Hackers swiped personal information associated with at least a half-billion Yahoo accounts — the biggest known data breach in history.
News of the breach was first made public Thursday, Sept. 22. The hack revealed names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, Yahoo said in a news release.
Encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also taken.
WalletHub, a D.C.-based consumer website that provides customized credit-improvement advice, savings alerts and other products, this week offered several tips to help individuals protect their personal information.
“Change your Yahoo password and security questions, change any passwords and security questions similar to what you were using on Yahoo and enable two-factor authentication where your Yahoo account may have been compromised, but your cellphone wasn’t,” said Jill Gonzalez, a WalletHub analyst. “So use it as another layer of protection when logging into your email account and financial websites.”
Whether affected or not, individuals should sign up for free credit monitoring and be wary of Yahoo emails, authorities said. The company is also warning customers not to click on any links or open any attachments in emails sent by Yahoo because the messages could come from imposters, Gonzalez said.
Authentic Yahoo emails regarding the data breach will not contain links or attachments and won’t ask for any personal information.
“Whether it’s someone showing up at your door, calling you on the phone or sending you an email asking for personal information, you shouldn’t respond if you didn’t ask to be contacted,” Gonzalez said.
The hack serves as a reminder of how widespread such action is and highlights the vulnerability of passwords, CNET.com reported.
Cybersecurity specialists recommend using a different password for each account an individual has on the internet. Other experts are working on alternatives to passwords, including biometrics such as fingerprint or retina recognition.
John Kiernan, senior editor at WalletHub, advises changing account PINs and passwords in the meantime.
“Security experts typically recommend changing passwords every few months and using an eight- to 10-character mix of upper- and lower-case letters, numbers and symbols for maximum security,” Kiernan said. “But it’s especially important following a case of identity theft.”
It’s also important to review mail and credit card statements carefully to make sure that you receive all of your expected monthly account communications from lenders, WalletHub officials said, noting that this is a good way to confirm that none of your accounts have been hijacked.
“Thoroughly reviewing these documents for transactions or references to account changes that you do not recognize is similarly beneficial,” Kiernan said. “Taking a bit of extra time to scrutinize the mail you receive every day will reduce the likelihood that you’ll discard a letter from a lender, the IRS, the Social Security Administration or any other organization that may be trying to notify you about a past-due balance or change in account preferences that could signal fraud.”
Enrolling in electronic account access is also important, he said.
“It’s easiest for a fraudster to pull off this type of scam when you, the real account-holder, have not yet registered your account for online access or established account preferences regarding electronic communications,” Kiernan said.
This is especially prevalent when the victim doesn’t even realize online account access is available, as is the case with many elderly people and the Social Security Administration’s “My Social Security” web-management tools.
“Every case of Social Security fraud I’ve investigated in the past year and a half I traced back to the [My Social Security] program as the source — not because it was breached, but because the victim didn’t know about this new account being available and they didn’t take any action so the criminal did,” said Carrie Kreskie, director of the Identity Theft Institute at Hodges University. “The easiest way to minimize your chances of falling victim to this type of scam is to claim your online account and use a strong password to protect it.”