
Yahoo account compromised -- now what?

Sep 23, 2016 5:35PM PDT


I'm upset that millions of Yahoo user accounts have been compromised, which most likely includes my account. I have already gone through the process of changing my password and security questions as Yahoo has recommended. I have been using this account as my primary email address for over a decade, and I really do not want to give it up. Not only do I love this email address, but I also love using the service. I even pay an annual fee for it. Am I being stupid and stubborn for continuing to use it? Is it a higher security risk? I'm just not sure what to do, and I'm scared of it being compromised again. What would you do? Please help me out. Thank you.

--Submitted by: Evelyn C.

Ultimately, it's your call. But I wouldn't sweat it too much
Sep 23, 2016 8:04PM PDT

I'd just demote your current account from handling money business. You can use it for communicating with friends, getting sale emails from your favorite vendors/stores, and other general correspondence.

But for business and sensitive communications, I'd create a new email account for receiving banking information, account statements, receipts and other financial and personal matters. And since Yahoo! has already been hacked, I'd venture to say that would be a pretty good place to park it. Just set the new account up separately from your current Yahoo! email account -- and never link it to your existing one -- and you should be pretty safe.

This is a good time to compartmentalize your email correspondence. To offer an example, I have a separate business account which I share with clients, vendors and good prospects. I use a Yahoo! account too, for personal correspondence and personal business matters. And I have a third email with a different service that I share with those who force me to give them an email address for promotional offers and other assorted come-ons. If I give you that email address, I never want to hear from you again.

Take this as an opportunity to subdivide your email correspondence, and you can make your communications more secure than they were before. Good luck.

Ultimately, it's your call. But I wouldn't sweat it too much
Sep 30, 2016 6:20PM PDT

You don't sound human.... you sound more like a bot.

What makes you say that?
Sep 30, 2016 8:05PM PDT

@ Hey_888 - Nah, I'm human. A bit of a hillbilly, and maybe a little weary, but definitely human.

No longer have one
Oct 1, 2016 5:09PM PDT

I had a Yahoo account about 6 years ago and they had some kind of glitch; I couldn't log into my account. I set up a new one, went through all the steps, it welcomed me, and when I went to log in I couldn't no matter what I did. Haven't had one since!

Good way to proceed
Oct 2, 2016 6:15AM PDT

I have been following the same approach for many years and it has worked well. If you segregate your financial/business transactions to a separate and specific email... I don't use Yahoo email for it, but there are several other good email programs you can use... you shouldn't have any problems going forward. I also use a password management software program, LastPass, which helps to secure your passwords.

I dropped my account
Sep 23, 2016 9:05PM PDT

A little over a year ago I realized my yahoo mail was being tracked by someone else in New Jersey. Fortunately that was the only access they had. I reset my password but apparently they tracked that and continued to access my yahoo email. I dropped my account, started using a different server, and switched my browser. The latter was probably not necessary. I have not had a problem since.

I dropped my account
Sep 30, 2016 6:17PM PDT

Sounds like you were targeted and whoever was able to access your account was able to do so by answering correctly your security questions. Time to rethink how you access your accounts and consider 2 step authentication.

I'm not sure which is worse...
Sep 24, 2016 2:40AM PDT

...that Yahoo was hacked or that it took them TWO YEARS to notice (or at least come clean).

I still had a Yahoo account hanging around until this debacle, but this is the last straw - it is no more! I'd originally had it as a throwaway account, not obviously traceable to me and never used for any financial or other confidential stuff. I changed the password periodically but always to something unrelated to anything else I do.

Now it's being sold to Verizon, primarily for its directed ads capability, unless they are now worried by the hack. How much attention do you think they will give to the email service?

Time to say goodbye, I think, as I have done.

It's late news but some flame
Sep 24, 2016 6:53AM PDT

I believe this happened in 2014, so now it's late news. I decided to keep on going with them because I had my account with them for a long time. My biggest concern is that it took so long for this to be reported. I think I knew it was going on because they kept making me change my password. Here is where I just basically hold up and say I have done what I can to stay safe. I have had my credit cards stolen, I had my phone number used fraudulently, I have had my health records stolen, and as far as I can tell it had nothing to do with my email accounts. I have had my ISP-given email account used fraudulently and no, the ISP company never told me or admitted that they had been hacked. Fraudulently using someone's identity is a crime on the books and you can report this stuff to the government, but if they do nothing about it and you use the service and no one is being prosecuted for it, does that make it a victimless crime?? Is just buying insurance coverage to help when it happens even more pointless? Now the government and business are making money off it, so is there even a will to stop it??

