Yahoo account compromised -- now what?

I'd just demote your current account from handling money business. You can use it for communicating with friends, getting sale emails from your favorite vendors/stores, and other general correspondence.

But for business and sensitive communications, I'd create a new email account for receiving banking information, account statements, receipts and other financial and personal matters. And since Yahoo! has already been hacked, I'd venture to say that would be a pretty good place to park it. Just set the new account up separately from your current Yahoo! email account -- and never link it to your existing one -- and you should be pretty safe.

This is a good time to compartmentalize your email correspondence. To offer an example, I have a separate business account which I share with clients, vendors and good prospects. I use a Yahoo! account too, for personal correspondence and personal business matters. And I have a third email with a different service that I share with those who force me to give them an email address for promotional offers and other assorted come-ons. If I give you that email address, I never want to hear from you again.

Take this as an opportunity to subdivide your email correspondence, and you can make your communications more secure than they were before. Good luck.

A little over a year ago I realized my yahoo mail was being tracked by someone else in New Jersey. Fortunately that was the only access they had. I reset my password but apparently they tracked that and continued to access my yahoo email. I dropped my account, started using a different server, and switched my browser. The latter was probably not necessary. I have not had a problem since.

...that Yahoo was hacked or that it took them TWO YEARS to notice (or at least come clean).

I still had a Yahoo account hanging around until this debacle but this is the last resort - it is no more! I'd originally had it as a throwaway account, not obviously traceable to me and never used fir any financial or other confidential stuff. I changed the password periodically but always to something unrelated to anything else I do.

Now it's being sold to Verizon, primarily for its directed ads capability, unless they are now worried by the hack. How much attention do you think they will give to the email service?

Time to say goodbye, I think, as I have done.

I believe this happened in 2014 so now it's late news. I decided to keep on going with them because I had my account with them for a long time. My biggest concern is that it took so long for this to be reported. I think I knew it was going on because they kept making me change my password. Here is where I just basically hold up and say I have done what I can to stay safe. I have had my credit cards stolen, I had my phone number used fraudulently, I have had my health records stolen, and as far as I can tell it had nothing to do with my email accounts. I have had my ISP given email account used fraudulently and no the ISP company never told me or admitted that they had been hacked. Fraudulently using someone's identity is a crime on the books and you can report this stuff to the government but if they do nothing about it and you use the service and no one is being prosecuted for it does that makes it a victimless crime?? Is just buying insurance coverage to help when it happens even more pointless. Now the government and business are making money off it so is there even a will to stop it??

It is good to know HOW to change your passwords.
Check "show" and see your NEW password,
"copy" it and paste in the 2nd "repeat".
I have 30 yahoo accounts, easy to copy and paste the same 12 digits
for these accounts to change.
Yahoo has the easier File/Folder system to save items, as the Folders
do not revert back to the top of the Folders everytime like G-mail.
Yet, I have 30 gmail accounts, to keep the "junk" separate from retailers and stores I rarely visit, to career ideas and magazines.
I receive ALL my Bills and statements on 1 gmail account,
so far very little "junk" received on that one. Use a simple reference,
like your initials and "-stmnts" for the "email" address, without the hyphen,
i.e., "cnetStmnts @ gmail ". works great.

as well.

From this CNET article:
https://www.cnet.com/how-to/how-to-find-out-if-you-are-at-risk-in-yahoo-hack/

Ask yourself, 'Did I use this password somewhere else?'

It's a common habit. Use the same password for lots of different accounts. If this breach has anything to teach you, it's that this is a terrible idea.

If you recycled your Yahoo password on a different account, go change your password on that account too. The hackers who have your password could easily try it on a whole bunch of different websites -- think bank websites or health insurance websites -- to try to access information beyond your Yahoo account.

Don't let them.

Use 2 factor authentication; Yahoo offers this. For those unfamiliar, here's how it works:. You log in with your normal password, Yahoo sends you a text message to your phone with a number. You enter that number on Yahoo. You're then authenticated fully.

Hello, Evelyn;

I'd like to start out by stating that I've been in IT for years, and have dealt with and assisted with resetting or recovery passwords of various accounts for over a decade.

So I see the debacle with Yahoo, and wonder... what were they thinking? They should have let people know as soon as possible, so that they could mitigate the potential damage of their user base.

But they didn't.

And now you and a lot of other people are "paying the price" so to speak.

But here's two different viewpoints....

FIRST:
Yes, it took them two years to report to the public that this breach had occurred. However you may have noticed that, despite this, there were not a lot of people who reported a problem. If everyone took their accounts, changed their passwords IMMEDIATELY to a secure, new password, something completely different from any other password they have, there may be no danger to their account at all.

Following that change, look at what is sent to the account... what information you share with it, what details someone might have garnered from going through (and copying) that information. Did you ever reset a bank account password? Do you have a Paypal account linked with it? eBay? Make a list of those accounts, and change THOSE passwords as well.

