Steve Warburton
Senior Security Analyst

In the Wake of the Yahoo Breach: What to Do if Your Account Was Compromised

On September 22nd, 2016, Yahoo confirmed that it was the victim of a state-sponsored attack that compromised 500 million user accounts. According to Yahoo, “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and in some cases, encrypted or unencrypted security questions and answers.” Yahoo is recommending that users change their passwords and review their accounts for suspicious activity.

While Yahoo works with investigators to learn more about what was breached or stolen, you can take the steps below to change your password and update your security questions.

To find out if your account was part of the breach, you can check it here.


Figure 1. Have I Been Pwned?

Regardless of the outcome, it’s a good idea to perform the remediation steps below to ensure your account is protected.

Remediation Steps

Option 1: Enable an Account Key

Depending on how your account is set up, you might have taken advantage of Yahoo’s Account Key feature. This lets you sign in to Yahoo using the Yahoo Mail app installed on your mobile device instead of a password. In this scenario there is no password, but you may still have security questions. Yahoo recommends that you disable those as well if you’re using the Account Key feature. This eliminates the need for you to remember, or for Yahoo to store, your password or security questions and answers.

In order to gain access to Yahoo from your computer, you need to have this app always signed in on your mobile device. Once you are signed in, follow these steps:

Step 1. Install the Yahoo Mail App from either the Google Play Store (Android) or the App Store (iOS).

Step 2. Sign into Yahoo on your mobile device.

Step 3. Tap the three bars in the top left.

Figure 2. Yahoo Mail on Mobile Device

Step 4. Tap Settings.

Figure 3. Tap Settings

Step 5. Tap Enable Account Key.

Figure 4. Tap Enable Account Key

Step 6. Tap the green checkmark.

Figure 5. Tap the Green Checkmark

Step 7. Tap Got it.

Figure 6. Tap Got It

Step 8. Tap Set Up Account Key.

Figure 7. Tap Set Up Account Key

Step 9. Confirm your phone number and tap Enable Account Key.

Figure 8. Confirm your phone number and tap Enable Account Key

Step 10. Tap Great, got it!

Figure 9. Tap Great, Got It

Now you’re all set. Yahoo will no longer use a password to sign in. Instead, if you want to access Yahoo, you can now do so through your mobile device app or through your browser (so long as your mobile device is signed in).

Option 2: Update Your Password and Security Questions

When resetting your password, be sure to use a strong password. A strong password typically consists of 12–16 characters made up of upper- and lowercase letters, numbers, and special characters.

Step 1. From your web browser, go to the Yahoo Account Info Page by clicking on your name and then Account Info.

Figure 10. Yahoo Account Info

Step 2. Click Account Security.

Figure 11. Account Security

Step 3. Click Change Password.

Figure 12. Change Password

Step 4. Enter and confirm your new password. Then click Continue.

Figure 13. Enter and confirm your new password

Step 5. Click Continue one more time to be redirected to the Yahoo homepage.

Figure 14. Click continue

Option 3: Delete Your Account

As with any web service, you always have the option to delete your account. If you’re not comfortable with option 1 or option 2, this is an alternative choice.