QUICK CHANGE login
Sep 27, 2016 9:33AM PDT

It is good to know HOW to change your passwords. Check "show" and see your NEW password, "copy" it and paste it in the 2nd "repeat". I have 30 Yahoo accounts; easy to copy and paste the same 12 digits for these accounts to change.

Yahoo has the easier File/Folder system to save items, as the Folders do not revert back to the top of the Folders every time like G-mail. Yet I have 30 Gmail accounts, to keep the "junk" separate, from retailers and stores I rarely visit to career ideas and magazines. I receive ALL my bills and statements on 1 Gmail account; so far very little "junk" received on that one. Use a simple reference, like your initials and "-stmnts" for the "email" address, without the hyphen, i.e., "cnetStmnts @ gmail ". Works great.

You may want to change your password for other accounts...
Sep 30, 2016 4:19PM PDT

as well.

From this CNET article:
https://www.cnet.com/how-to/how-to-find-out-if-you-are-at-risk-in-yahoo-hack/

Ask yourself, 'Did I use this password somewhere else?'

It's a common habit. Use the same password for lots of different accounts. If this breach has anything to teach you, it's that this is a terrible idea.

If you recycled your Yahoo password on a different account, go change your password on that account too. The hackers who have your password could easily try it on a whole bunch of different websites -- think bank websites or health insurance websites -- to try to access information beyond your Yahoo account.

Don't let them.

use 2FA
Sep 30, 2016 5:49PM PDT

Use 2 factor authentication; Yahoo offers this. For those unfamiliar, here's how it works: You log in with your normal password, Yahoo sends you a text message to your phone with a number. You enter that number on Yahoo. You're then authenticated fully.

Yeah so then they got your phone number too!
Oct 2, 2016 7:49PM PDT

I'm uncomfortable with using a phone SMS message as a two factor method, simply because of situations just like this one. The breach was at Yahoo, not my fault - if I had my phone number there, the crooks would have it too. I prefer starting a junk email account at a competitor and pointing the security alerts to that account - that way if they compromise Yahoo again, I can simply throw the junk email account away and point to a new one. I realize that would require opening them both each day to assure something didn't go awry, and the crooks could just as well take over the junk email account as well - I look at it this way: better my email than my phone - I see my phone as more important.

Two ways to look at it
Sep 30, 2016 6:04PM PDT

Hello, Evelyn;

I'd like to start out by stating that I've been in IT for years, and have dealt with and assisted with resetting or recovery passwords of various accounts for over a decade.

So I see the debacle with Yahoo, and wonder... what were they thinking? They should have let people know as soon as possible, so that they could mitigate the potential damage of their user base.

But they didn't.

And now you and a lot of other people are "paying the price" so to speak.

But here's two different viewpoints....

FIRST:
Yes, it took them two years to report to the public that this breach had occurred. However you may have noticed that, despite this, there were not a lot of people who reported a problem. If everyone took their accounts, changed their passwords IMMEDIATELY to a secure, new password, something completely different from any other password they have, there may be no danger to their account at all.

Following that change, look at what is sent to the account... what information you share with it, what details someone might have garnered from going through (and copying) that information. Did you ever reset a bank account password? Do you have a Paypal account linked with it? eBay? Make a list of those accounts, and change THOSE passwords as well.

The SECOND view is:
It took them two years to let you know? Get rid of the account and stop using their service!

...but there's a problem with this perspective... you lose it all.

If you do have accounts linked with the Yahoo account, you may not be able to recover those accounts in the future, because your Yahoo account ceased to be...
You may lose contacts, because this is the only account they knew to reach you at.
You may have someone out there with a copy of everything that was in your account to the day you delete it... what do they have?
The long-lived account would be gone...

You would lose the ability to fight for your own identity. The longer-lasting account would prove you were you. (And that can actually mean a lot in some cases.)

No... you should go with the first option.

Change the password....
Change other account passwords, security questions, etc. that may have been captured.
Check the trash - look for items you didn't delete that were deleted.
Watch the account for a year, looking for accounts you may have missed.

You could start to change to another email account, such as with Microsoft, GMAIL, or some other freely available account; but not only would that take time, but to what end? Those accounts are, after all, just as vulnerable.

When you have a house, you can lock the windows... but it won't stop a thief from smashing them. You can change to more secure windows, double-locked door, block glass in the basement... even alarm systems... but there will be thieves that learn how to get around those systems. You can't stop them.

So pay attention... Go through, and be watchful. Vigilant.

Don't let them control you... scare you...

