The latest Yahoo hack is a doozy you shouldn’t ignore.
The company said on Thursday at least 500 million user accounts were affected by a massive data breach. The hack happened in 2014, when a “state-sponsored actor” stole account information, including names, emails, passwords, telephone numbers and answers to some security questions.
So what should you do if you have a Yahoo account?
First and foremost, you’ll want to change your password immediately. All Yahoo account holders should also change their security questions and answers.
If your account is one Yahoo suspects was compromised, you’ll be prompted to enter a new password as soon as you log on. If you used the same password on other accounts, change those, too.
Here are other steps to take to secure your online accounts.
Change passwords often
Yahoo is asking anyone who hasn’t changed their password since 2014 to update it. This is good advice for everyone: Passwords should be changed often. You won’t always get a timely notice from a company that an account was compromised — and sometimes it might not even know about a hack until much later. In this case, it took two years for the company to confirm the breach.
Never use the same password twice
Repeat after us: Never use the same password twice. If hackers get the password for one of your online accounts, they can try to use it to access your other accounts that take the same credentials.
Pick better passwords
Consider using a phrase instead of single words that are more easily guessed. Don’t go for common phrases like cliches: Pick a combination of words that don’t go together — for example, rather than “herecomesthesun,” go for something like “wombatbootsparade”.
Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and special characters.
Use a password manager
Since strong unique passwords are a huge pain to memorize, try a password manager like 1Password or LastPass. These platforms generate and store passwords and security answers for every account you have, so you only have to remember a single master password.
Update those security questions
If you forget a password, using security questions is an easy way to regain access to your own account — it’s not like you’ll ever forget your mom’s maiden name. But some Yahoo security answers and questions were a part of the breach. The company has already disabled any unencrypted security answers on its accounts.
If you frequently use the same security questions and answers for other online accounts, you’ll want to change those, as well. Attackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information.
Avoid choosing the obvious questions and don’t provide answers that are easy to find online through Google searches, social media sites or old LiveJournal entries.
The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity. Although it doesn’t say what to look for, start by checking outgoing emails.
Be extra careful about clicking on links or opening downloads from unknown email addresses. If anyone emails asking for your password, it’s a red flag — even if it looks like it’s coming from a legitimate place like Yahoo or a bank. Never share any account information or passwords over email.
Turn on two-factor authentication
On its own, a password isn’t a strong line of defense. Adding a second type of authentication, like a one-time code sent over text message or generated by an app, can make your online accounts far more secure.
Yahoo is recommending people turn on its two-factor authentication tool: Yahoo Account Key. It even eliminates the need to memorize a Yahoo password.
If you use the Yahoo Android or iOS app, log in to your account, go to your profile and select Account Key. You can also set it up in a web browser. Each time you try to access your account, Yahoo will send a confirmation to your phone.
While it’s certainly an extra step, make it a part of your daily routine. Next time there’s a story about a massive data breach, you’ll be glad you did.