passwords ensures that any password that was previously exposed in a breach won’t be used by a hacker to break into other accounts that use the same password. And don’t change your password to “p@$$w0rd” or something like that. Be sure to use a secure password or, preferably, an ultra-secure passphrase.
On that note, you really should use different passwords for every account you use. When you use a unique password on every service, you don’t have to worry about a hacker using that password to break into your other accounts after one gets breached. It can definitely be a hassle to remember a different password for every single account, so using a password manager is an easy way to keep all of your passwords under control.
Security doesn’t stop at secure, unique passwords. The most effective way to protect all of your accounts is to enable two-factor authentication wherever possible. Here’s a useful guide for which services offer two-factor authentication.
Any breach that leaks your personal information, like this Yahoo one, allows hackers to craft specialized phishing attacks. These manifest themselves as emails that look like they’re real and use your leaked personal information to convince you that they are legitimate. Yahoo specifically says, “The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”
Apply common sense here, and don’t trust any email out of the blue. Don’t click on links and definitely don’t download any files unless you’re sure you know who sent them. If the email sounds very dramatic or too good to be true, it probably is. If you haven’t done a password reset but you receive a password reset email, the email is probably someone trying to hack you.
Motherboard noticed earlier this year that Yahoo’s user data was up for sale. There’s not much you can do to prevent your personal information from being bought and sold once it’s on a dark web black market, but you can increase your online account security so that it’s much harder for hackers to utilize your stolen data to breach your accounts.
All of this seems pretty stressful, so the best option to avoid being hacked is to delete all of your accounts, fill up a warm bath, and throw all of your devices inside of it. Next, pack your bags and craft some hunting tools for your trek into the wilderness. Good luck.