The hack of 500 million Yahoo user accounts is far and away the largest corporate breach ever reported, ahead of the 2013 MySpace hack that compromised over 300 million user accounts.
Yahoo blames the breach on a "state-sponsored actor," though exactly which state has still to be answered.
The whole affair brings to mind the infamous 2014 quote from FBI director James Comey. "There are two kinds of big companies in the United States," he said. "There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
While nobody is linking this hack to the Chinese, Comey's point is that every Internet user should assume their information is compromised, always.
Internet security expert Dan Kamisky, quoted in Reuters, says the same thing: "Five hundred of the Fortune 500 have been hacked. If anything has changed, it's that these attacks are getting publicly disclosed."
Huge hack
Armed with that knowledge, it's the size of this attack that makes it such a big deal.
The hack predominantly affects U.S. users, but according to Pingdom, an Internet security firm, Yahoo also has a large presence in Japan, the Philippines, Taiwan and Hong Kong, and users there should be particularly vigilant in protecting their information.
But 500 million accounts is fully half of all the people who visit Yahoo every month. According to the website Pocket-lint, "Yahoo has 1 billion users around the globe. About 250 million use Yahoo Mail, while [Yahoo owned businesses] Flickr has 113 million, and several hundred million use Tumblr. About 81 million use Yahoo Finance, and tens of millions use Yahoo Fantasy Sports."
Yahoo has said in a statement that no Tumblr accounts were compromised, but if you use Flickr, you should definitely be changing your passwords and looking for trouble.
What was taken and what to do
Here is the account information that Yahoo says may have been compromised: "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
If you were affected, Yahoo will be sending you an email letting you know, so keep an eye on your inbox.
But even if you don't get an email and you're a Yahoo user, you should consider taking some basic steps to protect yourself. First, change your security questions, so they can't be used to get into your accounts. Also, Yahoo recommends that "users who haven’t changed their passwords since 2014" go ahead and do that.
Also: "...avoid clicking on links or downloading attachments from suspicious emails" and watch out for "unsolicited communications that ask for personal information."
These kinds of recommendations are pretty much standard all the time but they become even more important if you've been hacked.
Finally, as an intial layer of protection, Yahoo suggests setting up something called a Yahoo Account Key, which is a way to bypass passwords altogether. This works by sending you a code by text anytime you try to log into your email account. You'll have to keep your phone with you if you're logging in from a laptop or PC, so it's a bit more complicated but much safer.
Unless of course, someone steals and hacks your phone. To protect against that, and if your phone has the technology, enable your thumbprint password as a way to keep your phone bad-guy free.
It's a lot to think about and a lot to worry about, but the Internet isn't a safe place, and it never has been. Even way back in 2002, Richard Clarke, who was the special advisor on cybersecurity to U.S. President George W. Bush, famously said: "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
And as the U.S. government later discovered through massive breaches in its own personnel office, even spending millions of dollars on security is no guarantee of protection.