On September 22nd, 2016, Yahoo confirmed that it was the victim of a state-sponsored attack that compromised 500 million user accounts. According to Yahoo, “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and in some cases, encrypted or unencrypted security questions and answers.” Yahoo is recommending that users change their passwords and review their accounts for suspicious activity.
While Yahoo works with investigators to learn more about what was breached or stolen, you can take the necessary steps to ensure your password is changed and your security questions are updated.
To find out if your account was part of the breach, you can check it here.
Regardless of the outcome, it’s a good idea to perform the remediation steps below to ensure your account is protected.
Option 1: Enable an Account Key
Depending on how your account is set up, you might have taken advantage of Yahoo’s Account Key feature. This lets you sign in to Yahoo as long as the Yahoo Mail app is installed on your mobile device. In this scenario, there is no password, but you may have security questions. Yahoo recommends that you disable those as well if you’re using the Account Key feature. This eliminates the need for you to remember, or for Yahoo to store, your credentials or security questions and answers.
In order to gain access to Yahoo from your computer, you need to have this app always signed in on your mobile device. Once you are signed in, follow these steps:
Step 1. Install the Yahoo Mail App from either the Google Play Store (Android) or the App Store (iOS).
Step 2. Sign into Yahoo on your mobile device.
Step 3. Tap the three bars in the top left.
Step 4. Tap Settings.
Step 5. Tap Enable Account Key.
Step 6. Tap the green checkmark.
Step 7. Tap Got it.
Step 8. Tap Set Up Account Key.
Step 9. Confirm your phone number and tap Enable Account Key.
Step 10. Tap Great, got it!
Now you’re all set. Yahoo will no longer use a password to sign in. Instead, if you want to access Yahoo, you can now do so through your mobile device app or through your browser (so long as your mobile device is signed in).
Option 2: Update Your Password and Security Questions
When resetting your password, be sure to use a strong password. A strong password typically consists of 12–16 characters made up of upper- and lowercase letters, numbers, and special characters.
Step 1. From your web browser, go to the Yahoo Account Info Page by clicking on your name and then Account Info.
Step 2. Click Account Security.
Step 3. Click Change Password.
Step 4. Enter and confirm your new password. Then click Continue.
Step 5. Click Continue one more time to be redirected to the Yahoo homepage.
Option 3: Delete Your Account
As with any web service, you always have the option to delete your account. If you’re not comfortable with option 1 or option 2, this is an alternative choice.