A revelation earlier this week about the massive breach Yahoo suffered in 2013 showed that three billion user accounts were compromised. The total was three times the size of the previously reported number and essentially encompassed every account created through the faltering tech giant.

Because the breach includes usernames and passwords, it is especially troubling for the billions of people who suddenly find themselves at risk of exposure. Many users may decide to delete their accounts entirely rather than bothering with simply changing their password, but doing so may present additional troubles.

Instead, users should consider adding extra security to their accounts to prevent compromise.

The first concern users should have about deleting their account from the site is Yahoo’s troubling practice of recycling email addresses. In 2013, the company announced a practice of “freeing up” unused account names for others to claim.

Instead of simply letting an email address be removed by the owner of the account, Yahoo allows another person to claim that username after it has been inactive for a year. Because an email address is usually tied to an individual’s identity, allowing a person to take over someone else’s old account creates potential for fraudulent activity.

The decision to recirculate old email addresses caused issues almost immediately, as people who laid claim to abandoned accounts started receiving messages intended for the original account owner.

Adding to the problem for Yahoo users who would like to cut ties with the company is the odd account removal process. Earlier this year, it was discovered that Yahoo wasn’t actually deleting accounts when users requested it be done. Instead, the company’s security protocol requires that accounts remain inactive for 90 days after the deletion request before removing them.

The system presents a problem for users, as any activity restarts the 90-day timer. If a user attempts to sign into the account again, the process is reset. The process is also reset if a malicious actor attempts to sign in, which they may well be able to do, given there are three billion account names and passwords available in corners of the dark web.

In some cases, users even reported that Yahoo failed to delete their account after 90 days and it was still possible to gain access to the account. There is no verification process to confirm an account was deleted other than attempting to log in again—and doing so may restart the process.

Instead of deleting a Yahoo account, users should consider enabling two-factor authentication. Doing so does not require that the user continue using the account regularly, but it will add an extra requirement for every login attempt.

With two-factor authentication, entering an account name and password will not automatically grant access to a person trying to log in to Yahoo. The system will send a text message with a code to a phone number associated with the account. The user will have to enter that code to actually access the account.

How To Set Up Two-Factor Authentication For Yahoo Accounts

To turn on two-factor authentication, users will have to log in to their Yahoo account. After signing in, go to the “Account security” page. Select “Two-step verification” and click the toggle button to the on position in order to enable the two-step authentication process.

Yahoo will ask the user to enter a mobile number and then choose to either receive a text message with a code or receive an automated phone call that will similarly provide a code.

Once the user enters that verification code in a text box on screen and clicks the Verify button, they will have activated two-factor authentication. Every login will then require an additional code to access the account. The additional layer of security will secure the account and alert the user if an unauthorized person attempts to log in to their account.