Yahoo has admitted that personal information from at least 500 million user accounts has been stolen, in what may be the largest-ever publicly-announced data breach. If you think you may have been affected you should urgently change your password - here's what else you can do to protect yourself from this and other high-profile hacks.
The internet giant claims a "state-sponsored actor" is responsible for the hack, which occurred in late 2014. It says the stolen information included names, email addresses, telephone numbers, dates of birth, 'hashed' passwords (ie, scrambled with a one-way function rather than stored as plain text) and security questions and answers. Full passwords, payment card data and bank account info weren't targeted.
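The distinction between a hashed and an encrypted password matters for what you should do next. A hash cannot be turned back into the password, but a weak or reused password can still be guessed against it, which is why changing it everywhere it was used is the right response. The following is an added illustration, not code from the article or from Yahoo: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for whatever scheme Yahoo actually used (the article does not say), and the iteration count and sample passwords are constructed values.

```python
"""Added example: what a 'hashed' password is, and why it is not 'encrypted'.

A password hash is one-way. The site can check a login attempt against it,
but nobody, the site included, can recover the password from the stored
value. A per-user random salt makes each stored value unique, so two users
who chose the same password do not share a hash and a leaked dataset cannot
be attacked in bulk with a single precomputed table.

Assumption: PBKDF2-HMAC-SHA256 stands in for the real scheme, which the
article does not name. ITERATIONS is a constructed value.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # constructed value; production tunes this to hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex', the form a site would store."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password: str) -> bool:
    """True when two independent hashes of the same password are different."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print("stored value:", stored)
    print("right password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", stored))
    print("same password, different stored values:", salted_hashes_differ("hunter2"))
```

Note that `verify_password` only ever recomputes and compares; there is no function that goes from the stored value back to the password, which is the whole point of hashing rather than encrypting.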
How do I know if I've been hacked?
Yahoo says it's now notifying users who may have been affected by email. However because of the scale of the hack, it's probably safest to assume that if you had a Yahoo account in 2014 it may have been compromised, and to take action to protect yourself accordingly.
If you want to be sure the email you've received is definitely from Yahoo, it's helpfully published the email contents.
The HaveIBeenPwned? website allows you to check if an email address has been compromised in a number of large-scale hacks, including major breaches at LinkedIn and Myspace, and more recently Dropbox.
So far the details of the accounts involved haven't surfaced, and according to HaveIBeenPwned? creator Troy Hunt, we might never see them. Usually the data is made public so the hackers can make money out of it, but because this is rumoured to be a state-sponsored hack there may be less incentive to release the data publicly.
Commenting on the data breach Troy Hunt said:
"All the same usual good practices apply: create strong unique passwords (preferably with a password manager like 1Password) and turn on multi step verification. Do it on all your online assets too, not just Yahoo."
A password manager can help you keep track of all your passwords. 1Password has a free version and good ratings – or see Martin's Password help blog for more options. See full info on how to use HaveIBeenPwned? in Hack check help.
What should I do to protect myself?
Yahoo says that anyone who's affected or believes they could be should immediately change their password and security questions and answers.
Crucially, you should do this not just for your Yahoo account but for any other accounts you have which may have used the same info - a big risk with this kind of data breach is that hackers could use personal data from the hacked account to access your other accounts.
A list of security tips published by Yahoo also urges users to:
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Yahoo says it has invalidated unencrypted security questions and answers so they can no longer be used to access your account.
Yahoo has also suggested using Yahoo Account Key to avoid having a password altogether. It works by linking your Yahoo account with your mobile phone: when you sign in you only need to enter your username, Yahoo sends a notification to your phone, and you approve the login from there.
Yahoo has said that no one's bank details have been compromised in the hack, but if you want to be absolutely certain you should take a good look at your account statements and check your credit file to make sure there's been no fraudulent activity on any of your accounts.
Find out how to check your credit file for free in our Credit Report guide.
What does Yahoo say?
Bob Lord, Yahoo's chief information security officer, said: "An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.
"Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
Additional reporting by the Press Association.