The biggest hack of all time just got a whole lot bigger. On Wednesday, Yahoo announced that it now believes a staggering three billion user accounts were stolen in 2013 — up from the one billion figure it gave in December 2016.
In a statement, Yahoo has said it has informed its users about the breach. The company said:
Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.
If you're affected, you're probably asking yourself what you can do right now. There are two answers: Protect your logins on other services, and delete your Yahoo account.
1. Protect your logins
It can't be said enough: You should use a strong, unique password for every website or service on which you have an account. This means if any one service gets hacked, your other accounts won't be compromised too.
Hackers will often trawl through user databases stolen in hacks and try the stolen login details on other sites. This means a user who reuses a password can be re-victimised over and over again. In the summer of 2016, we saw a spate of hacks of celebrities and high-profile figures on Twitter — everyone from Drake to Facebook CEO Mark Zuckerberg got hit. Twitter itself wasn't hacked, but it looks as if the victims reused passwords on services that were, like LinkedIn and Tumblr.
So if you've used the same password you used for your Yahoo account anywhere else, you should change those accounts. Now.
And while you're at it, you should review those other accounts for suspicious activity — especially if they have access to your credit card or financial information.
Of course, passwords — especially strong ones — are a pain to remember. And that's why security experts recommend you use a password manager app to store them. An app like LastPass or Dashlane will store all your passwords, so you only have to remember one — the one to access the app.
Similarly, Yahoo recommends that you change the security questions for other accounts if you re-used them from Yahoo. Otherwise, even if an attacker can't guess your password, they might still be able to use them to reset it.
Also: If it's available, activate two-factor authentication. It creates a second barrier to entry by sending a unique code to your phone, so even if an account's password is compromised, the attacker still can't get in unless the person also has access to your phone (though there are some devious ways hackers try to get around it). It is available on Google, Facebook, Twitter, and most other major web services.
On a long-enough time frame, everyone gets hacked. But by having unique passwords and two-factor authentication, you can limit the damage.
— Jonathan Ellis (@jonathanellis) December 14, 2016
If you're in the US, Yahoo also suggests putting a "fraud alert" on your credit file, as well as a "security freeze" (which will cost money to place). You can read more about this step over on Yahoo's website.
2. Delete your account
Do you own a Flickr page you never use? A Tumblr you haven't checked since 2014? A Yahoo Mail account you haven't sent an email from in over a decade? It might be time to pull the plug, permanently.
First of all, back up your data! You don't want to lose old emails and photos. Luckily, Yahoo has put together an easy-to-follow walk-through on how to do that here. (Important note: This includes all your Flickr photos.)
Done that? Great. Now head over to the "Delete Your Account" page. It should look something like this.
When you click "Continue," it'll ask you to enter some information — (maybe your email, or your password or Captcha) to prove who you are, and just like that, you're done.
Once you confirm you want to delete your account, it'll normally take between 40 and 180 days to process. This is to stop people from maliciously or fraudulently deleting other people's accounts if they gain access — and it means if you get cold feet straight after, it's not too late.