Photo
Credit Mike Blake/Reuters

Yahoo has said that hackers in 2013 stole data of over one billion users. Names, contact information, passwords and answers to security questions may have been taken in the breach, the company said. The next year, according to the company, a similar attack affected 500 million accounts.

Whether you are a current or former Yahoo user, security experts have said that incidents like these could have far-reaching consequences for users beyond Yahoo’s services.

Here are some answers to frequently asked questions about how you can protect yourself.

  1. How do I know if my personal information was stolen?

    Assume it was.

    Yahoo said it had begun notifying potentially affected users, but its breach was huge, and similar attacks and smaller thefts happen all the time.

  2. Should I change my password?

    The first step, as always, is to change passwords for sites that contain sensitive information like financial, health or credit card data. Do not use the same password across multiple sites.

    Changing Yahoo passwords will be just the start for many of you. Comb through other services — especially those for which you provided a Yahoo email address to create an account — to make sure passwords used on those sites aren’t too similar to what you were using on Yahoo.

    And if you weren’t doing so already, you’ll have to treat everything you receive online with an abundance of suspicion, in case hackers are trying to trick you out of even more information.

  3. How do I create stronger passwords?

    Try a password manager like 1Password or LastPass.

    These sites create a unique password for each website you visit and store them in a database protected by a master password that you create. Password managers reduce the risk of reused passwords or those that are easy to decode.

    The Wirecutter, a product recommendations site now owned by The New York Times, provides a helpful explanation of why password managers are so essential. They also maintain an updated guide to the best password managers.

    If you must create your own passwords, try creating long, complex passwords consisting of nonsensical phrases or one-sentence summaries of strange life events and add numbers and special characters.

    Examples:

    • My favorite number is Green4782#
    • The cat ate the CoTTon candy 224%

    Or, if you’re extra paranoid, consider mimicking this setup:

    Jeremiah Grossman, a web security expert, memorizes only a few passwords, including one to unlock his computer, and another to unlock an encrypted USB drive containing a file with a list of all his passwords for dozens of services. None of his passwords are memorable because they are random.

    “I select them quite literally by banging on the keyboard a few times like a monkey,” Mr. Grossman said, adding that his setup is “a bit more paranoid” than that of the average person.

    Create the strongest passwords for the sites that contain the most sensitive information and do not reuse them anywhere.

  4. Are passwords enough?

    Passwords are not enough. If a site offers additional security features, like secondary or two-factor authentication, enable them. Then, when you enter your password, you will receive a message (usually a text) with a one-time code that you must enter before you can log in.

    Many bank sites and major sites like Google and Apple offer two-factor authentication. In some cases, the second authentication is required only if you are logging in from a new computer.

  5. How can I stop my information from being stolen in the first place?

    Increasingly, you cannot. Regularly monitoring your financial records can help minimize the damage if someone gets your information. But only the companies storing your personal data are responsible for securing it. Consumers can slow down hackers and identity thieves, but corporate computer security and law enforcement are the biggest deterrents.

  6. What if you have changed your password after the breach happened but before it was disclosed?

    The Yahoo attack happened three years ago but was disclosed only this week. Even if you changed your passwords recently for other websites, chances are at least some of them are similar to the password linked to your Yahoo account.

    To play it safe, you should change your passwords, starting with your most sensitive accounts, including your online banking account.

  7. Won’t security questions protect my data?

    Sites will often use security questions like “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

    These questions are problematic because the internet has made public record searches simple and the answers are usually easy to guess.

    In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

    With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

    Jonathan Zdziarski, a computer forensics expert, said he often answered these questions with an alternate password. If a site offers only multiple choice answers, or requires only short passwords, he will not use it.

    “You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.