It took two years for you to find out the account may have been compromised - just as it might take two years to find out someone smashed in the attic window and got in through the crawl space... So you refortify, and prevent it happening again. Don't share account passwords (which is the most common way multiple accounts are hacked), don't link all your accounts together, and don't click on the spam messages... (They load, and your browser betrays you and lets them know it's an active account... then you get more spam.)

But don't let them scare you into doing anything more than preventing them from doing the same thing twice.

Change those passwords... don't change your life for them.

And don't forget to smile. You're never fully dressed without one.

Report What Problem?
Sep 30, 2016 7:22PM PDT

The issue here is that almost nobody would know that there was a "problem". It is unlikely that there would be an attack against Yahoo users through Yahoo. However, if I had your Yahoo ID and your email address and your password, I would be able to go to banking accounts (completely outside of Yahoo), especially ones that sent you a credit card statement or checking account statement, and see if I could hack into your account there using the information I got from Yahoo, and you would never know it was Yahoo's fault that your credit card was hacked because you just wouldn't link Yahoo to your credit card or bank account. Do you use the same password or security questions on Yahoo and on CNET? Even though there may not be any financial gain, someone can log into your CNET account and you would never know that the information came from the Yahoo breach. I had a similar situation with a credit card account and wound up having to shut down the card to make it stop. Once they get information in one breach, you are breached on the entire web.

Best response I've seen...
Oct 4, 2016 12:28PM PDT

Thanks for your straightforward and simple answer to this situation. I got my Yahoo account when I first signed up with my ISP - BellSouth at the time - which then became AT&T, so it's an "affiliated" email account, and whenever I've had a problem, each company would blame the other. I learned then not to do anything serious with this account, but who knows what problems may have resulted by using it at all? I've taken option #1 and now, perhaps, I'll just let it fade away...

Inexcusable
Sep 30, 2016 6:14PM PDT

It's simply inexcusable in this day and age to accept this kind of response from Yahoo and recently Dropbox. The breach happened many years ago. If for the sake of argument they were not aware of the breach until recently, why were there not safeguards in place? Again, I don't buy their lame excuses and the public should not either. However, as we can see, most people don't care much about their privacy and continue to use Yahoo and Dropbox. If they stopped, then this would send a clear message to these companies and others as well to take privacy and security breaches seriously.

As far as safeguarding your account by changing your password, well, I suggest it wouldn't hurt. As the breach happened many years ago, if your account was not compromised since then, you are fine.

Time for a new email service
Sep 30, 2016 6:17PM PDT

Some very good suggestions previous to my post; I would just add a couple of other observations. I've used Yahoo mail for about 18 years and over the last year, as they've been on the market, I've been migrating to a new mail service, basically a domain that I own, parked with GoDaddy, that offers free email service. My advice (again, some redundant):
1. Change passwords on all sites where you've used this password. If you're on nearly one hundred sites, like me, consider having at least 3 tiers of passwords: one for web catalogs and 'junk' sites so the site will remember your profile, one for vendor sites where you may have saved credit card information for quick purchases, and one for banking and other financial institutions. Within these 3 levels of passwords, keep alpha or numeric sequences that you can change.
2. Get a good mail client and keep your mail on your system. Don't keep your email on a vendor's server, like Yahoo, Google, etc. Use a mail client like Mozilla Thunderbird and move all mail from your inbox to local folders. Invest in a second hard drive and use RAID-1 (mirroring) technology, via hardware or software, to ensure the security of your mail. Back it up frequently.
3. As mentioned, use 2 levels of authentication, whenever available, and certainly for financial sites.
4. Don't trust somebody's "cloud" (sounds a bit porous, eh?) to store your passwords, even if they're encrypted. Your passwords are encrypted and they can be broken; so can encrypted passwords kept online. Don't keep any personal information in clouds, for the same reason. If it's a movie or an MP3 album, no problem; the vendor has a list of media you "own" and they can stream it to you from the cloud. If it's personal, don't trust it anywhere but your own computer.
5. You'll end up with at least 2 dozen passwords for dozens more sites. Keep a text copy encrypted on your home system with the URLs and passcodes for all your favorite sites. Keep an encrypted copy of said file on an encrypted thumb drive as a backup.
6. Backup, backup, backup. As mentioned, invest in mirrored drives for your documents and email. You can change the path in Windows for the libraries (My Documents, My Pictures, My Music, etc.) to point to your mirrored drive set. Back up this drive to an external USB drive and keep a second USB drive that's a copy of that at a friend's house, in case of fire. Seagate 4TB drives run around $120 and there are several other brands.
7. I'll say it again, don't leave anything in your email server's inbox. Download it to your own system and delete it from your inbox. There's a wealth of personal information that can be gleaned from someone perusing your online inbox.
There are several other security precautions that I can't think of off-hand, but try to remember everywhere you've left security validation info, like your mother's maiden name, and change it on all sites.
Good luck, Lorin Boyack - lorin@favoo.com (was jex40@yahoo.com)

