The Yahoo hack FAQ


Was my account hacked?

Well, 500 million users were affected out of 1 billion active users, so chances are 1 in 2 that it was. But you will get an email from Yahoo at some point if you were definitely affected.

What should I do now?

Log in with your current details, change your password to a strong, unique one and enable two-factor/multi-step authentication so that you have to receive a text (SMS) or email to log in next time.

Anything else?

Yes, you should disable security questions on your account, as the answers may have been stolen and could be used to break in. Also, if you used the same Q&A on other sites, then I’d recommend changing or disabling those. Hopefully, you didn’t actually answer truthfully, so the Yahoo hackers don’t now know your mother’s maiden name or that of your first pet.

What data was stolen by the hackers?

Users’ personal data, birthdays and phone numbers, including unencrypted answers to secret account recovery questions (change those too and don’t use your actual pet’s name or mother’s maiden name, they’re easy for hackers to find out from Facebook etc!), but apparently not credit card details.

Did the hackers get my password?

If your account is one of the unlucky half a billion, then the hackers got a “hashed”, or scrambled, version of your password. Hashed passwords have random letters and numbers added to them to disguise the password. It’s very difficult to work out what this random data is and so recover the actual password.

What about my logins for other sites?

As long as you didn’t use the same password as your Yahoo login, you should be fine. If you did, change the password on those accounts too to a unique, strong password.

Who were the hackers?

Yahoo says it doesn’t know for sure but suspects state-sponsored hackers. That is looking increasingly unlikely, though; it was more likely a crook hoping to grab data to sell from your Yahoo mail, chats, Flickr photos, Tumblr blog etc.

Either way, should I worry?

Yes, be wary of unsolicited emails, phone calls and even snail mail that include unexpected personal details, such as your birthday and phone number. They could be trying to trick you into clicking a dangerous link or to get hold of your bank and other details. Yahoo will not send out emails with links, so any email that claims to be a security alert from them and has links will most likely be a “phishing” attack.

Is this the biggest hack ever?

At least 500 million accounts have been compromised, which is more than the MySpace breach earlier this year, which involved 360 million user accounts, and far more than the LinkedIn hack of 2012 (117 million users), so yes.

When did the hack take place?

The attack is thought to have occurred two years ago.

If the hack happened two years ago, why is it in the news only now?

Yahoo had suspicions just two months ago when a hacker called Peace was offering to sell data on 200 million of its users on the dark web, but it is only now that they have verified that a security breach actually took place at the end of 2014.

Could Yahoo have prevented this attack from happening?

It’s very difficult to keep one step ahead of very clever people with malicious intent. So, maybe not. However, they left some personal details unencrypted, which is bad practice and may ultimately expose millions of their users to future problems if their accounts were among those compromised. Moreover, they really did take their eye off the ball if they’ve only just noticed an intrusion that happened all that time ago.

Isn’t Yahoo irrelevant in today’s internet?

In some sense, yes. The glory days of it being the top search engine, long before Google came along, are long gone. But it still has a billion active users, and that’s a lot of email accounts and personal details that may well have been compromised. Also, if you have a Flickr photo account, that’s Yahoo too, as is your Tumblr!

What’s Yahoo doing about this hack now?

Who knows? Presumably, they are shutting the barn door, despite the horse having long since bolted, had a good run around and been put out to pasture.

Put out to pasture?

Yes, you know? Like you do with an old horse that’s totally useless, long past its prime, way beyond its use-by date, like a saggy old search engine…