Yahoo breach highlights need for care in using online services

Priority Level: Moderate
23 September 2016

You are reminded to be careful and remain vigilant when providing personal information to online services following a statement from Yahoo that personal information associated with up to 500 million accounts was stolen from its network in late 2014.

Stay Smart Online recommends that when deciding whether or not to provide your information, you consider the consequences of those details entering the public domain, or being accessed by malicious people intent on blackmail or identity theft. Sensitive information may include names, addresses, marital status and dates of birth.

Identity theft can have particularly damaging consequences. A criminal can use your stolen identity to access your bank account, obtain credit cards or loans in your name, claim welfare benefits, and potentially ruin your credit rating.

According to Yahoo's statement, the compromised account information may include names, email addresses, telephone numbers, dates of birth, passwords that have been 'hashed' (converted to random-looking strings of characters that are difficult for criminals to unscramble) and in some cases, encrypted or unencrypted security questions and answers.

Yahoo said details such as unprotected passwords, bank account information and payment card data had not been stolen, with payment card data and bank account information stored on a separate system.

Staying safe

If you decide to use an online service, Stay Smart Online recommends you provide the minimum information the service asks for.

Always read and understand the terms and conditions of any service you sign up to use, in particular policies governing use and protection of information. Pay particular attention to any conditions related to sensitive information such as date of birth, address, marital status and bank account details.

Yahoo said it was notifying affected users and taking steps to secure their accounts. These steps included invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords.

Any Yahoo user who has not changed their password since 2014 should do so.

If you had a Yahoo account in late 2014, you should review any online accounts for suspicious activity, and change any passwords or security questions used across other online services as well as your Yahoo account. You should not use the same username and password for different online accounts.

You should also be wary of any suspicious messages that ask you to click on a link or open an attachment.

The Office of the Australian Information Commissioner advises that anyone who believes their privacy has been breached can contact its office for confidential assistance on 1300 363 992.

More information

Stay Smart Online has information on staying smart online.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.