Last Thursday, Sept 22, 2016, Yahoo announced that at least 500 million accounts were hacked. Since many of our clients and their users use Yahoo, we immediately posted an alert to social media and published a Security Bulletin.
Here’s what we know so far:
- Names, email addresses, phone numbers, dates of birth, and even security questions and answers may have been stolen.
- The attack probably goes back as far as 2014.
- Yahoo has publicly stated that a “state-sponsored actor” is responsible.
UPDATE: Some believe that hacker and dark web data peddler “Peace” is responsible, as last month they had posted for sale data from 200 million Yahoo users. But others feel that if the breach is state-sponsored, “Peace” is ruled out. Still others think the “state-sponsored actor” is just a scapegoat. Yahoo is currently non-committal on who is behind the hack. There is no specific indication as to which nation is being blamed for this.
- Yahoo Mail (250 million users)
- Yahoo Finance (81 million users)
- Yahoo Fantasy Sports (several million users)
- Flickr users linked to Yahoo IDs (113 million users)
The Good News: Fortunately, Tumblr is supposedly NOT affected.
The “Badder” News: If you use your Yahoo password for multiple accounts, hackers can and will search for access to your other accounts!
What to do!
- Reset passwords – Well…duh…but this should be taken care of!
- Invalidate security questions – Thankfully, Yahoo has provided a link for this when you log in. Log in now and you’ll see more details.
- Implement multi-factor authentication – Yahoo has several alternatives to improve your authentication.
We have some specific steps and links that we will be sending exclusively to our newsletter subscribers. If you’d like to sign up, please visit http://t2d.la/signup
Here’s our initial Security Bulletin on this: http://conta.cc/2d0DZvN
Finally, please check out why we’ve always advised clients to avoid free email services for business: Free Email Is No Bargain