One billion Yahoo accounts were stolen in 2013, the company announced on Wednesday, in the largest (known) hack of all time.
The incident is separate from the breach Yahoo disclosed back in September, which saw at least 500 million accounts compromised.
In other words, Yahoo got hacked twice – badly.
The company isn’t providing many details about the breach, because right now it doesn’t know them. “The company has not been able to identify the intrusion associated with this theft,” the company said in a statement.
Yahoo has emailed its users informing them of the breach – and if you’re affected, you’re probably asking yourself what you can do now.
There are two answers: Protect your logins on other services, and delete your account.
1. Protecting your logins
It can't be said enough: You should use a strong, unique password for every website or service on which you have an account. This means if any one service gets hacked, your other accounts won't be compromised too.
Hackers will often trawl through user databases stolen in hacks and try the stolen login details on other sites. This means a user who reuses a password can be re-victimised over and over again.
This summer, we saw a spate of hacks of celebrities and high-profile figures on Twitter - everyone from Drake to Facebook CEO Mark Zuckerberg. Twitter itself wasn't hacked, but it looks as if the victims reused passwords on services that were, like LinkedIn and Tumblr.
So if you used the same password you used for your Yahoo account anywhere else, you should change those accounts. Now.
Of course, passwords - especially strong ones - are a pain to remember. And that's why security experts recommend you use a password manager app to store them. An app like LastPass or Dashlane will store all your passwords, so you only have to remember one - the one to access the app.
Also: If it's available, activate two-factor authentication. It creates a second barrier to entry by sending a unique code to your phone, so even if an account's password is compromised, the attacker still can't get in unless the person also has access to your phone (though there are some devious ways hackers try to get around it). It is available on Google, Facebook, Twitter, and most other major web services.
On a long-enough time frame, everyone gets hacked. But by having unique passwords and two-factor authentication, you can limit the damage.
Nowhere in this @Yahoo email: "We're sorry" pic.twitter.com/wQXQApQAjJ
— Jonathan Ellis (@jonathanellis) December 14, 2016
2. Delete your account
Do you own a Flickr page you never use? A Tumblr you haven't checked since 2014? A Yahoo Mail account you haven't sent an email from in over a decade? It might be time to pull the plug, permanently.
First of all, back up your data! You don't want to lose old emails and photos. Luckily, Yahoo has put together an easy-to-follow walk-through on how to do that here. (Important note: This includes all your Flickr photos.)
Done that? Great. Now head over to the "Delete Your Account" page. It should look like this.
It'll ask you to enter your password and to do a Captcha, to prove who you are - and just like that, you're done.
Once you confirm you want to delete your account, it'll take about 90 days to process. This is to stop people from maliciously or fraudulently deleting other people's accounts if they gain access - and it means if you get cold feet straight after, it's not too late.