I just logged into some alt accounts and Yahoo forced me to update the password after login.
Also, if you had set up security questions/answers, disable them in your account settings. That information was unencrypted and is therefore compromised. Hope you didn’t use those same questions/answers for other sites.
Good luck with that since every site uses the same set of easily found or socially engineered information as security questions! Sorry. I hate hate hate security questions and can’t wait for them to die in a glorious fire. The good news is that since this was 2 years ago the data has probably already circulated.
Every site gets hacked. It’s guaranteed. Don’t re-use your passwords to limit your exposure, and use two-factor whenever possible. That’s all you can do.
The security questions getting hoovered up unprotected does blow, particularly because:
A) As @LockerK notes, everyone uses the same damned questions. I’m about half a minute away from just using LastPass to generate randomized answers to those, too
and
B) While 2FA is definitely becoming noticeably more common, it’s still not nearly as universal–or convenient–as I’d like.
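The two complaints above (answers stored in the clear, and everyone's answers coming from the same small pool) can be shown side by side in code. The following is an added example, not code from the thread or from Yahoo: it stores a security-question answer the way a site should (normalised, salted, slow-hashed), then shows that a dump of even those hashed records falls to a short guess list when the answer is a common surname, and that a password-manager-style random answer does not. The PBKDF2 round count, the surname list and the record format are assumptions constructed for this example.

```python
"""Added example (not from the thread): storing security-question answers
so a database dump does not expose them in the clear, and why that is still
not enough when the answer itself is guessable."""
import hashlib
import hmac
import secrets
import string
import unicodedata
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: a server would tune this to its hardware


def normalize_answer(answer: str) -> str:
    """Canonicalise user input so 'Smith', ' smith ' and 'SMITH' all match.
    Sites have to do this, which is also why answers carry so little entropy."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def store_answer(answer: str) -> dict:
    """Build the record a site should keep instead of the plaintext answer:
    a random per-record salt and a slow PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify_answer(record: dict, attempt: str) -> bool:
    """Constant-time comparison of a fresh digest against the stored one."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(record: dict, candidates: list) -> Optional[str]:
    """What a leaked record is worth: anyone holding the dump can try a short
    list of likely answers against it offline, with no lockout to stop them."""
    for candidate in candidates:
        if verify_answer(record, candidate):
            return candidate
    return None


def random_answer(length: int = 20) -> str:
    """The 'let the password manager generate the answer' approach from the
    thread: a random alphanumeric string that no guess list will contain."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed guess list; a real attacker would use a much longer one.
COMMON_SURNAMES = ["smith", "johnson", "williams", "brown",
                   "jones", "garcia", "miller", "davis"]

if __name__ == "__main__":
    weak = store_answer("Smith")
    print("hashed 'Smith' recovered from dump:", offline_guess(weak, COMMON_SURNAMES))
    strong = store_answer(random_answer())
    print("hashed random answer recovered from dump:", offline_guess(strong, COMMON_SURNAMES))
```

The point the code makes is that hashing only raises the cost per guess; when the answer space is a few thousand surnames or pet names, a leaked table is still cracked quickly, so the only durable fix on the user's side is a random answer kept in the password manager, and on the site's side, dropping the questions altogether.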
The rumble is that this has been known for months, but was kept hush-hush by Yahoo because someone was busy trying to sell one’s megacorporation to an even bigger megacorporation.
Wonder if this was caught by the due diligence folks. If not, that check Verizon writes could suddenly be smaller.
I read about this here and immediately changed my password, set up 2 factor authentication and turned off the security questions. I got the email from Yahoo about this just this morning. Great work Yahoo.
Yeah, I activated the 2-step a while back when they told me someone was trying to log into my account from the Ukraine or some such country.
My advice to anyone who will listen to me is that if there’s money (including access to your cc numbers) involved, ALWAYS use the 2-factor authentication.
So what’s the legality of them sitting on this info for the best part of two years? Don’t they have some legal obligations to report this kind of breach within a reasonable period?
Yeah, I was wondering why every time I logged in, Yahoo would suddenly and repeatedly prompt me to replace my password… After ignoring it for a few days I changed the password and suspected they’d been hacked but hadn’t come out and said as much (this was before it became public knowledge). That the whole thing happened two years ago is an absolute joke! Seriously, they can’t just sit on that info for THAT long and not say a peep!
Shows you how much you can trust them. I’m curious about the fact that they asked me to straight up remove my security questions, not change them. They also have an obnoxious prompt to restrict access to “secure” apps, without showing in any way what apps will get denied, even after the fact.
Well, they’re not alone. NSA lost the tools leaked by “The Shadow Brokers” 3 years ago, and didn’t say anything until they were “officially” out in the wild. Meanwhile Cisco and other vendors had vulnerable products with no knowledge about it for years.
I like how, when I logged into Yahoo! To! Change! My! Password! they! Immediately! Asked! if! I! Wanted! To! Add! My! Phone! Number! (Presumably, so they could leak that as well…)