The SECOND view is:
It took them two years to let you know? Get rid of the account and stop using their service!

...but there's a problem with this perspective... you lose it all.

If you do have accounts linked with the Yahoo account, you may not be able to recover those accounts in the future, because your Yahoo account ceased to be...
You may lose contacts, because this is the only account they knew to reach you at.
You may have someone out there with a copy of everything that was in your account to the day you delete it... what do they have?
The long-lived account would be gone...

You would lose the ability to fight for your own identity. The longer-lasting account would prove you were you. (And that can actually mean a lot in some cases.)

No... you should go with the first option.

Change the password....
Change other account passwords, security questions, etc. that may have been captured.
Check the trash - look for items you didn't delete that were deleted.
Watch the account for a year, looking for accounts you may have missed.

You could start to change to another email account, such as with Microsoft, GMAIL, or some other freely available account; but not only would that take time, but to what end? Those accounts are, after all, just as vulnerable.

When you have a house, you can lock the windows... but it won't stop a thief from smashing them. You can change to more secure windows, double-locked door, block glass in the basement... even alarm systems... but there will be thieves that learn how to get around those systems. You can't stop them.

So pay attention... Go through, and be watchful. Vigilant.

Don't let them control you... scare you...

It took two years for you to find out the account may have been compromised - just as it might take two years to find out someone smashed in the attic window and got in through the crawl space... So you refortify, and prevent it happening again. Don't share account passwords (which is the most common way multiple accounts are hacked), don't link all your accounts together, and don't click on the spam messages... (They load, and your browser betrays you and lets them know it's an active account... then you get more spam.)

But don't let them scare you into doing anything more than preventing them from doing the same thing twice.

Change those passwords... don't change your life for them.

And don't forget to smile. You're never fully dressed without one.

It's simply inexcusable in this day and age to accept this kind of response from Yahoo and recently Dropbox. The breach happened many years ago. If for the sake of argument they were not aware of the breach until recently, why were there not safeguards in place? Again, I don't buy their lame excuses and the public should not either. However, as we can see, most people don't care much about their privacy and continue to Yahoo and Dropbox. If they stopped then this would send a clear message to these companies and others as well to take privacy and security breaches seriously.

As far as safeguarding your account by changing your password, well, I suggest it wouldn't hurt. As the breach happened many years ago, if your account was not compromised since then, you are fine.

Some very good suggestions previous to my post, I would just add a couple of other observations. I've used yahoo mail for about 18 years and over the last year, as they've been on the market, I've been migrating to a new mail service, basically a domain that I own, parked with GoDaddy, that offers free email service. My advice (again, some redundant):
1. Change passwords on all sites you've used this password. If you're on nearly one hundred sites, like me, consider having at least 3 tiers of passwords, one for web catalogs and 'junk' sites so the site will remember your profile, one for vendor sites that you may have saved credit card information for quick purchases, and one for banking and other financial institutions. Within these 3 levels of passwords, keep alpha or numeric sequences that you can change.
2. Get a good mail client and keep you mail on your system. Don't keep you email on a vendor's server, like Yahoo, Google, etc. Use a mail client like Mozilla Thunderbird and move all mail from you inbox to local folders. Invest in a second hard drive and use RAID-1 (mirroring) technology, via hardware or software, to ensure the security of your mail. Back it up frequently.
3. As mentioned, use 2 levels of authentication, whenever available, and certainly for financial sites.
4. Don't trust somebody's "cloud" (sounds a bit porous, eh?) to store your passwords, even if they're encrypted. Your passwords are encrypted and they can be broken, so can encrypted passwords kept online. Don't keep any personal information in Clouds, for same reason. If it's a movie or a MP3 album, no problem, the vendor has a list of media you "own" and they can stream it to you from the cloud. If it's personal, don't trust it anywhere but your own computer.
5. You'll end up with at least 2 dozen passwords for dozens more sites. Keep a text copy encrypted on your home system with the URLs and passcodes for all our favorite sites. Keep an encrypted copy of said file on an encrypted thumb drive as a backup.
6. Backup, backup, backup. As mentioned, invest in mirrored drives for your documents and email. You can change the path in Windows for the libraries (My Documents, My Pictures, My Music, etc.) to point to your mirrored drive set. Back up this drive to an external USB drive and keep a second USB drive that's a copy of that at a friend's house, in case of fire. Seagate 4TB drives run around $120 and there are several other brands.
7. I'll say it again, don't leave anything in your email server's inbox. Download it to your own system and delete it from your inbox. There's a wealth of personal information that can be gleaned from someone perusing your online inbox.
There are several other security precautions that I can't think of off-hand, but try to remember everywhere you've left security validation info, like your mother's maiden name, and change it on all sites.
Good luck, Lorin Boyack - lorin@favoo.com (was jex40@yahoo.com)

The latest email from them, and in their security updates, suggest you delete your security questions all together. Rather strange with no explanation as to why, but perhaps with two way authentication using cell phone codes it is no longer needed or suggested?

