Change your Yahoo Account password immediately

On September 22, Yahoo confirmed their account system having 500 million user accounts stolen, among included names, email addresses, telephone numbers, dates of birth, and hashed passwords. The relevant information can be traced back since 2014. To apply the best protection of data for user, HKCERT advises users to change passwords immediately.

If an attacker compromises user information on Yahoo account, he may login the account and access the user's private information. We strongly recommend Yahoo users to change their password immediately, and set up two-step verification¹. If a user is using the same ID (email address) and password on other online services, it is time to change them and use different new passwords for each service.

Here are some tips for choosing a good password.

• Use at least eight characters long password.
• Use combination of different character types in a password, e.g. upper and lower case letters, numeric and symbol characters.
• Use passwords that are hard to guess but easy to remember.
• Change your password regularly.
• Do not use the same password for different online services.

Other attackers may take advantage of this incident and send out phishing email or perform social engineering attack. Never change your passwords by clicking the URL in an email that you did not request. You should also be cautious when you receive posts or messages with suspicious URLs, even if the sender claims to be your friends. Check the URLs before you click on it.