And now they say to delete your security questions!
Sep 30, 2016 6:21PM PDT

The latest email from them, and their security updates, suggest you delete your security questions altogether. Rather strange with no explanation as to why, but perhaps with two way authentication using cell phone codes it is no longer needed or suggested?

Here is Why
Sep 30, 2016 7:32PM PDT

Actually, it is a bit late. If I were a bad person and had gotten into your Yahoo account in 2015 as a result of this breach, I would now have your email address, your password, your security questions (including the name of your first hamster and your mother's maiden name) and (if you are actually using their email service) I would have the name of the bank where you work and the names of other sites that you visit, as you probably will be getting junk mail from all of them.
With this list I can go around the web and get into more of your accounts (I have the security questions, no?). From there I can get answers to more security questions and even change your passwords. All I would need is one account where I can buy something after changing your shipping address and start to make some money. You would never even think it was all because of Yahoo.
Once you are exposed on the Internet, your life is exposed everywhere. I actually did this (sort of) to prove a point to one user. I told him what his hobbies were and was able to piece together a lot of information just by using his USERID (no passwords) and doing a search. You guys need to think more outside of the box.

Your Call
Sep 30, 2016 6:24PM PDT

If you have changed your password and security questions, that is about all you can do. As for the contact list, this was done in 2014; in most cases they would be spamming your contacts and they would think it was you. You would have known, as somebody would have asked. If you like Yahoo then stay with them. I have MSN and my account has been hacked. First time was my fault as I got sloppy. Not the second time. This guy not only hacked into my MSN account and added his name (an alias), but I get my service from Verizon, so have an account with them as well (Verizon.net), that I don't use. I noticed he had added himself to that account as well. I posted my issue on their MSN Forum. Wasn't long before I heard from them (some guy in Renton) and they were taking things private. I did find out the guy was in Uganda (I think it was). I am still with MSN, but having some other issues with them and may go to Yahoo seeing as how Verizon bought them.

Personally identifiable information..
Oct 2, 2016 8:06PM PDT

Just quit using personally identifiable information in your email account and keep folders empty of such information, and it won't be so damaging when it gets breached. Making a habit of changing your passwords every chance you get, just because - isn't a bad idea either. My friends had so much trouble with Yahoo, that I made a habit of changing the passwords every six months, or even more often, and never sent anything to my inbox that wasn't already encrypted - so I'm not really that worried about this breach - but then I could see it coming from way up on the horizon too.

Yahoo hacked accounts
Sep 30, 2016 6:29PM PDT

Changing your log-in is a good idea, but I think an even better one would be to NEVER do business through an email link, in Yahoo or any other email service. If you bank or pay bills online, don't ever go through any reminders or links through Yahoo or other. Always use a secure site to log into anything important -- never use mail links. The best any Yahoo hacker is going to get from my Yahoo email account is a whole bunch of recipes, junk emails and email arguments with my relatives -- and I keep it that way.

Similar thing
Sep 30, 2016 6:32PM PDT

I have been fortunate that I do not have a Yahoo account; however, I get emails regularly from Google saying that they have blocked my account from being hacked. It is so secure now that even I cannot get into it, and trying to get in touch with them is nigh on impossible.

In my case they have updated the system and added "another level of security", but this other level of security asks me for my flyby card number or some such thing, which I don't have, and no matter what I try to do to resolve this issue I am taken back to this same login procedure, so I really have no idea whether my account is an open book for every hacker or not.

I have tried to make contact by putting comments at the bottom of the Q&A section but the problem still persists, so it's goodbye Google.

Had to change my password again, two years later
Sep 30, 2016 7:16PM PDT

It was back in June of 2014 when I got a message from Yahoo to let me know that I had to change the password to my account because it was compromised. Then the news of compromised Yahoo accounts just came out; I had to change it again a few days ago. I also had to delete my secret question and answer not too long ago. So was I worried about it? Yes. I was lucky enough to fully secure it. Now we'll have to see what happens next with this situation.

