Yahoo said Thursday at least 500 million user accounts were affected by the data breach, in which names, emails, passwords, telephone numbers and answers to security questions were stolen.
So, what steps should you take if you have a Yahoo account?
1. Change Yahoo passwords
“If you are, or were, a user of any Yahoo accounts or their photo sharing site known as Flickr, you should change your password immediately,” said Ken Colburn, of Data Doctors.
“Even though the Yahoo hack was reported to have occurred in 2014, the compromised information is actively circulating in the internet’s underground right now.”
CBS News Technology Analyst Larry Magid said former users of Yahoo should still change their passwords.
“Somebody can use your account to send spam to other people, so you don’t want anybody committing crimes in your name,” Magid said.
2. Change non-Yahoo passwords
“Make sure you not only change it on Yahoo, but if you use the same password on any other site, which you shouldn’t do, but many people do, go ahead and change your passwords across the board and try to make them unique,” said Magid. “Use a phrase that’s easy for you to remember, and hard for other people to guess.”
“Use something like ‘I met my wife Susan in Long Beach in 87,’ and just use capitals, where they’re appropriate, and number symbols,” said Magid. “That will be gibberish to anybody but you.”
Colburn agreed users who only change Yahoo passwords aren’t protecting themselves, or others.
“If you use the same username and password on any other site it’s critical that you change those as well,” Colburn said. “Cyberthieves routinely use automated processes that attempt to use stolen passwords on thousands of other major websites, because they know that so many users use the same password on many sites.”
3. Change security questions
“You should also update the security questions that are used to help you get back into your account if you forget your password,” said Colburn.
Attackers can use the information taken from Yahoo security questions to get access to other online accounts.
4. Use two-factor authentication
“Another critically important step to help secure any of your online accounts, not just Yahoo, is to activate two-factor authentication,” said Colburn.
“By adding the extra layer of security, even if someone ends up with your password, they won’t be able to get in without having the special code that gets sent to your smartphone,” Colburn said.
Yahoo offers a service called Account Key, which eliminates the need to remember passwords. Users receive a notification on their smartphones, and can sign in with a tap.
5. Avoid fake Yahoo emails and alerts
Colburn said hackers will attempt to capitalize on fear generated by news of the Yahoo breach.
“Be on the lookout for fake email alerts claiming to be from Yahoo with links to update your password,” said Colburn. “Never click on the link in any message, even if you think it’s legitimate, just go to Yahoo’s website yourself and make the changes.”