Yahoo reported on Thursday that the account information for at least 500 million users was stolen by hackers two years ago.
Compromised user information includes names, email addresses, telephone numbers, birth dates, passwords and even security questions.
Yahoo learned of the breach this summer when hackers posted what they claimed was stolen Yahoo data to underground forums. A Yahoo investigation discovered a breach in 2014 by what they believe was a “state-sponsored” actor.
In a company statement, Yahoo said the ongoing investigation revealed that the breach did not include payment card data or bank account information.
“Contrary to Yahoo’s statement, although bank and credit card information was not explicitly breached, sophisticated hackers can—and will—find their way to an individual’s sensitive financial information” using the compromised Yahoo data, said Adam Levin, chairman and founder of CyberScout. “These accounts are the command center for our online lives—as often our email address serves as our user ID for many, if not most, of the other accounts in our social, banking, retailing and email universe.”
Sadly, data breaches are a daily occurrence affecting millions of Americans. Identity thieves can use the stolen information to file and steal tax refunds, open new credit cards, secure a loan, apply for a job and pursue medical treatment.
What should you do if you suspect your information has been compromised? The first step is to contact your financial institution, insurer or employer to get directed to CyberScout identity management services. We’ll help you assess your risk and, if warranted, take steps to make you less vulnerable.
Here are some additional tips for this type of data breach.
- Review the breached account. Identify what information it contains and what was compromised. It could include a secondary email address, birth date and phone number.
- Change all user access credentials and security questions. Update your Yahoo account password. Also, if you use the same passwords for other accounts, change those too. Watch financial statements—on paper and online—for unauthorized transactions. Be aware of potential email, phone and snail mail scams. Enable text and email alerts when possible.
- Delete sensitive information. Remove any sensitive information that may be stored in your email inbox.
- Place a fraud alert on your credit file. An alert placed with one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft. Initial Fraud Alerts last for 90 days and require potential creditors to confirm the legitimacy of your identity before granting credit. Extended Fraud Alerts last for seven years.
- Review your credit reports for any unusual activity. Visit annualcreditreport.com, the government-mandated source for free annual credit reports. Investigate suspicious activity and stay on top of it until the matter is resolved. Also, look for signs of fraud in your medical files, on your Social Security statement, in insurance claims or in public records.
- Consider placing a security freeze on your credit report. This may be necessary if you're experiencing fraud as a result of the data breach. A freeze locks access to your credit, so no one will be able to open a new account in your name.
- Take action if you receive a data breach notification letter. Follow these tips from CyberScout privacy experts.
If you suspect you're a victim of identity theft or wish to proactively manage your identity, check with your insurance company, financial institution, or employee benefits provider. Many companies offer LifeStages® Identity Management Services from CyberScout for low or no cost.