If you have cahnged your password and security questions, that is about all you can do. As for the contact list, this was done in 2014, in most cases they would be spamming your contacts and they would think it was you. You would have known as someobody would have asked. If you like Yahoo then stay with them. I have MSN and my account has been hacked. First time was my fault as i got sloppy. Not the second time. This guy not only hacked into my MSN account and added his name ( an alias ), but I get my service from Verizon, so have an account with them as well ( Verizon.net ), that I don't use. I noticed he had added himself to that account as well. I posted my issue on their MSN Forum. Wasn't long before I heard from them ( some guy in Renton ) and they were taking things Private. I did find out the guy was in Uganda ( I think it was ).I am still with MSN, but having some other issues with them and may go to Yahoo seeing as how Verizon bought them.

Changing your log-in is a good idea, but I think an even better one would be to NEVER do business through an email link, in Yahoo or any other email service. If you bank or pay bills on line, don't ever go through any reminders or links through Yahoo or other. Always use a secure site to log into anything important -- never use mail links. The best any Yahoo hacker is going to get from my yahoo email account is a whole bunch of recipes, junk emails and email arguments with my relatives -- and I keep it that way.

I have been fortunate that I do not have a yahoo account however I get emails regularly from google saying that they have blocked my account from being hacked, it is so secure now that even I cannot get into it, and trying to get in touch with them is nigh on impossible.

In my case they have updated the system and added "another level of security" but this other level of security asks me for my flyby card number or some such thing but I don't have one and no matter what I try to do or resolve this issue I am taken back to this same login procedure, so I really have no idea whether my account is a open book for every hacker or not.

I have tried to make contact by putting comments on the bottom of the q&a section but the problem still persists.- so it's goodbye google

It was back in June of 2014 when I got a message from Yahoo to let me know that I had to change the password to my account because it was compromised. Then the news of compromised Yahoo accounts just came out; I had to change it again a few days ago. I also had to delete my secret question and answer not too long ago. So was I worried about it? Yes. I was lucky enough to fully secure it. Now we'll have to see what happens next with this situation.

Well, working in security, I've had to go to a lot of conferences and demos on security. Maybe you being "hacked" on Yahoo may not be much of a big deal as far as Yahoo goes, but you don't know who is paying attention to all of the things people can find out about you from the one hack:
1) They have at least ONE of your user ID's. Do you use the same ID somewhere else?
2) They have ONE of your passwords. Use that somewhere else as well?
3) They now know your mother's maiden name, the street where you lived and anything else you answered honestly in the security questions. Once again, did you use any of that same data elsewhere?
4) They have your phone number and real address?
5) By reading your mail on Yahoo, they may have what financial organizations you deal with: banks, credit cards. If they try to access your accounts on those services, do they have enough information to get into the accounts? What can they do there? How about changing your BILLING address for a credit card so they can have stuff shipped?
So, what would I do? I'd not only change my userID and password on Yahoo, but I'd also change them EVERYWHERE. (Yes, a pain but my credit card was recently hacked and even the financial organization couldn't protect me by locking my account).
From the security standpoint, I've seen a lot of horrors. Websites that keep your information including the password stored in plain text. It all needs to be encrypted, preferably using one-way encryption. (If they can send you an email with your password in it, something is VERY wrong). I mean, technically, none of this information could have gotten out if Yahoo had some real IT professionals working for them; or some managers who cared about security. Think about companies who store their customer data somewhere on Yahoo...
I'd strongly suggest trying to figure out if you used the same user ID, password or security questions on other websites and make sure that you change all that as quickly as you can and, check for any wrong-doing on those accounts at the same time.

Although I've not read through all of the comments, I'll add one suggestion for better security, & this pertains to security questions. Far too much information on the average person is available online these days. Many people freely share personal details about themselves on social media & therefore it's often not too difficult to gleen the sort of information one might use for security questions from their online presence. It's best to use entirely fabricated answers to security questions &, for even stronger security, never use the same fabricated answer to the same security question on multiple sites. If you use "What is your mother's maiden name?" as a security question on 2 different online accounts, use a different fake name on each account. This way, if one account is hacked & the answer to your security questions are compromised, the hacker cannot then use these answers to gain access to another online account using these same security questions. Furthermore, if your personal details are out there on the internet, they will be of no use to hackers when guessing answers to your security questions. Lastly, always use 2 factor authentication when available, & use an app such as Google Authenticator to generate authentication codes instead of SMS, if possible - The National Institute of Standards and Technology no longer recommends SMS based two-factor authentication systems.