Yahoo announced on Thursday that it believes information associated with at least 500 million user accounts was stolen by a “state-sponsored actor” at the end of 2014.
Cyber security experts believe that this was the largest-known breach of user accounts. Russian hackers are suspected of being behind the breach.
More users were reportedly impacted in this one incident than in all of last year, according to the 2016 Internet Security Threat Report produced by security company Symantec.
Since the announcement of the breach, two lawsuits have been filed against the company, both in California, alleging that it was negligent in securing users’ personal information.
What was taken?
The stolen information could include names, email addresses, dates of birth, telephone numbers, password information and possibly the question-answer combinations for security questions, which are often used to reset passwords, said Yahoo in a statement.
However, Yahoo said that the passwords that were compromised were hashed, a way of encrypting data.
The stolen information did not include unprotected passwords, payment card data or bank account information, according to Yahoo.
“Unfortunately there is information being stolen every day and this is not a unique event, but it’s adding to the long list of compromises that have been out there,” said Jeff Greene, director of government affairs for North America at Symantec.
What are the risks?
Hackers may attempt to log directly into a Yahoo account, but they could also use the information to try to get into someone’s other accounts, according to security experts.
“If your primary email address is compromised, so much of the rest of your digital life flows from that,” said Morgan Reed, executive director of ACT, which represents app and tech companies.
When it comes to stolen passwords, the “good news” is that the passwords were encrypted, said Reed.
The bad news is that the one entity that has the resources to break encryption is a state actor, he added.
Criminals can also come out of the woodwork to use this as an opportunity to take advantage of consumers, said Greene. People may receive bogus emails to reset accounts and click on links.
“It’s like after a storm, there will be all these fake requests for money,” said Greene.
There is also a future risk. The data may be stored and used for an attack down the road. The hackers themselves may not even know the potential of the information yet.
“There’s the short game, the immediate compromise, and there’s the long game,” he said.
What can you do?
Change your password. Yahoo recommends “that users who haven’t changed their passwords since 2014 do so,” the company said in its statement. Cyber security experts say this is the necessary first step.
Security experts also recommend signing up for “two-factor authentication,” making sure passwords are complex and unique, and making sure all software is up to date and patched.
Use different passwords on different accounts, according to cyber experts who spoke with ABC News.
“Far too many Americans use the same password for different services,” said Reed.
However, a new Consumer Reports report, which compiled 66 expert tips, found that it’s better to keep the same password and be “password loyal,” unless there is a breach.
Be aware of unusual activity. Look for unusual friend requests, requests to reset a password and anything out of the ordinary.
“If you do all of these things, you are going to stop the vast majority of the attacks,” said Greene.