3 Billion Yahoo Accounts Hacked: What You Can Do

UPDATED 7:40 a.m. EDT Wednesday with links to Yahoo FAQ and other postings.

If you had a Yahoo account in 2013, your username and password were stolen. Period.

Credit: dennizn/Shutterstock

That's what Verizon, new owners of Yahoo's online services, admitted today (Oct. 3). The number of accounts compromised in the 2013 Yahoo data breach, disclosed in December 2016 and already the largest on record, is no longer 1 billion — it's now 3 billion.

Verizon revised the numbers after it "received new information from outside the company," The Wall Street Journal reported. Every account held with Yahoo at the time of the breach is thought to have been affected.

What You Can (and Can't) Do

If you hadn't already changed your Yahoo password (or deleted your Yahoo account) when the 1-billion-user breach was disclosed a year ago (or when the different, 500-million-user breach from 2014 was disclosed a couple of months before that), then now is the time to do so. Don't forget to change that password anywhere else you used it as well.


Other than changing passwords (and we recommend a good password manager to keep them all strong, secure and unique), you should make sure to unlink your mobile devices from your Yahoo accounts and then relink them using new passwords. Also, turn on two-factor authentication on Yahoo and on any other online service that allows it, such as Google, Facebook, Microsoft, Apple and Dropbox.

We always recommend that victims read our tips for surviving a data breach, but in this case, the horse left the barn 4 years ago.

At this rate, it's not a stretch to imagine that many people who had Yahoo accounts in 2013-2014 had their account details stolen not once, but multiple times.

Worst Breach Ever?

A spokesman for Oath, the new company formed by Verizon containing Yahoo's online services, said Oath would immediately begin notifying the holders of the 2 billion additional accounts now known to have been compromised. The number will be far less than 2 billion people, as many individuals held more than one account on Yahoo or its subsidiaries, which include Flickr and Tumblr.

The number of affected Yahoo accounts is staggering, but the Equifax data breach disclosed nearly a month ago is still far worse.

The Yahoo breaches exposed usernames and passwords and let miscreants take over Yahoo accounts (and any other accounts that used the same credentials). The Equifax breach exposed names, addresses, dates of birth and Social Security numbers of 145 million U.S. residents. Those are the keys to a person's entire identity, and anyone holding them could do nearly anything in someone else's name.

The company that was Yahoo still exists as an independent entity. It is now called Altaba and is mainly a holding company for the shares in Yahoo Japan and the Chinese internet company Alibaba, both of which greatly appreciated in value after Yahoo acquired them many years ago.

Yahoo was one of the first web-only companies, and pioneered many things that we now take for granted, but these gargantuan data breaches will, deservedly or not, be its lasting legacy.

UPDATE: Yahoo posted a press statement, an SEC filing and an updated FAQ about the 2013 data breach to provide more information.

6 comments
  • bobxp46
    The author may be interested to know that I had a Lifelock account for all of 90 days when my main credit card company informed me of fraudulent charges on my card which they had blocked! Then within the course of a week, I started receiving bank letters denying me credit that I had not applied for. I called Lifelock and informed them of the breach and they had the audacity to say "before we continue I must read you a disclaimer". Then they promptly read me a legal statement saying they were not responsible for anything! I asked the agent what the hell I was paying them for; they had missed it all! Needless to say, I no longer do business with those worthless money-sucking web ticks. Tom, my experience may be unique, but at age 71 I have lived long enough to know a seriously worthless scam when I see one. Seriously doubt if I am alone. Capital One and TransUnion stopped the problem but not before my credit rating fell some 50 points. I must also give Chase a pat on the back as one call to them prevented serious damage to that account. Tom, my daddy the Colonel always said a man is known by the company he keeps; you have been informed, I'll say no more.
    0
  • Paul Wagenseil
    Anonymous said:
    The author may be interested to know that I had a Lifelock account for all of 90 days when my main credit card company informed me of fraudulent charges on my card which they had blocked! Then within the course of a week, I started receiving bank letters denying me credit that I had not applied for. I called Lifelock and informed them of the breach and they had the audacity to say "before we continue I must read you a disclaimer". Then they promptly read me a legal statement saying they were not responsible for anything! I asked the agent what the hell I was paying them for; they had missed it all! Needless to say, I no longer do business with those worthless money-sucking web ticks. Tom, my experience may be unique, but at age 71 I have lived long enough to know a seriously worthless scam when I see one. Seriously doubt if I am alone. Capital One and TransUnion stopped the problem but not before my credit rating fell some 50 points. I must also give Chase a pat on the back as one call to them prevented serious damage to that account. Tom, my daddy the Colonel always said a man is known by the company he keeps; you have been informed, I'll say no more.


    That's very interesting. Can you provide more information about what LifeLock's disclaimer said? And did the LifeLock representative you spoke to mention the company's "million-dollar-protection" feature? The company is supposed to give you a financial cushion in such situations.

    As for Chase, I can speak from personal experience that its customer fraud protection is excellent.
    0
  • monseemian
    Isn't Lifelock the same company whose CEO was a victim of hacking/identity theft himself :-)

    With Equifax's failure in such a grand way, consumers are only beginning to realise what kind of frauds and thieves they have entrusted their identity/credit security with, all this time.
    0