The Washington PostDemocracy Dies in Darkness

Have you ever had a Yahoo account? You might want to change some passwords.

Here's who was affected, and what you can do to keep your accounts safe. (Video: Jhaan Elker/The Washington Post)

Yahoo says 1 billion user accounts hacked

This post has been updated from a previous version that published Sept. 22, 2016. 

Yahoo on Wednesday revealed that a 2013 breach leaked information from more than 1 billion accounts. This is separate from a very similar breach of 500 million accounts that Yahoo announced in September. At that time, we ran a guide for what Yahoo users should do with their accounts. Since this information is relevant again, we've brought this guide back and updated it to reflect this latest breach.

What information has been stolen?

Yahoo's chief information security officer, Bob Lord, said in a blog post Wednesday that account information taken “may have” included names, email address, telephone numbers and dates of birth. Lord also said that password information, though not passwords in plain text, may have been stolen, as well as some answers to security questions.

According to Yahoo, accounts on Tumblr — which Yahoo bought in 2013 — are not affected.

How about financial information?

Lord said financial information, including credit card numbers and payment card data, were not accessed. That information is stored in a separate system.

Still, users should check their credit scores to see if new accounts have been opened in their name, as this type of personal information can be used as a key to get enough information to open an account.

How data breaches grew to massive proportions in 11 years

How do I know if I've been affected?

Yahoo will be contacting potentially affected users by email.

Beware of scam emails that may reference the Yahoo breach to try to pull more information out of you by asking you to “verify” information.

What should I do on my Yahoo account?

Users will be asked to change their passwords. Any unencrypted security questions and answers will be invalidated, meaning that users will have to submit new ones. If you haven't changed your password since 2013 — or if you had changed it to a password you may have used before 2013 after the previous breach — it's a good idea to change it again.

Also, if you had a Yahoo account in 2013 but have since closed it, you should change the credentials for any current accounts you have that might share a password or security question response with that old account.

Does Yahoo have a place where I can find all this information?

The company has set up a frequently asked questions page for anyone who may have been affected by the breach.