3 Billion Yahoo Accounts Hacked: What You Can Do

UPDATED 7:40 a.m. EDT Wednesday with links to Yahoo FAQ and other postings.

If you had a Yahoo account in 2013, your username and password were stolen. Period.

Credit: dennizn/Shutterstock

That's what Verizon, new owners of Yahoo's online services, admitted today (Oct. 3). The number of accounts compromised in the 2013 Yahoo data breach, disclosed in December 2016 and already the largest on record, is no longer 1 billion — it's now 3 billion.

Verizon revised the numbers after it "received new information from outside the company," The Wall Street Journal reported. Every account held with Yahoo at the time of the breach is thought to have been affected.

What You Can (and Can't) Do

If you hadn't already changed your Yahoo password (or deleted your Yahoo account) when the 1-billion-user breach was disclosed a year ago (or when the different, 500-million-user breach from 2014 was disclosed a couple of months before that), then now is the time to do so. Don't forget to change that password anywhere else you used it as well.

Other than changing passwords (and we recommend a good password manager to keep them all strong, secure and unique), you should make sure to unlink your mobile devices from your Yahoo accounts and then relink them using new passwords. Also, turn on two-factor authentication on Yahoo and on any other online service that allows it, such as Google, Facebook, Microsoft, Apple and Dropbox.

We always recommend that victims read our tips for surviving a data breach, but in this case, the horse left the barn 4 years ago.

At this rate, it's not a stretch to imagine that many people who had Yahoo accounts in 2013-2014 had their account details stolen not once, but multiple times.

Worst Breach Ever?

A spokesman for Oath, the new company formed by Verizon containing Yahoo's online services, said Oath would immediately begin notifying the holders of the 2 billion additional accounts now known to have been compromised. The number will be far less than 2 billion people, as many individuals held more than one account on Yahoo or its subsidiaries, which include Flickr and Tumblr.

The number of affected Yahoo accounts is staggering, but the Equifax data breach disclosed nearly a month ago is still far worse.

The Yahoo breaches exposed usernames and passwords and let miscreants take over Yahoo accounts (and any other accounts that used the same credentials). The Equifax breach exposed names, addresses, dates of birth and Social Security numbers of 145 million U.S. residents. Those are the keys to a person's entire identity, and anyone holding them could do nearly anything in someone else's name.

The company that was Yahoo still exists as an independent entity. It is now called Altaba and is mainly a holding company for the shares in Yahoo Japan and the Chinese internet company Alibaba, both of which greatly appreciated in value after Yahoo acquired them many years ago.

Yahoo was one of the first web-only companies, and pioneered many things that we now take for granted, but these gargantuan data breaches will, deservedly or not, be its lasting legacy.

UPDATE: Yahoo posted a press statement, an SEC filing and an updated FAQ about the 2013 data breach to provide more information.

  • bobxp46
    The author may be interested to know that I had a Lifelock account for all of 90 days when my main credit card company informed me of fraudulent charges on my card which they had blocked! Then within the course of a week, I started receiving bank letters denying me credit that I had not applied for. I called Lifelock and informed them of the breach and they had the audacity to say "before we continue I must read you a disclaimer". Then they promptly read me a legal statement saying they were not responsible for anything! I asked the agent what the hell I was paying them for; they had missed it all! Needless to say, I no longer do business with those worthless money-sucking web ticks. Tom, my experience may be unique, but at age 71 I have lived long enough to know a seriously worthless scam when I see one. Seriously doubt if I am alone. Capital One and Transunion stopped the problem but not before my credit rating fell some 50 points. I must also give Chase a pat on the back as one call to them prevented serious damage to that account. Tom, my daddy the Colonel always said a man is known by the company he keeps; you have been informed, I'll say no more.
  • Paul Wagenseil
    That's very interesting. Can you provide more information about what LifeLock's disclaimer said? And did the LifeLock representative you spoke to mention the company's "million-dollar-protection" feature? The company is supposed to give you a financial cushion in such situations.

    As for Chase, I can speak from personal experience that its customer fraud protection is excellent.
  • monseemian
    Isn't Lifelock the same company whose CEO was a victim of hacking/identity theft himself :-)

    With Equifax's failure in such a grand way, consumers are only beginning to realise what kind of frauds and thieves they have entrusted their identity/credit security with, all this time.
  • thereg.p
    One other question is what happens when, not if but when, LifeLock gets hacked? No company, organization or entity with connections to the internet is 100% immune to being hacked/attacked.
  • bogarus
    Chase Bank? Hell NO! Just two weeks ago, Chase caught someone trying to cash a check (ours), fraudulently into a wrongly named account. The check was from the US Treasury and had our name and address on it. We are a client of Chase. Instead of notifying us by looking up our account, they sent a valid, cash-able check back to the perpetrator for a large amount. Chase Bank is an accomplice to identity theft--they participate in it daily because they do not care.

    I submitted the proof to my police department and am currently directing a complaint to the Federal bank regulators (OCC) against Chase Bank. Who knows if the bank regulators take anything seriously. I know Chase Bank does not.
  • tonytonytony
    This is the scariest thing about self-driving cars, or any car that can be updated through a network. Until they can figure out a way to keep things secure, it seems like you could be driving along and all of a sudden the car takes a hard right at 80 mph and you're done for.