On December 14, 2016, Yahoo Inc. announced that they were the subject of a data breach that occurred in August 2013, affecting more than one billion user accounts. This breach is believed to be separate from the one announced in September 2016 that affected 500 million user accounts. Yahoo’s latest breach has compromised users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, unencrypted security questions and answers.
December 16 update
Announced: December 14, 2016
Description of the breach: On December 14, 2016 Yahoo! announced that approximately 1 billion of their users had their personal data compromised by an unknown third party, making this the largest data breach in history. This breach is separate from the breach announced in September 2016 which affected a reported 500 million accounts.
Personal information compromised by this breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases encrypted and unencrypted answers to security questions.
Yahoo! has advised all users to immediately change their passwords as well as the passwords of any accounts where they may have re-used their compromised Yahoo! login credentials and/or password reset questions.
Affected users should be cautious of any unsolicited communications from a source claiming to be Yahoo! or any “help center,” as hackers tend to use the information from large data breaches in phishing scams to lure individuals into clicking dangerous links, or to convince consumers to give up additional private information. Yahoo! is reminding all users that they will not send out any emails asking users for personal information or to click on links or attachments. Any emails purporting to be from Yahoo! that ask for personal information or that ask you to click on a link or attachment are most likely a part of a phishing scam and should be immediately deleted.
Data breach period: August 2013
Official information from Yahoo: Available here
More coverage of this breach: New York Times
Announced: September 22, 2016
Description of the breach: On September 22, 2016, Yahoo announced that at least 500 million of their users had their account information compromised in a state-sponsored hack that occurred in late 2014. Tumblr, a social media website owned by Yahoo, was not affected in the breach.
Users who have not changed their password and security questions since 2014 are being advised to do so immediately. In addition, Yahoo is advising all users to be cautious of any unsolicited communications from a source claiming to be Yahoo or any “help center,” as hackers tend to use the information from large data breaches in phishing scams to lure individuals into clicking dangerous links, or to convince consumers to give up private information. Yahoo is also reminding users that the company never charges for technical support, and anyone charging a fee for help related to this breach is most likely a fraud.
Because many consumers reuse their passwords across multiple sites, their accounts on other sites are likely susceptible to hacking if the account holder uses the same login/password combination elsewhere. If you reuse your Yahoo password or suspect you may have, it is advisable that you change your passwords on those accounts immediately.
Data breach period: Late 2014
Official information from Yahoo: https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
Yahoo Q&A regarding the breach: https://help.yahoo.com/kb/account/SLN27925.html?impressions=true