Yahoo now claims ALL of their email accounts were hacked. So, Now What?


TechViews News

Yahoo, the internet company that was acquired by Verizon this year, now believes the total number of accounts compromised in the August 2013 data breach, which was disclosed in December last year, was not 1 billion—it’s 3 Billion. Yes, the record-breaking Yahoo data breach affected *every user* on its service at the time.

Late last year, Yahoo revealed the company had suffered a massive data breach in August 2013, which affected 1 billion user accounts. The 2013 hack exposed user account information, including names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and, in some cases, “encrypted or unencrypted security questions and answers,” Yahoo said in 2016.

Verizon acquired the core internet operations of Yahoo! for $4.5 billion, $250 million less than the original offer, due to the hacks. Despite the additional disclosure, Verizon said it was still committed to Yahoo!, as well as keeping the safety and security of its users as a top priority.

Oath, the Verizon subsidiary into which Yahoo was merged, made the announcement in a filing with the SEC on Tuesday, which reads:

“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”

The statement clearly suggests that if you had an account on Yahoo in 2013, you were affected by the data breach.

Now, think about that number. That’s 3 billion passwords. There weren’t 3 billion people on the internet in 2013, but there were that many Yahoo accounts because some people had several Yahoo accounts at the time. But, roughly, because Yahoo was so huge, basically everyone had a Yahoo account at some point (just like basically everyone had a Google account at some point). And somewhere, there’s a database with all those usernames and passwords.

That means a hacker can take an email address and a password pair and run it against all the popular sites on the internet. Facebook. Google. Ebay. Amazon. PayPal.

Did you use an old password when you created an account on any of those sites? Did you think that hackers won’t target you? News flash: Malicious hackers, except in some very specific cases, don’t care who you are. They’re not targeting you, personally. They have scripts that go through millions of usernames and passwords, and try them against hundreds of sites. If an old password works, boom: They got something of value.
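
A defender's view of the scripted login attempts described above, as an added example that is not part of the original article: it flags a source address that tries many different usernames, with mostly failed logins, inside a short window. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_USERS = 5                    # distinct usernames from one source within the window
MIN_FAIL_RATIO = 0.8             # stuffing runs mostly fail; shared office IPs mostly succeed

def parse(line):
    """Parse 'ISO-time source-ip username OK|FAIL' (a constructed log format)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"

def find_stuffing_sources(lines):
    """Return {ip: (distinct_users, fail_ratio)} for sources that look like credential stuffing."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the start forward so the span never exceeds WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            recent = events[start:end + 1]
            users = {u for _, u, _ in recent}
            fail_ratio = sum(not ok for _, _, ok in recent) / len(recent)
            if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
                flagged[ip] = (len(users), round(fail_ratio, 2))
                break
    return flagged

# Constructed sample data: documentation-range IPs and example.com accounts
SAMPLE = (
    # one source, six different accounts, one attempt each, a single reused password works
    [f"2017-10-04T09:00:0{i} 203.0.113.7 user{i}@example.com {'OK' if i == 2 else 'FAIL'}" for i in range(6)]
    # shared office address: many users, but their logins succeed
    + [f"2017-10-04T09:01:0{i} 198.51.100.20 staff{i}@example.com OK" for i in range(6)]
    # one person mistyping their own password: many failures, one username
    + [f"2017-10-04T09:02:0{i} 192.0.2.55 carol@example.com FAIL" for i in range(6)]
)

if __name__ == "__main__":
    for ip, (users, ratio) in find_stuffing_sources(SAMPLE).items():
        print(f"{ip}: {users} distinct usernames, {ratio:.0%} failed")
```

Counting distinct usernames rather than raw failures is what separates this pattern from a single user retrying a forgotten password, and the failure ratio keeps a busy shared address from being flagged.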

I get it. Maybe you were in a hurry to buy that new Kindle for Christmas, and you just needed an account, fast. Perhaps you meant to change the password later, but never did. Or maybe you’re one of those people who simply cannot remember more than one or two passwords and won’t be bothered with a password manager.

Well, if you had a Yahoo account in 2013, or even before that, and you’re still using that old password, you’re putting yourself at serious risk. You could lose personal data, your reputation, or even your money.

So for whatever reason you did not change your password last year after the disclosure of this massive breach, you should now change your passwords immediately and enable two-factor authentication.

Also, if you are using the same password and answers to security questions somewhere else, change them too.

Deleting your Yahoo account may not be a good option, because Yahoo recycles deleted accounts after 30 days, which would allow anyone to hijack it. So, even if you don’t want to use your Yahoo account, just enable 2FA and leave it.

Nothing can fully protect you from a hack. A site you’re using might get hacked and your personal data can be stolen, and there’s nothing you can do about that. But you can at least make sure the same people can’t use that data to log in to all your other sites.

Think of good password practices like brushing your teeth. It’s not something you really want to do twice every day, but you know you have to, or there will be consequences. So you simply get out of bed every morning and do it, no questions asked. The next time you need to think of a new password, and you really, really don’t want to, suck it up. Install a password manager. Follow the steps. Create a fresh, safe password.

If you don’t, somewhere down the line, there will be consequences.

Be Safe – Backup Your Data Regularly!





  1. Thank you for the info. Can you please expand a bit more on why deleting a Yahoo account can be an issue? Not exactly sure on how account recycling can be a problem. I have a couple of active Yahoo accounts I want to get rid of.


    1. Generally it has to do with legal actions if your log-on credentials were compromised, and then used by someone else via an online crime. Until the matter is straightened out, you could be the focus of an investigation you had nothing to do with. Or, if you have created an address/account from a recycled address, and the authorities are still looking for the original criminal, then you could be caught in the middle of an unnecessary mess. You could conceivably have to go through costly legal channels to verify that you are not the original user. For the time being, a Yahoo email account is rather toxic.

      The best policy is to change your Yahoo log-in to an extra-strong password (20+ characters), then set it for two-factor-authentication. Then don’t even think about logging in for at least a year. If you DO log-in then that account will then have a new time stamp of activity. Just leave it alone. That gives you some insulation if someone else tries to get in. If all is well after that time, then shut the account down. At some point in time it could be recycled, but enough time has passed that its reuse should not affect you.

