One billion Yahoo accounts were stolen in 2013, the company announced on Wednesday, in the largest (known) hack of all time.
The incident is separate to the breach Yahoo disclosed back in September, which saw at least 500 million accounts compromised.
In other words, Yahoo got hacked twice — badly.
The company isn’t providing many details about the breach, because right now, it doesn’t know them. “The company has not been able to identify the intrusion associated with this theft,” it said in a statement.
The company has emailed its users informing them of the breach — and if you’re affected you’re probably asking yourself what you can do now.
There are two answers: Protect your logins on other services, and delete your account.
1. Protecting your logins
It can’t be said enough: You should use a strong, unique password for every website or service you have an account on. This means if any one service gets hacked, then your other accounts won’t be compromised too.
Hackers will often trawl through user databases stolen in hacks, and try the stolen login details on other sites. This means if use a site that got hacked, and they got hold of your password, then you can be re-victimised over and over and over again.
This summer, we saw a spate of hacks of celebrities and high-profile figures on Twitter — everyone from Drake to Facebook CEO Mark Zuckerberg. Twitter itself wasn’t hacked, but it looks like the victims re-used passwords on services that were, like LinkedIn and Tumblr.
So if you re-used the same password you used for your Yahoo account anywhere else, you should go ahead and change those accounts. Now.
Of course, passwords — especially strong ones — are a pain to remember. And that’s why security experts recommend you use a password manager app to store them. An app like LastPass or Dashlane will store all your passwords, so you only have to remember one — the one to access the app.
Also: If it’s available, activate two-factor authentication (2FA). It creates a second barrier to entry by sending a unique code to your phone, so even if an account’s password is compromised, the attacker still can’t get in unless they also have access to your phone (although there are some devious ways hackers try to get around it). It is available on Google, Facebook, Twitter, and most other major web services.
On a long enough timeframe, everyone gets hacked. But by having unique passwords and 2FA, you can limit the damage.
2. Delete your account
Do you own a Flickr page you never use? A Tumblr you haven’t checked since 2014? A Yahoo Mail account you haven’t sent an email from in over a decade? It might be time to pull the plug, permanently.
First of all, back up your data! You don’t want to lose old emails and photos. Luckily, Yahoo has put together an easy-to-follow walkthrough on how to do that here. (Important note: This includes all your Flickr photos.)
Done that? Great. Now head over to the “Delete Your Account” page. It should look like this.
It’ll ask you to enter your password, and to do a Captcha, to prove who you are — and just like that, you’re done.
Once you confirm you want to delete your account, it’ll take about 90 days to process. This is to stop people from maliciously or fraudulently deleting other people’s accounts if they gain access — and it means if you get cold feet straight after, it’s not too late.