If you’ve ever signed up for an account with Yahoo, there’s cause for concern. The company confirmed today, after Recode broke the story last night, that 500 million user accounts were breached in a massive hack.
That’s larger than the population of the United States and Mexico combined.
Yahoo says the attack likely included email addresses, passwords, names and phone numbers — not payment card data or bank account information.
But our email accounts are packed with personal information. We send people we trust our account details for all kinds of services over email, and whether it's as benign as a Netflix password or as potentially devastating as a pornography website login or credit card number, we expect our email accounts to be password-protected and private.
If you have a Yahoo account, here’s what you should do.
Change all your passwords
Not just your Yahoo account. Make a list of all the online accounts where you store sensitive information. Update all your passwords to make them long and strong. Be sure to give each separate account a unique password, too. No repeats.
The best way to keep track of all your new passwords is with a password manager, which stores all your account details in an encrypted vault on your smartphone and your desktop. You can find some great free or extremely cheap ones online. Do some digging and find an option that works best for you.
Review old emails, delete sensitive content and disconnect accounts
If your Yahoo account information is indeed for sale, someone can hack into your email and find information you’d rather keep locked safe. Search your emails for sensitive correspondence, delete liberally and empty the trash folder.
Then visit the account settings of services you’ve connected to your Yahoo account and disconnect them immediately.
Switch to Gmail or use encryption
Gmail is endorsed by security researchers for being a secure service that most people can trust. If you want an airtight layer of protection, you can always set up a PGP key so only the intended recipient can decrypt your emails.
Enable two-factor authentication for all accounts and update apps
If you want to log in to your accounts, you should be able to verify you’re the one trying to log in and not someone else. That means employing more than just an easily sharable password to authenticate your login attempt.
Most services offer the option to text a code to a phone number on file for your account, so only a person with both your password and your cellphone can access it. Make sure all your apps and services are fully updated to take advantage of any recent security improvements.
Don’t open shady emails
Hackers often try to bait people into opening emails or attachments that may contain malware. Don’t open the email if you’re unsure. And if you do open an email and then decide it might be from a hacker, do not open the attachments. Delete it.
This article originally appeared on Recode.net.