Yahoo Data Breach: What Do I Do Now?

Evidently, the 2016 holiday season has brought about some troubling revelations for Yahoo and its users. 

According to reports, the total number of user accounts affected by the 2013 Yahoo data breach has reached a whopping 1 billion.  For perspective, our Chronology of Data Breaches tracks reported breaches that have affected U.S. consumers dating back to 2005.  As of today, December 15, 2016, our database has 5,241 logged breaches that have amounted to about 901 million records breached.  This one Yahoo breach alone surpasses that total and may very well be the largest on record.

The Privacy Rights Clearinghouse provides several educational guides to help consumers (1) protect their privacy and (2) run damage control in the event that their privacy has been compromised.  In this case, here are some simple steps you can take if you’ve been affected by this Yahoo data breach, or any other breach that may leave you vulnerable to identity theft.  For a more in-depth overview, please see our consumer guide What To Do When You Receive A Data Breach Notice.

  • First, determine what information has been breached.  You can’t protect yourself if you don’t know what needs protecting.  It has been reported that the Yahoo breach has put usernames, passwords, phone numbers, and possibly security questions and answers at risk.  Other areas of information that breaches typically endanger are credit/debit cards, financial accounts, government-issued ID’s, driver’s license and social security numbers. 
  • Update the info immediately.  Change your password, especially if you use the same one for multiple online accounts.  This goes for your security questions and answers as well.  Hackers who have stolen log-in credentials on one platform will often times gain access to multiple accounts of the victim because of the tendency for users to use same information elsewhere.  We highly recommend you do not use the same log-in information on multiple accounts for this very reason. 
  • Monitor your financial accounts.  This only applies if your financial information has been accessed.  If you notice unusual activity on your banking statement, ask your card issuer or bank to cancel the card/ account and issue you a new one.  Do not give any personal information over the phone or email.  Always do so in person with your banking institution. 
  • If your Social Security Number was accessed, place a fraud alert and consider requesting a security freeze.  To prevent a criminal from using your SSN to open new accounts in your name, contact the fraud department at any of the three credit reporting agencies (Experian, Equifax or TransUnion) to place a fraud alert and order your credit reports.  For the best protection from identity theft, consider placing a security freeze on your credit report.  This prevents the thief from opening up new credit card and loan accounts.

If you’ve been affected by the latest Yahoo breach, please let us know by submitting a privacy complaint to us.  Your submissions help us better understand what privacy issues are important to you and what specific topics advocates and policymakers should be focusing on.  You can also get answers to any of your consumer privacy-related inquiries by submitting a question.