On Tuesday, Yahoo announced that a staggering 2013 data breach affecting a billion accounts had actually affected a whole lot more—hackers stole information on every Yahoo account that existed at the time, a total of 3 billion.
This comes just days after Equifax, suffering its own catastrophic breach of Social Security numbers, addresses, and other personal information, said an additional 2.5 million people had been affected, bringing the pool up to 145.5 million.
If we want to protect our data and identities, it’s clearly time to accept that when a company is hacked, we should assume all of our data has been compromised, and act accordingly. The alternative, to just wait and see what the company drips out over time, is not aging well in this era of massive, repeated data breaches.
If a company you have an account with admits that hackers have managed to grab a “selection” of usernames, passwords, and email addresses—even if you haven’t been explicitly told your account was pinched—you may want to change your password, especially if you use the same one on other websites.
When it comes to more personal information like that in the Equifax dump, taking steps to mitigate fraud or theft would probably be wise, even if the hacked firm hasn’t sent you a direct communication.
To be clear, this is not necessarily to blame hacked companies for not uncovering which data was impacted or not. Perhaps the hackers were particularly stealthy, or some other factor outside of the victim’s control slowed the incident response.
“What this shows us more than anything is that it can be enormously difficult to fully understand the scope of an attack,” Troy Hunt, the maintainer of the breach-notification site Have I Been Pwned?, told The Daily Beast in an email.
“Yahoo and Equifax are obviously topical, but think back to last year and Dropbox and LinkedIn’s incidents,” he said, and added that with LinkedIn, the company knew years earlier they had been hacked, but didn’t know the extent of the data theft. “It took until their own data was publicly distributed to realize the full scope of the attack,” he said.
As well as LinkedIn and Dropbox, 2016 saw a flurry of other disclosed data breaches, including MySpace and VK.com, essentially Russia’s version of Facebook. Many of those hacks actually took place years earlier.
In Yahoo’s case, it seems the company only investigated once a hacker advertised a, likely fake, cache of accounts on the so-called dark web. That prompted Yahoo to dig deeper, and it uncovered this very real theft of user data.
Assuming every service you use has been hacked would be impractical, and, to be honest, exhausting. There are some strategies that everyone should be following, though: always use a different password on every site. That way, if hackers already do have access to the company’s databases, they can’t just take those login details and try them on another service. One of the best ways to do this is with a password manager; a small program on your computer that generates and stores unique logins, so you only have to memorize one password. And, if the site offers it, use two-factor authentication, which means hackers need another code sent to your phone or an app to break into your account.
When a company you use is hacked, it’s safer to presume that you should take your own steps to protect your data, and go ahead and change that password, just in case.
“We’re really at a point now where the only safe assumption is that once a company is breached, someone has all your data,” Hunt said.