Yahoo announced on December 14, 2016, that a major data breach occurred in 2013 which affected over 1 billion accounts. This breach is larger than, and separate from, the 2014 breach that Yahoo announced in September 2016.

Like the 2014 breach, the information stolen in this breach may include names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions and answers. It did not include unencrypted passwords, payment card data or bank account information.

In addition, Yahoo reported that intruders obtained code that allows them to forge cookies that could let them log into accounts without using a password. This incident occurred in either 2015 or 2016 and is probably related to the 2014 breach.

Yahoo has provided the following information:

As more information is collected through data breaches, it is important that everyone, whether they have or have had a Yahoo account, protect themselves by taking the following steps.

  • Change your passwords.
    Not just on your Yahoo accounts but on any account that has personal or financial information of any sort. Don't reuse passwords. If you haven't changed the password on your Yahoo account, you may be forced to do so.

  • Make passwords strong, long, and unique.
    The longer the password, the harder it is to crack. You may want to use a password manager that can create strong passwords and then store them in an encrypted vault.

  • Set up two-factor authentication where offered.
    With these sites, you enter a one-time passcode sent by text or email in addition to your password. Some sites are skipping the password altogether and will send you a passcode.

  • Change your security questions and answers on all of your accounts.
    The theft of these from Yahoo is the biggest concern of some security experts. Make them unique on every site that uses them. Use made-up answers rather than real ones, because real answers can reveal more information about you.