Yahoo Data Breach - What Happened, What To Do Next and How To Protect Yourself

Yahoo reported last Thursday that at least 500 million user accounts were affected by a massive data breach. The hack happened in 2014, when hackers stole account information, including names, emails, passwords, telephone numbers and answers to some security questions, from Yahoo servers.

According to reports, in July Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale wasn't legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.” 

The claim of a state-sponsored attack may be based solely on the timing of the attack, 2014. In 2014, several alleged China-sponsored intrusions occurred, Anthem and OPM for example, stealing millions of recorded identities. Also, claiming a highly sophisticated state-sponsored attack helps alleviate some corporate security management responsibility. Schneider Downs has doubts as to the state-sponsored origins of the attack, in that organized crime, not nations, offers stolen data for sale over the Internet.

In a proxy filing related to the Yahoo-Verizon deal on Sept. 9, Yahoo said it wasn't aware of any “security breaches” or “loss, theft, unauthorized access or acquisition” of user data.  The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected.

What should you do if you have a Yahoo account?

First, you'll want to change your password immediately. 

Second, all Yahoo account holders should also change their security questions and answers.

Third, take some overall security precautions when it comes to Internet accounts:

  1. Never use the same password twice on the same type of accounts
    1. Use different passwords
    2. Make social media passwords different from banking passwords
  2. Pick better passwords
    1. Password phrases are longer and easier to remember
    2. Utilize a capital letter, number and special character (@, !, #) when possible
  3. Better yet, use a password manager - Password manager software creates, stores and organizes all your passwords for your computers, websites, applications and networks, letting you use a complex, different password for each site without having to remember them. Password managers generate passwords and double as a form-filler, entering your username and password automatically into login forms on websites. So, if you want super-secure passwords for your multiple online accounts but do not want to memorize them all, a password manager is the way to go. Some leaders are:
    1. LastPass Password Manager 
    2. Keeper Password Manager (has self-destruct feature)
    3. Dashlane Password Manager (cloud based with auto password changer)
    4. LogMeOnce Password Manager (Good Mac Product – Mug Shot Feature)
    5. KeePass Password Manager (Open Source – local stored)
  4. Update those security questions
    1. Use different security questions for different sites.
    2. Try not to use well known facts (like your high school mascot).
    3. Try not to use information that can be determined by Facebook, Twitter or other social media accounts.
  5. Turn on two-factor authentication
    1. Where possible, have a code texted to your phone as an additional authenticator.
    2. A second option would be to use an authenticator tool like Google Authenticator or an RSA token.
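
The password advice in the list above (a different password per account, passphrases, a capital letter, number and special character) can be sketched as code. This is an added example, not part of the original article and not how any of the listed products work; the word list, function names and separator are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the block runs offline. A real diceware
# list is far larger (the EFF long list has 7,776 words, ~12.9 bits per word).
WORDS = ("anchor bakery candle dragon ember falcon garden harbor island jungle "
         "kettle lantern meadow nectar orchid pepper quartz ribbon saddle timber "
         "umpire velvet walnut yonder zipper breeze copper dinner fabric goblet "
         "hammer ivory").split()
SYMBOLS = "@!#"  # the special characters the article suggests


def make_passphrase(n_words=5, words=WORDS):
    """Random words (first one capitalized) joined by '-', plus digit and symbol."""
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    picked = [secrets.choice(words) for _ in range(n_words)]
    picked[0] = picked[0].capitalize()
    return "-".join(picked) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def entropy_bits(n_words, list_size):
    """Entropy contributed by the random choices only (words, digit, symbol)."""
    return n_words * math.log2(list_size) + math.log2(10) + math.log2(len(SYMBOLS))


def passphrases_for(accounts, n_words=5):
    """Issue one passphrase per account and never hand out the same one twice."""
    issued = {}
    for name in accounts:
        phrase = make_passphrase(n_words)
        while phrase in issued.values():  # regenerate on the rare collision
            phrase = make_passphrase(n_words)
        issued[name] = phrase
    return issued


if __name__ == "__main__":
    for account, phrase in passphrases_for(["email", "banking", "social"]).items():
        print(f"{account:8} {phrase}")
    print(f"sample list:     {entropy_bits(5, len(WORDS)):.1f} bits")
    print(f"7,776-word list: {entropy_bits(5, 7776):.1f} bits")
```

With the 32-word sample list a five-word passphrase carries only about 30 bits; the same construction over a 7,776-word list reaches about 69.5 bits, which is why the size of the word list matters more than the added digit and symbol.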

As always, contact Schneider Downs if you have more specific or detailed questions about IT Security or securing your personal information online. 


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
