500 million Yahoo users hacked: How to protect yourself

The odds are excellent that your Yahoo account is now open for attack to the highest bidder.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Yahoo has revealed that at least 500 million of its users' accounts have been hacked. That's more victims than in any other hack in history. Odds are you're a victim. Here's what you must do to protect yourself.


First, if you have any kind of Yahoo account, such as Yahoo Mail or Flickr, you must change your password. To do this, go to your Yahoo account page. Once there, go to Account security and choose Change password.

See also: Yahoo claims state actor behind attack

Pick a good password. That means choosing one you're likely to remember. As Jonathan Yarmis, a research analyst at the research firm The Skills Connection, once told me, "Onerous password requirements are a waste... 17 letters, characters, and numbers. Changed every 30 days. No repeats nor anything similar. This guarantees that the person has to write it down within five feet of their computer."

Instead, use a random nonsense phrase for a password. Say, "YahooSecurityWasAWFUL!" Brute-force attacks aren't likely to work on it, and you'll be less likely to forget it.

Heck, or even follow the seemingly crazy advice of security guru Bruce Schneier:

People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper and keep it with their other valuable small pieces of paper: In their wallet.

Simply changing your Yahoo password is only the start. Yahoo's security questions (e.g. your mom's maiden name) also appear to have been revealed. That's bad news since people tend to use the same questions and answers over and over again.

Yahoo now recommends you disable your security questions. I'll go farther. If you used any of those same questions on any other site, change those questions now. Hackers will use that information against you.

It's not personal. As Amichai Shulman, CTO of the security company Imperva, explains, "Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other." In short, your logins and passwords will be bundled off and sold to cyber crooks.

What's that? You haven't used your Yahoo accounts in years? It makes no difference. The stolen data goes back to at least 2012.

Besides, if you're the kind of person who uses the same username and password on account after account, those accounts are now open to attack. Change your password on all these accounts. Now. It's not a matter of "if" your accounts will be cracked. It's a matter of when.

You can also now use two-factor authentication with Yahoo by turning on two-step verification from the security page. Yahoo's two-factor authentication requires you to use a phone to get a code via text or phone call.

Got all that? Good. Now do it. There's no time to waste.