I Was a Security Person for the Government
Sep 30, 2016 7:48PM PDT

Well, working in security, I've had to go to a lot of conferences and demos on security. Maybe you being "hacked" on Yahoo may not be much of a big deal as far as Yahoo goes, but you don't know who is paying attention to all of the things people can find out about you from the one hack:
1) They have at least ONE of your user IDs. Do you use the same ID somewhere else?
2) They have ONE of your passwords. Do you use that somewhere else as well?
3) They now know your mother's maiden name, the street where you lived and anything else you answered honestly in the security questions. Once again, did you use any of that same data elsewhere?
4) They have your phone number and real address?
5) By reading your mail on Yahoo, they may have what financial organizations you deal with: banks, credit cards. If they try to access your accounts on those services, do they have enough information to get into the accounts? What can they do there? How about changing your BILLING address for a credit card so they can have stuff shipped?
So, what would I do? I'd not only change my userID and password on Yahoo, but I'd also change them EVERYWHERE. (Yes, a pain but my credit card was recently hacked and even the financial organization couldn't protect me by locking my account).
From the security standpoint, I've seen a lot of horrors. Websites that keep your information including the password stored in plain text. It all needs to be encrypted, preferably using one-way encryption. (If they can send you an email with your password in it, something is VERY wrong). I mean, technically, none of this information could have gotten out if Yahoo had some real IT professionals working for them; or some managers who cared about security. Think about companies who store their customer data somewhere on Yahoo...
I'd strongly suggest trying to figure out if you used the same user ID, password or security questions on other websites, and make sure that you change all that as quickly as you can and check for any wrongdoing on those accounts at the same time.

Some advice regarding security questions
Sep 30, 2016 9:20PM PDT

Although I've not read through all of the comments, I'll add one suggestion for better security, & this pertains to security questions. Far too much information on the average person is available online these days. Many people freely share personal details about themselves on social media & therefore it's often not too difficult to glean the sort of information one might use for security questions from their online presence. It's best to use entirely fabricated answers to security questions &, for even stronger security, never use the same fabricated answer to the same security question on multiple sites. If you use "What is your mother's maiden name?" as a security question on 2 different online accounts, use a different fake name on each account. This way, if one account is hacked & the answers to your security questions are compromised, the hacker cannot then use these answers to gain access to another online account using these same security questions. Furthermore, if your personal details are out there on the internet, they will be of no use to hackers when guessing answers to your security questions. Lastly, always use 2 factor authentication when available, & use an app such as Google Authenticator to generate authentication codes instead of SMS, if possible - The National Institute of Standards and Technology no longer recommends SMS based two-factor authentication systems.

So where do they send the code?
Oct 2, 2016 8:15PM PDT

Chances are, that information is also in the Yahoo account - if it is sent to a phone, then the crooks have your phone number too. I prefer junk email accounts that are easy to throw away, and then point to a new one after locking down the Yahoo account - I don't like changing my phone number or getting another phone.

I Thought of That Too, But..
Oct 3, 2016 1:23PM PDT

You have to ask yourself about the pros and cons. If you give them your cell phone number for two-factor identification and then someone hacks Yahoo, maybe they will have your phone number. Is there a way for anyone to make money using that information? I can't think of any. Maybe they can sell the information, but you wind up giving people your cell phone number anyway. Right? If I was one of your friends or relatives, would you give me your number? I'd put it on my computer in my contact list. Then, if I get malware or someone hacks into my computer, all of the contacts are hacked. The same goes for any company! Let's take an example: you have Anthem medical insurance. How much information do they have about you? They've been violated twice. And what about storing stuff on Google? They don't perform background checks on their world-wide employee base (same with others, I guess).

Fake security answers?
Oct 3, 2016 7:50PM PDT

That makes no sense... Why would you use fake security answers? The entire idea of the security questions is to allow you access back into the system again should something happen, such as your password is lost or forgotten. By using "fake information", you are only making it harder in those events to recover your account.

I wish instead of having specific questions, you could enter the questions yourself, instead. Instead of your mother's maiden name, how about the maiden name of the best friend's mother you had at the age of 7? Instead of the street you grew up on, how about the street your dentist was on when you went to college? Favorite number... best place to get pancakes... Your first pet's favorite chew toy...

You choose the questions - someone would have to troll through all your social media and HOPE to find that kind of information...

But giving fake information? That leads to more problems than using the same passwords across sites!

"Oh; rats... what did I use for my mother's maiden name here... was it my favorite rock band? My friend's favorite socks?...."
Then if it's breached anyway, they get the answers you used and can change them...

Another nicety would be if you had to answer, say, two or three security questions before it would let you change them... or see the answers...

But don't tell people to use different security answers on different sites...