Yahoo has confirmed that it suffered a massive data breach, saying its investigation into the matter reported in August has revealed that at least 500 million user accounts are affected. The hack and subsequent data theft took place in late 2014; the company, per its investigation, says it believes a state-sponsored actor was responsible. The potentially exposed data is extensive, including things like user email addresses, names, birth dates, hashed passwords, phone numbers, and possibly security questions/answers of both the unencrypted and encrypted varieties.
Yahoo’s investigation is still ongoing. Currently, the company doesn’t believe things like plain text passwords, bank information, or bank card data were taken, as the payment data was not stored in the breached system. Yahoo also says that, according to the evidence it has amassed so far, whoever this alleged state-sponsored actor is no longer has access to the Yahoo network.
If your Yahoo account is one of the 500 million breached accounts, you can expect to get a notification from Yahoo soon about it. Of course, it is time to change your password — do so ASAP, especially if you haven’t changed your password since 2014. The company has already invalidated unencrypted security questions/answers, one element of data that may have been stolen, so you won’t be able to use those, but neither will any potential ne’er-do-well.
If you haven’t already, this would be a good time to ditch your Yahoo account password entirely and use the Yahoo Account Key instead.
If you have accounts (outside of Yahoo) set up with the same or similar data, you should change those, as well. Yahoo is encouraging its users to review their Yahoo accounts for any signs of suspicious activity, and advises that users should avoid clicking links and downloading attachments from any emails or unsolicited communications that seek personal data.
Yahoo has a new account security page with an extensive FAQ for those hit by the data breach.