In December 2016, Yahoo announced a massive data breach, affecting 1 billion user accounts. But, it turns out, the breach was much larger than Yahoo admitted.
On October 3, 2017, Yahoo’s new owner, Verizon, announced that the 2013 Yahoo breach was three times larger than previously reported, affecting all 3 billion of Yahoo’s users. Verizon’s announcement carries extra weight because it operates a well-known data breach investigation unit that publishes an annual report on data breach trends, the Verizon Data Breach Investigations Report (DBIR).
The same week, Equifax announced that its data breach affected an additional 2.5 million Americans, on top of the 143 million previously reported. Equifax’s data breach website may have already told these 2.5 million individuals that their information was not impacted. Equifax says, “To minimize confusion, Equifax will mail written notices to all of the additional potentially impacted U.S. consumers…” The other 143 million Americans whose Social Security numbers, names, and birthdates were taken will not receive written notice, according to Equifax.
The Yahoo and Equifax revelations call into question whether consumers can ever trust a company’s initial announcement that a breach affected only a limited set of people. Other companies have also revised their breach announcements. In the 2012 LinkedIn breach, the company initially announced that 6.5 million users’ accounts were compromised. Four years later, LinkedIn revealed that the breach was nearly 20 times larger, affecting 117 million users’ accounts.
Cybersecurity researcher Brian Krebs says that for every breach, regardless of what the announcement says: “Assume you’re compromised, and take steps accordingly.”
But what are the appropriate steps? Cybersecurity writer Joseph Cox says: “If a company you have an account with admits that hackers have managed to grab a ‘selection’ of usernames, passwords, and email addresses—even if you haven’t been explicitly told your account was pinched—you may want to change your password, especially if you use the same one on other websites.” Information on how to change your Yahoo password can be found here.
You may also have other email or online accounts that have been compromised in past breaches. On the website “have i been pwned?,” which in this context means “have I been hacked?,” you can enter your email address or your online usernames to learn if they have been involved in any past data breaches. You can also sign up to receive alerts when a new breach occurs affecting your email address.
For hacks of “more personal information like that in the Equifax dump,” Joseph Cox writes, “taking steps to mitigate fraud or theft would probably be wise, even if the hacked firm hasn’t sent you a direct communication.”
For the Equifax breach, the Federal Trade Commission recommends that you:
- Regularly check your credit reports, which are available for free here.
- Place a fraud alert on your credit files, which you can do by contacting any of the major credit bureaus (Equifax, Experian, TransUnion).
- Consider placing a credit freeze on your credit files, which makes it harder for someone to open new lines of credit in your name.
- Monitor existing credit and bank accounts for unauthorized charges.
- File your taxes early, to avoid attempts by fraudsters to steal your tax rebate.