Q. I have a Yahoo account. I have changed the password and taken other recommended security steps but I have yet to hear from Yahoo. Does the company have any obligation to inform its users of the breach? Shouldn’t Yahoo have been the first to send out information instead of letting us find out about the hacking from the news?
A. When Yahoo posted online statements to its users and investors on Sept. 22 announcing the 2014 security breach that compromised 500 million accounts, the company said it had begun to notify potentially affected users by email that morning. If you did not receive such a message, there could be a number of reasons: It might have been blocked by a filter or accidentally deleted, or you may not have been included on the email list. But as the experts advise, just assume that your personal information was stolen.
The contents of the security breach message and a set of frequently asked questions can be found on Yahoo’s site at yahoo.com/security-update. On the page, the company also suggests switching from a traditional password to the Yahoo Account Key, a user authentication tool that lets you sign in with a smartphone running Android or iOS.
Yahoo’s notice to users referred to a continuing investigation, which may have slowed the company’s disclosure, but there could be legal consequences for the delay. Along with multiple lawsuits brought by Yahoo users over the company’s security practices, Senator Mark R. Warner, Democrat of Virginia, has called for an investigation into Yahoo’s failure to immediately inform its users of the situation.
Six other senators sent a letter to Marissa Mayer, Yahoo’s chief executive, on Sept. 27, calling the delayed announcement “unacceptable” and asking for more information about “how Yahoo intends to safeguard data and protect its users, both now and in the future.”
Security-breach notification laws exist in 47 states already. More legislation is pending.