Massive Yahoo Account Breach
Learn about the recent account breach and what to do if you were impacted.
Incident snapshot
Breach Date: Late 2014
Announcement Date: 22 September 2016
Impacted Users: 500 Million
Root Cause: State-sponsored actor
Data Compromised:
- Names
- Email addresses
- Telephone numbers
- Date of birth
- Hashed passwords (?)
- Security questions/answers (unencrypted)
500 million Yahoo accounts exposed in late 2014
On September 22, 2016, CNN and several other news outlets reported that almost 500 million Yahoo email accounts had been compromised, including passwords and security questions/answers. The breach itself happened in late 2014, but Yahoo waited until September 2016 to let the public know.
While it is generally unusual for technology companies to delay important security announcements for years, the delay most likely had to do with the fact that Yahoo was preparing its inevitable sale to Verizon for $4.8 billion in July of 2016. The sale is still pending approval from regulators, and the NY Post reported that Verizon is looking for a discount - perhaps even a way out of the transaction entirely. Ultimately, this is extremely bad for the company's reputation, especially as the highly followed CEO Marissa Mayer was working on turnaround efforts for the company.
What to do if your Yahoo account was compromised
If your account was impacted, there are some immediate steps you should take to secure your account and make sure that the damage doesn't bleed into other important accounts (such as Facebook or online banking). Ultius informed customers via email with similar recommendations, and we wanted to share them with the rest of the public.
Find out if you were impacted
To find out if your account was impacted, please visit haveibeenpwned.com and enter your email address. This tool will let you know if your email has been associated with any security breach, not just the one that happened with Yahoo.
My account was impacted! What do I do?
If your account was impacted, please follow the steps below.
Step 1: Change your Yahoo password
According to Yahoo's KB article on changing your password, you should:
- (1) Log into the Yahoo service. You can also access it from the home page, as shown in the images below.
- (2) Click Account Security > Change Password
- (3) Type in your new password
- (4) Click "Continue"
When choosing a new password, make sure to follow these best practices:
- Never reuse passwords
- Use a strong password
- Consider using a password generator
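As an added illustration of the "strong password" and "password generator" advice above (this is example code written for this guide, not a tool Yahoo or Ultius provides), the following Python script draws every character from the operating system's cryptographic random source via the `secrets` module, guarantees at least one character from each class, and also offers a word-based passphrase. The character classes and the small word list are assumptions made for the example; a real passphrase generator would use a large published word list.

```python
import math
import secrets
import string

# Character classes the generated password draws from. These are an assumption
# made for this example; the page does not state Yahoo's own password rules.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALL_CHARS = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Small constructed word list for the passphrase variant (a real generator
# would use a large list such as the EFF diceware list).
SAMPLE_WORDS = ("anchor", "basket", "copper", "dragon", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "marble", "nickel", "orbit", "pepper", "quartz", "ribbon")


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), containing at least one
    character from every class, with the positions shuffled afterwards."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)  # same CSPRNG, so the order is unpredictable
    return "".join(chars)


def generate_passphrase(words=SAMPLE_WORDS, count: int = 5, sep: str = "-") -> str:
    """Random passphrase: `count` words drawn independently (with replacement)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from an alphabet of the
    given size (the per-class guarantee above lowers this very slightly)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "~%.0f bits" % entropy_bits(len(ALL_CHARS), len(pw)))
    pp = generate_passphrase()
    print(pp, "~%.0f bits" % entropy_bits(len(SAMPLE_WORDS), 5))
```

Never use Python's `random` module for this: it is a statistical generator, not a cryptographic one, and its output can be predicted from a few observed values. A 20-character password from an 85-symbol alphabet is roughly 128 bits of entropy, which is why a generator plus a password manager beats anything a person would memorise.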
Step 2: Set up security questions and two-factor authentication
While you're changing your Yahoo password, we strongly recommend that you set up really strong and personal security questions as well as two-factor authentication.
- Security questions: Security questions are used to verify your account if unusual activity is detected. Make sure to store these in a safe place.
- Two-Factor Authentication: Two-step verification adds an additional layer of security to your account by prompting you to enter a code sent to your mobile device (through SMS or an authenticator application).
Once you have completed these steps, there are some other important things to do in order to stay secure.
Step 3: Change the passwords of any accounts that used that previous password
Any account that reused that password is also at risk. At the very least, make sure to change reused passwords for the following important account types:
- Online banking
- Social media sites like Facebook and Twitter
- Anything that involves payment data or social security numbers (PayPal, government sites)
Step 4: Change your Ultius account password
If you have an Ultius account, please follow the steps below to change your password.
- (1) Log into your Ultius account
- (2) Click Profile from the main menu
- (3) Click Edit Profile on the bottom-right of the screen
- (4) Update your passwords
- (5) Click Update Profile at the bottom-right of your screen to finalize the change.
Now that you have secured your accounts and set up some additional security, keep reading for a few more measures worth considering.
Other things you can do to protect your security
Yes, now is a great time to brush up on your security best practices. After all, we have previously written about online privacy and are familiar with the body of knowledge. Consider the options below:
- Get a password manager. We recommend using Dashlane. We use it internally at Ultius and there is a free version available for consumers (like you)
- Consider updating all of your passwords regularly, especially the ones that you have reused. Once every six months is a sufficient frequency
- Consider changing your email account to one that has a stronger track record of security, such as Gmail by Google or Outlook by Microsoft
- Consider setting up two-factor authentication on all of your important accounts (like online banking). This is an added layer of security that will help prevent unauthorized users from accessing your account without authentication from your phone
- When logging into your email, make sure that your connection is encrypted. Look for HTTPS in the URL box of your browser. It should be in green and look like this
- Never click strange links while reading emails. If you see a suspicious link, use scanURL to see if it's malicious
Lastly, don't forget to share this guide with your friends, family and co-workers so that they can stay safe too.