Information from at least 500 million user accounts was stolen from the Yahoo network in late 2014, the company said Thursday.
The account information included names, email addresses, telephone numbers, dates of birth, some passwords and, in some cases, encrypted or unencrypted security questions and answers.
The stolen information didn’t include unprotected passwords, payment card data, or bank account information, which is stored in a different system, Yahoo said.
The company is notifying potentially affected users and is asking them to change their passwords. It has invalidated unencrypted security questions and answers so that they can’t be used to access an account.
Yahoo also recommends users review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.
The company advises users to avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.
Mike Litt, consumer program advocate at U.S. PIRG, said the announcement two years after the fact raises troubling questions about how the breach was able to take place, especially after a breach of 450,000 of its accounts in 2012.
Litt said the information stolen in this breach could be used to “phish” or gather additional information that can be used to access existing credit accounts or create new credit accounts.
“It is imperative that Yahoo’s response to this breach not fall through the cracks as its acquisition by Verizon Communications is finalized,” he said.
In addition to changing passwords and being on the lookout for suspicious activity on other online accounts, Yahoo should also alert its users to the benefits of credit freezes and offer to pay for credit freezes with all three major national credit bureaus, Litt said.
“Such a response would be the most consumer friendly response to a major data breach and would be a huge advancement for identity theft prevention in our country,” he said.
Consumers can prevent identity thieves from opening new credit accounts in their names by placing freezes on their credit accounts. Credit freezes help prevent new account identity theft because they keep potential creditors from seeing consumer credit history, without which new accounts are typically not opened.
For more information, see “Why You Should Get Security Freezes Before Your Information Is Stolen.”