Update (10/24/18): After a nearly 2-year lawsuit following its breach, Yahoo has agreed to pay a $50 million settlement to 200 million affected consumers in the U.S. and Israel. On top of the settlement, the search engine will cover as much as $35 million in lawyer fees pertaining to the case and offer two free years of credit monitoring services for those impacted, a $350 value. Some ad hoc compensation packages will exist for those who can prove direct losses due to the Yahoo data breach, including identity theft or tax fraud.
Update (10/9/17): In December 2016, it was reported that “more than 1 billion user accounts” may have been impacted by the 2013 Yahoo breach. Recent news, however, shows it was indeed more than 1 billion—much more. Four months after Verizon acquired Yahoo’s core internet assets, it was revealed that every single customer account was impacted by that breach; three billion Yahoo accounts—including email, Tumblr, Fantasy, and Flickr—were stolen. Even after thorough investigations, it is still unknown who was behind the 2013 Yahoo breach.
Remember in September when we told you about a 2014 breach at Yahoo that affected approximately 500 million accounts? Well, get ready for a bit of déjà vu, because it happened again — and it’s even bigger than before. On December 14, Yahoo revealed the discovery of a breach that happened in August 2013 and may have resulted in the theft of data from more than one billion user accounts. They found the breach while reviewing data provided to the company by law enforcement. If all of this is true, this is the largest breach in history.
Although the news of this breach is a huge announcement, Yahoo isn’t giving out much information about what happened. The company thinks the breach is “likely” distinct from the one that was reported in September, and it hasn’t figured out who is responsible or how the attackers were able to hack into its systems. Yahoo says the stolen information “may have included” names, e-mail addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. The company did, however, add that payment-card data and bank account information weren’t stored in the system it thinks was breached.
Yahoo is notifying all potentially affected users and taking steps to secure their accounts. The company is requiring those users to change their passwords, and they’ve also invalidated unencrypted security questions and answers so they can’t be used to get into an account. Yahoo is encouraging all users to follow these security recommendations:
- Change your password and security questions and answers not just on your Yahoo account, but any other accounts you have that use similar information. For example, if you use your Yahoo e-mail password as your password for Facebook, online banking, or other accounts, change the password everywhere to be safe.
- Review all of your accounts regularly and look for suspicious activity.
- Think twice before responding to or clicking on unsolicited communications that ask for personal information or refer you to a webpage that asks for personal info.
- Don’t click on links or download attachments from suspicious e-mails.
The company also says it’s smart to monitor your credit reports and/or place a fraud alert on your credit profile, but they aren’t offering any assistance or identity theft services to help you. If you think you were affected by this monumental Yahoo data breach, you may want to consider investing in identity theft protection with IdentityForce. We’ll monitor your personal information 24/7 so that if someone does try to use it illegally, we can notify you immediately and try to prevent the damage before it occurs. And, if someone is successful in stealing your identity, we will handle the entire restoration process for you.
New details about this breach will likely emerge in the coming weeks and months, especially regarding who is responsible and how they did it. It appears that Yahoo has not been as concerned about security as it should have been, so hopefully it will prioritize the safety of its users moving forward.