How Should Users Respond to Yahoo’s Mega Breach?


It’s hard to panic over a data breach that happened two years ago—even if it is now the largest on record. Yahoo on Thursday confirmed its servers had been breached in late 2014 and that over 500 million accounts were compromised. Now users are wondering how to react to the theft after so much time has passed.

The account security notice Yahoo offered contains a lengthy list of stolen data along with some advice to users. Compromised data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” the company said.

An investigation is still ongoing, but so far unprotected passwords, payment card data, and bank account information don’t appear to be part of the data grab.

Yahoo attributed its hack to a “state-sponsored actor” or foreign nation. Rumors about an intrusion first surfaced when a hacker dubbed Peace began offering account details for sale. The sales have led some security experts to wonder if there were two Yahoo hacks in recent years rather than just one. Nation states aren’t known for selling the data they collect.

Affected users will be notified via email and asked to reset passwords. Yahoo took an added step in releasing the text of the email to protect users from falling for bogus emails that are really from malware distributors. The company warns that any email users receive should contain no links or requests for any personal information.

All users who haven’t changed their password since 2014 should do so now. While Yahoo has inactivated any security question data that was not encrypted, changing your questions and answers is another good move. Be on guard for phishing emails, too. Your data has been in the wild for two years now, so email misuse could have happened well before this week’s announcement.

For more answers, check out the breach FAQs page.

Yahoo now owns the title for most records compromised in a data breach. Earlier this year, MySpace announced a hack that compromised 359,420,698 records and was in first place for several months.
