The announcement was made when a portion of the database was found for sale on the Dark Web. According to the investigative team, the hack's origins trace back to late 2014, and Yahoo is advising all of its customers who have not changed their passwords since then to do so immediately, or they will continue to be at risk.
Curiously, there’s a bit of pushback on this point. The hacker responsible for putting the database up for sale insists that the data it contains comes from the earlier 2012 hack, which impacted some 200 million user accounts.
The investigation into the matter is still ongoing, so it’s not yet clear whether the two incidents (2012 and 2014) are related, but there exists a strong possibility that they are. In any case, if you’re a Yahoo user, and it’s been a while since you’ve changed your password, you definitely should.
This latest incident highlights two points quite painfully. Firstly, no company can count itself completely safe. If a hacker is determined enough, he’s going to breach your defenses, no matter how cunning or elaborate they might be.
Secondly, and this is a point that experts have been repeating loudly for more than a year now, if you use the same password across multiple web properties, you are putting yourself at serious and completely unnecessary risk. If a hacker breaches any one of the websites you use, they have access to significant portions of your life, because they can simply try that password on other sites you use.
Many people use the same password across multiple sites because it’s more convenient and easier to remember. Unfortunately, it also makes you much more prone to identity theft, and all the misery that comes with it. The bottom line here is simple: if you’re a Yahoo user and it’s been a while since you’ve changed your password, do so immediately.