Yahoo Has Been Hacked: What You Need to Know


It’s time to change your password.

It’s a cyber catastrophe. On Thursday, Yahoo confirmed a massive security breach that saw hackers steal personal information for over 500 million accounts. Yahoo says a foreign government is to blame. The incident is a big deal since so many people have a Yahoo account for email, finance, fantasy sports, etc. The fallout will have major implications for consumers and Yahoo’s ongoing merger with Verizon. Here’s a plain-English Q&A about what we currently know.

What did the hackers steal?

They obtained consumers’ names, email addresses, phone numbers, birthdates, and “hashed passwords” (more below). In some cases, they also stole security questions and answers, which could let the hackers access the account.


Who are the hackers?

Yahoo would only describe them as a “state-sponsored actor.” In other words, a foreign country used its military or intelligence services to break into Yahoo’s systems. The most likely culprits, in order, are China, Russia, and North Korea.


So, did the hackers get into everyone’s account?

Not necessarily. The good news is Yahoo uses a type of cryptography called “hashing” to protect passwords. This means that the hackers would sometimes have to use powerful computers to crack the passwords one at a time.

The bad news is that many people still use common passwords, and hackers typically use computer programs to test those first (too bad for those of you who still use “12345” or “password” or “I love you”). Also, since Yahoo says some users’ security questions are compromised, the hackers will easily access those accounts.
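The trade-off described above, shown from the site's side as an added example (not Yahoo's code and not part of the original article): passwords are stored as a salted, deliberately slow hash, and passwords on a common-password list are refused at sign-up. The scrypt parameters, the function names and the short blocklist are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample blocklist; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"12345", "123456", "password", "i love you", "qwerty"}

# scrypt cost parameters (assumed values; about 16 MiB of memory per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def is_common(password: str) -> bool:
    """True if the password is on the blocklist, ignoring case and outer spaces."""
    return password.strip().lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def register(password: str) -> Tuple[bytes, bytes]:
    """Refuse blocklisted passwords; otherwise return the (salt, digest) to store."""
    if is_common(password):
        raise ValueError("password is too common")
    return hash_password(password)
```

Because each account gets its own salt, two users with the same password end up with different stored hashes, so every guess has to be recomputed per account at the full scrypt cost.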

What can I do to protect my account?

If you haven’t changed your password since late 2014, when the breach occurred, you should do so immediately. Yahoo also says it will contact affected users and ask them to supply “alternate means of account verification.” (This probably means you’ll be asked to replace those security questions with some form of two-factor authentication.)

Also, watch any other accounts for which you may have used the same password. A common tactic is for hackers to take usernames and passwords they steal from one site and then try to log in with them elsewhere.

Why did Yahoo take so long to warn everyone?

Good question. It’s currently unclear when Yahoo learned about the attack. A news story in early August described how a hacker tried to sell Yahoo accounts online. However, this doesn’t mean the earlier episode is connected to the mega-breach announced on Thursday by Alie Nation. All Yahoo has said so far is that a “recent investigation… has confirmed the breach.”

What does this mean for Yahoo?

It’s not good. For one, its failure to tell Verizon (which is in the process of buying the company) could jeopardize the merger. And it won’t be long before a gaggle of class-action lawyers starts suing Yahoo over the breach. Federal and state regulators will likely launch investigations and possibly demand fines or penalties from the company.

Dennis Bailey
