For the third time in less than six months, Yahoo is warning users that their email accounts may have been hacked.
In December the Internet giant confirmed that a data breach back in 2013 had put a billion users' accounts at risk. The company also said at the time that the incident was believed to be completely separate from the hack Yahoo reported in September, which involved 500 million accounts.
Details about Yahoo's new data breach
Now, Yahoo is notifying users that their accounts may have been hacked sometime between 2015 and 2016, but the company did not say how many people may have been affected.
"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson told Clark.com in an email.
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."
According to a source familiar with the case, the security investigations are in their final stages and the company has notifified a "reasonably final list of users" -- which means many, but not all, victims of the breach have been notified.
What information was exposed in the hack?
Pretty much any and everything associated with your Yahoo email account could have been stolen by hackers.
According to Yahoo, the stolen account information may have included:
- Email addresses
- Telephone numbers
- Dates of birth
- Hashed passwords
- Encrypted or unencrypted security questions and answers
Yahoo says the investigation has found no evidence that passwords in clear text, payment card data or bank account account information were included in the stolen data.
If all this sounds a little familiar, that's probably because we've heard it all before -- it just keeps happening.
Yahoo first mentioned "forged cookies" when it announced the massive hack back in December: "Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies."
That basically means criminals were able to hack the company's proprietary code in order to gain access to users' accounts without even having a password.
Yahoo says the forged cookies have been "invalidated" and cannot be used again, but that doesn't help users who may have already been affected by malicious activity carried out through these hacks.
How to protect yourself
Although Yahoo says their investigation shows no indication that bank account or credit card information was stolen, criminals could easily use something else they found about you through your email account to gain access to other accounts that contain personal, sensitive information.
If you have a Yahoo account, you need to change your password immediately, regardless of whether or not you have received the notification email from Yahoo.
If you have used any password ever associated with your Yahoo account with any other account, you need to also change the passwords on those accounts immediately.
As a general rule of thumb, if you receive an email you weren't expecting, do not click on any links inside the email. Even if you are expecting an order confirmation or package to be delivered, do not click on any links in an email notification. Go to the company's website directly to get any delivery or order information.
Here are some more tips to help you protect yourself from online scammers:
- Be wary of unexpected emails containing links or attachments: If you receive an unexpected email claiming to be from your bank or other company that has your personal information, don't click on any of the links or attachments. It could be a scam. Instead, log in to your account separately to check for any new notices.
- Call the company directly: If you aren't sure whether an email notice is legit, call the company directly about the information sent via email to find out if it is real and/or if there is any urgent information you should know about.
- If you do end up on a website that asks for your personal information, make sure it is a secure website, which will have "https" at the beginning ("s" indicates secure).
- Look out for grammar and spelling errors: Scam emails often contain typos and other errors -- which is a big red flag that it probably didn't come from a legitimate source.
- Never respond to a text message from a number you don't recognize: This could also make any information stored in your phone vulnerable to hackers. Do some research to find out who and where the text came from.
- Don't call back unknown numbers: If you get a missed call on your cell phone from a number you don't recognize, don't call it back. Here's what you need to know about this phone scam.
- Be cautious of any notification from an “automated message system” that states “Click on this link for details.”
For basic protection, use anti-virus and anti-malware software on all of your devices and make sure to keep it up to date. See our Virus, Spyware and Malware Protection Guide for links to free options.