Update your Password NOW – Yahoo! Confirms Data Breach of 500 Million Accounts

Updated September 27, 2016

Yahoo! has reported a data breach which has exposed possibly 500 million user accounts to hackers. Here’s what happened and what action you need to take right now!

Once mighty technology giant, Yahoo! known for its popular webmail, portal, and directory services; confirmed a breach of possibly 500 million accounts.

Important! – Before creating any new passwords, please read this article on How to Create an Easy to Remember, Strong Password.
Stop what you’re doing right now, and change all your Yahoo! account passwords.
Hopefully…. you didn’t re-use any passwords from Yahoo! however, if you did, be sure to go change any other account online which might have the same password as your Yahoo! account. Be sure also to audit all your other online accounts which use the same password as your Yahoo! account.
I know you’ve already done this but… as a reminder… PLEASE Enable Two-Factor Authentication for all your online accounts today!
Another important thing to mention is to not answer those “three security questions with real answers”. For example, mother’s maiden name, first girlfriend, your pet’s name. If you use the same answers on every site, it is easy for a hacker to figure out all of your accounts. In fact, you shouldn’t even to answer these questions with the real truth. My advice, use fake answers and store them in a Password safe like 1Password, our favorite password safe app.
Why are you still reading this? Go change your passwords!!!

500 Million Yahoo Accounts Compromised

In a public statement on the company’s official Tumblr page; the Sunnyvale, California company confirmed user account information was stolen from the network in 2014.

We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter. Source

Yahoo is advising users to update their accounts now. The process is quick and easy; the network has simplified the process to update your information. Just head on over to the sign in page, log in with your existing email address and password.

You will be asked to secure your account, click the button Yes, secure my account button.

Enter your new password then confirm it.

That’s it! Just as a precaution, you might want to update or change your credentials if you use your Yahoo! account to sign into services. I was using my Yahoo address to sign into Facebook, so I made sure to update it.

Years of failed leadership and lack of a strategy to compete with Google, Facebook, Twitter and Microsoft has destroyed the company to the point that most of its assets are being sold to Verizon for a mere 5 billion…. that is unless Verizon pulls out based on this latest breach. Honestly, this data breach is likely to be the final nail in the coffin for this once great Internet Corp.

What do you think? Will you be moving your account to a new service? Would love to hear your thoughts about Yahoo! and this latest data breach in the comments below.

10 Comments

Jerrix
September 23, 2016 at 5:57 pm
It took them two years to tell all about it? Glad I don’t use Yahoo! Yahoo!!
Reply
- Steve Krause
  September 23, 2016 at 7:43 pm
  According to some sources, it appears Yahoo wasn’t aware of the hack until July 2016… apparently not until AFTER the deal was signed by Verizon to acquire them.
  Still… why did it take two months for Yahoo and Verizon to notify their customers. For me, that’s unacceptable. Granted, I’m sure the time was spent on damage control and working with attorneys to figure out liability and how best to go public. Still… two/three months is not OK.
  Reply
Adam D. Shorbagy
September 23, 2016 at 6:01 pm
I deleted my last Yahoo Email today. This is sucks and I had enough.
Reply
Andre Da Costa
September 23, 2016 at 10:09 pm
I mostly using my Yahoo! account as a spam account, but I was using the address to sign into a social network. Changed that immediately.
Reply
- Hardeep
  September 24, 2016 at 5:32 am
  Make sure somebody not uses your yahoo account for spamming ;)
  Because your account maybe also in the list of 500 Million Accounts
  Reply
holdum333
September 23, 2016 at 10:35 pm
IMHO The internet is becoming a cesspool. These are very serious times my friends, and we need each other to protect us from the bad guys! There is a big fight between the good guys and the bad guys. I’m with the good guys! There are so many things that I don’t know and I use these kind of sites to keep me informed.
Thanks Andre Da Costa for your great blogs!
Gary!
Reply
James
September 24, 2016 at 9:19 am
HEADLINE for the post should surely be:
CHANGE YOUR YAHOO ACCOUNT password 2 YEARS AGO!
And
DO NOT use the same password for a mix of account types
If you must use the same password for multiple accounts-
Then
Keep your banking and money management accounts separate all others
Have special accounts and passwords for browsing,
Keep them separate from your main email.
And keep your main email account separate from the rest of your social interaction accounts.
And – for good passwords –
have a phrase you can remember – and use letters from that
as you will not be writing that phrase down, or telling any one what it is, you can write down clues to yourself – as in
start at character, select every ‘n’ th character and how many characteers to use
Make that more complex by having a usual set of characters you include in most of those passwords –
that set including at least 1 capital, 1 numeric and 5 lowercase
so – maybe every password includes “Clo3t” and ends with some characters from “I8Yahoodotheyannoyu2.”
You could also use some characters from the date – but remember ‘scans’ will look for short and full month and year entries.
The basic technique is to have a means of remembering set of passwords that you can change.
And – considering the time taken for the problem to be made public, keep some separation of your activities logons
Reply
- Steve Krause
  September 24, 2016 at 9:54 am
  All great tips James. Thanks for the comment.
  I wrote an article a few years back here on gP yet it’s still relevant. Will perhaps update and republish here on the site.
  https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/
  Reply
Jan
September 24, 2016 at 10:06 am
James, I appreciate all the good advice and want to follow it. But what do you mean by “keep some separation of your activities logons”? Do you simply mean that we should use different passwords for different activities, or do you mean something else? If so, would you please tell how to do it, if it involves finding a logon list somewhere, for instance.
Reply
James
September 24, 2016 at 4:24 pm
Yes – by “separation” I do mean different passwords for them –
So someone noting you type in your system logon password, and then your email password will not get access to your bank account using those passwords.
And – if hackers get 1 services logon and password, that will not be the same, or even very similar to your other ones – especially those accessing your money – or even other’s money –
You’ll get the blame if it’s your id used to clear out the nursery school petty cash for snacks account – whatever.
Re logon list –
Well, I have a list for my logons – it goes along the lines of:
11,3,5 Current
12,3,6 Savings
16,2,5 ISA
2,1,5 forums
1,2,5 email
1,2,4 ISP
Note the separation of Forum’s and email characters from the money access ones –
So if someone gets the forum values – they do not get the banking ones
And – the browsing etc. are via my ISP account so I have to enter them for all online access
So they are definitely NOT extending into the money password characters.
Email accounts – if you have many for anti-spam, or spam source identification purposes, passwords can be just another character on the end – as in
1,2,5,8
Similarly for forums where there is no money or personal details available – just your ability to post messages.
Remembering others may get the list, but it is really just as a reminder to you, and to use it the phrase is needed! – as is the meaning of any extra entries you use – such as – in the above, 8 could be 8th in the phrase, the number 8, or the 8th letter of the alphabet (English A-Z or Greek, etc.) or a 2 number code for the character (row and across) on the keyboard.
It’s up to you to work out a meaning for the clues to you that you write down.
And remember – you may, at any time, need to change the passwords for your access – such as if your bank, or YAHOO admit their system has been hacked!
And you do NOT want to have to change the password for all your online access.
You should also consider – for passwords and for backup – Your system, and all the backups may be stolen – or your home destroyed – so keep a record somewhere you should be able to get them back from – certainly, you’ll probably need a password to get at any online (Cloud) backups.
So – read through the thread posted by Steve, and, yes – it is addressed in another thread, – but…
When creating backups – you need to consider what disaster you would be recovering from!
Reply