What to Do After the Massive Yahoo Hack

Yahoo confirmed Thursday that at least 500 million usernames and passwords were stolen by hackers back in 2014. The company isn’t saying who exactly is behind the attack, blaming an unnamed “state-sponsored actor.”

If you have a Yahoo account, what should you do now?

First, log in to your account and change your passwords. Never use the same password for more than one site — if you’ve been doing that, the hacker(s) who attacked Yahoo could use that password to gain access to your other accounts across the web, so change your other passwords too.

If you have trouble remembering more than one password, consider a password management program like 1Password or LastPass. (These programs can also generate secure passwords that are a jumble of letters and numbers, which are harder to guess than passwords you might think up on your own.)

Second, turn on two-factor authentication for your Yahoo account. This will require you to have your smartphone handy when you log in to your Yahoo account, meaning a hacker will need more than just your password to get access. Here’s how to do it.

Third, consider using Yahoo’s “Account Key” feature, which replaces written passwords with a smartphone app. It’s like a souped-up version of the step above. Here’s how to do it.

Fourth, be on the lookout for signs of credit card fraud, identity theft, and so on. Check your statements regularly. And be extra wary of any emails or phone calls seeking your personal information, as these could be attempts by hackers or their customers to gain more information about you.

Hacks like these are a good reminder of how important it is to practice good password hygiene. It’s generally a good idea to be constantly changing your passwords, using password managers and turning on two-factor authentication whenever possible for any service you use.
