December 15th, 2016
*UPDATE* Another Billion User Accounts Breached
In September Yahoo! reported a data breach of 500 million user accounts that occurred in 2014. As Yahoo conducted further investigations, they identified a separate incident in August 2013 that led to another breach of one billion user accounts. Although these two incidents appear to be separate, Yahoo's forensic investigators have found evidence connecting the state-sponsored actor believed to be behind the 2014 breach with the 2013 breach. In both cases, the information stolen from the user accounts included name, email, telephone number, date of birth, hashed password, and both encrypted and unencrypted security questions and answers. Yahoo's CISO, Bob Lord, states that "the stolen information did not include passwords in clear text, payment card data, or bank account information."
For more information, here is a statement from Yahoo's CISO, Bob Lord.
Note: All of the recommendations we gave below continue to apply.
September 22nd, 2016
What's the issue?
Yahoo! has confirmed that they had a security breach in 2014 in which the account information of over 500 million users was stolen. Their investigation has revealed information that leads them to believe that the attacker was a state-sponsored actor, meaning a government organization either carried out the attack itself or hired a hacker to obtain information from its target. According to Yahoo, the user account information that was stolen includes "names, email address, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers." Yahoo has also reported that no payment or bank account information was affected by this breach, as that data was stored on a different system.
What does this mean to me?
At this time, Yahoo! has notified affected users of the breach by email and has provided steps to secure their accounts. Be aware that other cybercriminals may take this opportunity to create phishing emails that look like a Yahoo! issued email about this breach. Yahoo! has released a copy of their email notice, which you can see here; it clearly states that Yahoo does not ask you to open any attachments or click on any links, and does not request your personal information in the email.
What should I do?
If you have a Yahoo account, whether or not you received an email notification from Yahoo, we suggest that you reset the password for your Yahoo account as well as for any other accounts that use the same or a similar password. You should also reset your security questions for any accounts that use the same security questions as your Yahoo account. In addition, consider setting up two-step verification for your Yahoo account, or try using a simple authentication tool called Yahoo Account Key to eliminate the use of passwords. For more information, please visit Yahoo's Account Security Issue FAQs page.
Yahoo's Account Security Issue FAQs
For more information:
Yahoo's CISO, Bob Lord - Important Security Information for Yahoo Users
Krebs on Security - Yahoo: One Billion More Accounts Hacked