Yahoo’s bombshell revelation that some 500 million of its email accounts have been compromised by a state-sponsored hack shows that no online service — no matter how big — is safe from attacks.
If you’ve had a Yahoo email address since 2014, or if you have an old one you haven’t used in a while, you could be affected by the recent breach. But even if you’re living Yahoo-free, you’re still at risk from similar attacks on online accounts.
“The trends of the past few years show us that the bad guys are certainly able to penetrate sophisticated, well-equipped enterprises,” Mark McArdle, chief technology officer at the Cambridge, Ont.-based cybersecurity firm eSentire, said. “Just because you have a large, Fortune 500 logo does not mean that you are somehow immune from these types of breaches.”
Here’s what you need to do to protect yourself.
Find out if you were hacked
According to CNET, Yahoo has one billion active monthly users on its services, and 225 million monthly active users for Yahoo Mail. So there’s a chance that even if you don’t use Yahoo as your primary email, you have an account lying dormant somewhere.
So whether Yahoo is your main email, a backup or something you signed up for to get access to another Yahoo service, check your Yahoo Mail account right now, because that’s how the company is notifying users they’ve been targeted.
What’s more, your email doesn’t have to end in @yahoo.com to have been a target. In Canada, for example, people with email service through Rogers Communications could be affected, as Rogers emails are powered by Yahoo.
Neither Yahoo nor Rogers would give a breakdown of how many Rogers customers were hit by the hack, but Rogers says no account or credit card numbers were compromised.
“We take our customers’ privacy seriously and are in contact with Yahoo as they continue their investigation and determine next steps,” Rogers said.
Change your password
Yahoo also is recommending that all users change their passwords if they haven’t done so since 2014.
The stolen passwords were encrypted, but a dedicated hacker can get through that — especially if you use something weak like “passw0rd” or “12345.”
If you use your Yahoo password on other sites, change those too — and make them different from your new Yahoo password.
While you’re at it, change up your security questions. Yahoo says the questions and the answers were compromised in the breach. If you tend to use the same security questions across multiple sites, change them everywhere.
Change all passwords regularly
In fact, whether you have a Yahoo account or not, it’s a good idea to switch up your passwords regularly.
And no matter how convenient it may be, do not recycle your passwords. You’re just making it easier for hackers to do widespread damage.
“Not using the same password in multiple places is just good hygienic internet practice,” McArdle said.
Obviously, managing dozens of passwords or more can be unwieldy. That’s why McArdle recommends installing password manager software like 1Password or LastPass.
These generate strong passwords for all your accounts and store them securely, so you only have to remember one, albeit complicated, master password.
Enable 2-step verification
If the service you’re using has two-step verification — and Yahoo does — turn it on.
This adds a second method of authenticating your identity after you type in a password, usually by sending you a code through a text message or an app.
“For a hacker, having a username and a password is all you really need when there’s no two-factor authentication,” McArdle said. “Everyone should be switching two-factor authentication wherever it’s available.”
And if you’re using a service that doesn’t offer two-step, McArdle says you should demand it.
Beware of grifters
The Yahoo hack has a lot of people talking and panicking, and cybercriminals will use that against you.
“Whenever there has been a big event in the media… a hacker has tried to take advantage of that and use either the excitement or the concern around those events to trick users,” McArdle said.
Be on the lookout for fake emails purporting to be from Yahoo or another service warning you about security problems and asking for your information.
“Be suspicious of any links you see,” McArdle said. “The bad guys are really on to this trick.”