At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We recently confirmed that an older file containing approximately 450,000 email addresses and passwords was compromised. The compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!. (Associated Content is now the Yahoo! Contributor Network.) This compromised file was a standalone file that was not used to grant access to Yahoo! systems and services.
What steps is Yahoo! taking right now to mitigate the event and ensure it does not happen again?
We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. Yahoo! users whose email addresses were contained in the compromised file – even if the posted password was not correct – will be prompted at login to authenticate their accounts and change their passwords prior to gaining access to their accounts. In addition, we will continue to take significant measures to protect our users and their data.
Is notice being provided to the users of the affected accounts?
Yes, we are providing notice both indirectly and directly. We have published the following blog and are in the process of notifying potentially affected users.
How do I know if my account was compromised?
If you joined Associated Content prior to May 2010 your email address and password that you used to sign up may appear in the file posted online. Users who have not signed up for Associated Content (now Yahoo! Contributor Network) are not affected by this.
I think my account was compromised. What should I do?
If you joined Associated Content prior to May 2010 using a Yahoo! email address, please log in to change your password at: https://edit.yahoo.com/config/change_pw . If you are a non-Yahoo! email account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.
What do you recommend Yahoo! users do to protect themselves online?
With respect to your Yahoo! account, we suggest that you proactively monitor the activity on your account. Be on the lookout for spam that originates from your Yahoo! email, and check your sign-in activity from time to time at https://api.login.yahoo.com/login/history. If you see anything suspicious – like your account was accessed in Romania when you were home in Chicago – you should change your password immediately.
You can also take additional steps to safeguard your Yahoo! account by:
- Adding a mobile phone number to your Yahoo! account,
- Adding a non-Yahoo email address to your Yahoo! account, and
- Keeping your Secret Question & Answer up-to-date.
Updating this information is important, because we use will it to protect your account if we suspect malicious login activity or if you need to recover your password.
Please also be suspicious of emails that prompt you with links and say you must update Yahoo! account information. Yahoo! will never ask you to provide your password or security safeguards like your Secret Question & Answer via email.
Additionally, given the high frequency of consumers using the same login information on service across the Internet, we strongly advise users to change their passwords every few months. We also recommend that users do not use the same password for multiple services across the Internet and that a password with a mixture of characters, symbols, and numbers is used.