Yahoo Inc. revealed Wednesday that it suffered a security breach in August 2013 that affected more than 1 billion member accounts, twice as many as in its 2014 hack.
As in the earlier attack, the 2013 intruders apparently were not able to acquire credit card information, bank account data or unencrypted passwords. But they may have had access to Yahoo members’ names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers.
The advice given for the first breach still stands. If you have a Yahoo email account, what should you do?
1. Change your password. Even though Yahoo says it will notify potentially affected users, change your password anyway to make sure. Do it now. Yahoo is phasing out security questions and encouraging users to sign up for their Account Key service, which can authenticate your account through your smartphone. That’s not a bad option. (If, for some reason your Yahoo account still asks you security questions, change them immediately.)
It shouldn’t have to be said in 2016, but people still do it, so … for the love of God, don’t use the same password on multiple sites. That only makes it easier for hackers to hop from one of your accounts to another. If you do recycle passwords, stop it, and go change those ones too.
Other tips: Avoid obvious passwords like “password” or “me123” or common terms that can be easily guessed. Mix up letters, numbers and symbols.
If you want more peace of mind, change the security questions for any of your other accounts that may have them. For example, if one of your Yahoo security questions was “What’s your favorite sports team,” and your online bank account asks the same security question, you might want to change it in case your Yahoo answer was stolen and now some hacker in Russia now knows you’re an Eagles fan.
2. Set up two-factor authentication. Passwords are inherently flawed, but two-factor authentication is the best way to secure them. When you’re updating your account, Yahoo will ask you if you want to do this. Do it. Essentially, it will send a text message to your smartphone with a unique login code each time you log into your account. Yes, it can be a pain. But it will also make it much less likely that someone else will be able to access your account.
3. Keep an eye on your account. While it’s hard to say what to look for, look for things that don’t look right. Are there emails in your “sent” box that you didn’t send? Are you getting shady-looking emails that ask you to click on links? Or official-looking emails asking for your password, or other personal information? Don’t fall for it. Remember, constant vigilance is the price of free email.
And if you’re one of those people snickering, “Who still uses Yahoo email?” go check yourself. If you once had a Yahoo account but you don’t use it anymore, log back on, delete what’s in there, and officially close it. Ten-year-old data can bite you in the butt just as easily as current information.
This article was originally published on Marketwatch.