UPDATED 7:40 a.m. EDT Wednesday with links to Yahoo FAQ and other postings.
If you had a Yahoo account in 2013, your username and password were stolen. Period.
That's what Verizon, new owners of Yahoo's online services, admitted today (Oct. 3). The number of accounts compromised in the 2013 Yahoo data breach, disclosed in December 2016 and already the largest on record, is no longer 1 billion — it's now 3 billion.
Verizon revised the numbers after it "received new information from outside the company," The Wall Street Journal reported. Every account held with Yahoo at the time of the breach is thought to have been affected.
What You Can (and Can't) Do
If you hadn't already changed your Yahoo password (or deleted your Yahoo account) when the 1-billion-user breach was disclosed a year ago (or when the different, 500-million-user breach from 2014 was disclosed a couple of months before that), then now is the time to do so. Don't forget to change that password anywhere else you used it as well.
Other than changing passwords (and we recommend a good password manager to keep them all strong, secure and unique), you should make sure to unlink your mobile devices from your Yahoo accounts and then relink them using new passwords. Also, turn on two-factor authentication on Yahoo and on any other online service that allows it, such as Google, Facebook, Microsoft, Apple and Dropbox.
We always recommend that victims read our tips to surviving a data breach, but in this case, the horse left the barn 4 years ago.
At this rate, it's not a stretch to imagine that many people who had Yahoo accounts in 2013-2014 had their account details stolen not once, but multiple times.
Worst Breach Ever?
A spokesman for Oath, the new company formed by Verizon containing Yahoo's online services, said Oath would immediately begin notifying the holders of the 2 billion additional accounts now known to have been compromised. The number will be far less than 2 billion people, as many individuals held more than one account on Yahoo or its subsidiaries, which include Flickr and Tumblr.
The number of affected Yahoo accounts is staggering, but the Equifax data breach disclosed nearly a month ago is still far worse.
The Yahoo breaches exposed usernames and passwords and let miscreants take over Yahoo accounts (and any other accounts that used the same credentials). The Equifax breach exposed names, address, dates of birth and Social Security numbers of 145 million U.S. residents. Those are the keys to a person's entire identity, and anyone holding them could do nearly anything in someone else's name.
The company that was Yahoo still exists as an independent entity. It is now called Altaba and is mainly a holding company for the shares in Yahoo Japan and the Chinese internet company Alibaba, both of which greatly appreciated in value after Yahoo acquired them many years ago.
Yahoo was one of the first web-only companies, and pioneered many things that we now take for granted, but these gargantuan data breaches will, deservedly or not, be its lasting legacy.