Year of ‘Mega-Breaches’: 1 Billion Yahoo User Accounts Hacked

Hot on the heels of Yahoo announcing a data breach of 500 million user accounts in September, the company has announced that it has suffered another breach of one billion accounts. Yes, you read that correctly: one BILLION accounts.

As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed were Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

Yahoo believes that the information that was stolen consists of full names, email addresses, dates of birth, phone numbers, hashed passwords, and possibly security questions and answers as well. Luckily, Yahoo does not store credit card or any other payment information in the system that was affected.

2016 seems to be the year of the “mega-breach”: we have reported on eight major breaches involving well-known companies. Big data is big money for attackers, so they set their sights on companies that tend to hold large amounts of personally identifiable data on their customers, such as Social Security numbers, birthdates, home addresses and even medical records. It’s easy for a cybercrime victim to report credit card fraud and just get a new card number. When it comes to a Social Security number, though, you are bound to it for life. And Social Security numbers open the door to all sorts of identity theft.

What Yahoo is Doing to Protect Their Users

The company is currently identifying and notifying potentially affected users and instructing them to change their passwords immediately. In addition to notifying users, they are removing any unencrypted security questions and answers from the affected accounts so cybercriminals cannot use those answers to break into users' accounts.

It can be hard to keep track of dozens of complicated passwords for multiple websites; however, cybercriminals count on password reuse in order to gain access to other accounts. One way to get around the annoyance of having to remember all of those unique passwords is using a secure password manager, such as Norton Identity Safe.

Another great way to protect your account is to turn on two-step verification, if the service offers it. Two-step verification is a method of verifying your identity in addition to your username and password. Two-factor authentication asks you to provide one of the following things:

  • Something you know – a PIN, password or pattern.
  • Something you have – an ATM or credit card, mobile phone or security token such as a key fob or USB token.
  • Something you are – biometric authentication such as a voiceprint or fingerprint.
