What's worse than disclosing that a hack on your website potentially compromised the personal information of 500 million of your users? How about disclosing three months later that a separate and earlier hack affected twice as many users?
That's where Yahoo finds itself, after announcing that a 2013 hack affected over 1 billion accounts. Compromised information includes names, dates of birth, telephone numbers, e-mail addresses, encrypted passwords and security questions and answers (encrypted and unencrypted). It's not clear how many Yahoo accounts past or present were compromised by both attacks, but it seems certain that the majority of people holding Yahoo accounts have been affected by at least one of the attacks.
This time, Yahoo is forcing all users that were affected by breaches to change passwords. The company is also invalidating security questions that were unencrypted. If you ever had a Yahoo account, you should assume your information has been compromised and take the same steps.
What else should you do to protect yourself? The first rule is to reset any other passwords and encryption questions that were similar to the ones used on Yahoo accounts. Financial, shopping, and travel accounts are likely places for thieves to cash in using your stolen information.
Avoid recycling passwords, and change them often. Use passwords that are more random, yet easy to remember. One useful trick is to weave allowed non-alphanumeric characters into phrases, such as "P!A!S!S!W#O#R%D%". You can also use password managers, such as LastPass, that store your passwords in a database protected by a single master password.
Be careful with security questions that can be gleaned from other stolen information. For example, a thief who has your name and date of birth may be able to determine your place of birth or mother's maiden name through some simple searching and educated guesswork.
Use two-factor authentication anytime that is an option. Two-factor authentication requires a secondary, single-use code, typically sent to you in a text message, which you must enter online in order to log in.
Treat any suspicious e-mails very carefully. Thieves that have some of your information may mimic an e-mail from one of your existing accounts trying to gain more information. The angle may be to verify that your information is up to date, to request verification to prevent some negative event, or a similar pitch to make you believe the request is legitimate. If you can't determine if a request is real, contact the company by separate means — but do not use any phone numbers or similar contacts within the suspicious e-mail.
E-mails with attachments or links warrant extra scrutiny, especially if they appear to be from Yahoo. Yahoo will not ask you for personal information via e-mail.
In a scam alert issued by the Federal Trade Commission (FTC), Yahoo warned that their customer care team is not contactable by phone. Any phone numbers you might find online, allegedly connecting you to the Yahoo support team, are also fake.
Many credit card issuers and other financial services monitor accounts for unusual activity and issue fraud alerts and/or ask for verification before processing large transactions. You can protect your credit accounts further by applying either a fraud alert or a credit freeze on your credit report.
By placing a fraud alert with one of the three credit bureaus (Experian, Equifax, and TransUnion), you are requiring potential new creditors to verify your identity before issuing any new lines of credit. A credit freeze cuts off access to your credit report by creditors until you lift the freeze to open a legitimate new account. If you would like to monitor your credit to prevent identity theft and see your credit reports and scores, check out our credit monitoring service.
For those who are still concerned about fraudulent use of their information, identity theft prevention services like Credit Manager by MoneyTips can provide even further levels of protection for a given cost. You must balance the cost of extra security against your potential losses and the likelihood of their occurrence based on your habits.
Even though these steps are directed at Yahoo users, the same principles apply to users of any website, regardless of any evidence of information breaches. Take preventative action against fraudulent use of your personal information, and improve your peace of mind.
You can check your credit score and read your credit report for free within minutes using Credit Manager by MoneyTips.