ASK Sucuri: What should I do if my email is in the Yahoo Leak?

We love to get questions from you, our readers, in our Ask Sucuri series. If you have any questions about website malware, blacklisting, or security in general, send us an email to: or hit us on Twitter – @sucuri_security.

Yesterday we released a blog post about the Yahoo Leak, and created an online tool to check if your email was exposed in the leak. Since then, we have received hundreds of emails asking what should be done for anyone whose account was compromised.


Question: What should I do if my email was exposed in the recent Yahoo password leak?

The first thing you need to do is change your password. Not only your Yahoo password, but all your passwords, especially (and most importantly) if you re-use passwords across multiple accounts. So if your Yahoo password is the same as the one for your Twitter, Facebook or bank account, you should change them all immediately.

These are our step-by-step suggestions for anyone who was exposed, has a Yahoo Voice account, has a Yahoo account in general, or simply hasn’t changed their credentials in a while:

  1. Change your Yahoo passwords.
  2. Change the password on any site where you were re-using the same password.
  3. Or you can go even further and change all your passwords. Now is a good day to do so.

Remember, you should never re-use passwords between sites. We also strongly recommend that everyone use a password manager like LastPass, Peguta or 1Pass.


About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • Judy

    I have three emails. Two said “good! Password was not found in breach” the last one shows nothing at all, not a yes, a no, or a good. What does that mean?

    • Annie Williams

      I got that too. Make sure you enter your email as  Initially, I just entered my email without the domain “”

  • Richard Morris

    @Judy I would just change your password anyways. It is always better to be safe than sorry when it comes to internet and email security.  

  • Hvh888

    I can’t get into the yahoo email.  Must be logged in to change the password.  
    Pretty much like on-line support when your browser is down… can’t do it!

    • Ocr1

       att yahoo call this number ask for tech support, waited on hold yesterday 20 min then took an hour to change all of my accounts but worth it  800 288-2020

  • Rorylovessean

    WTF! My Yahoo account is fine but why is my Gmail account leaked? WTF? These Ukrainian pieces of sh** need to be jailed. Yahoo sucks and they are getting a nasty-gram from me. 

  • Kane

    thank you so much for this! it is crazy! I was freakin’ out when I found out that my yahoo mail went nutzzz… 

    thank you for the tips!

  • Daniël W. Crompton (webhat)

    Just for clarity, when a vendor is breached you should change your password whether it is shown to be exposed or not. Creating a tool which tells you you are not exposed creates a false sense of security. The basic assumption should be that all the data is compromised.

    • Andres Armeda

      Great point, and we agree 100% – The post has been updated to reflect the intent in our suggested steps a bit clearer.

      Thanks for the comment and the Tweet.

      • Daniël W. Crompton (webhat)

        You’re welcome!

        • Philip Leo Kraus

          As a matter of habit (haha, hackers love that saying…) I change my passwords sporadically, and change them to something very far from what the last ones were. In the 17 years I’ve been online, I’ve been hacked a total of 12 times. Not happy about it but it’s something the internet cannot provide- SECURITY.

    • Craig F.

      It seems odd that Yahoo didn’t contact me directly that my password had been hacked (i.e., send me an email [I mean, it’s a Yahoo account so you’d think they could do that]). I had a strong password (which I didn’t know I needed to change). Today spam was sent to all of my contacts. Fortunately I was still able to get into the account and change the password. Did anyone get direct notification from Yahoo?

  • Cat

    I don’t have yahoo, but my aol was leaked?? don’t get it.

  • DavidS

    Please add better instructions/messages.

    Because of the context — only addresses are a problem — I wonder how many people just type in the first part of their email account without the @yahoo.com, and, because there isn’t a warning message, assume it was fine. I did it both ways just in case your instructions had hidden assumptions that I didn’t have.

    • Vanity357

      It’s not just @yahoo accounts. My Gmail account that I associated with my Yahoo account was found in the leak. Since then, I’ve received notification after notification from long forgotten accounts about attempted orders, security changes and other mess. This is beyond irritating. 

  • MPA2000

    So how did this happen.  I still haven’t heard the explanation.

    • Marathonmanmusic

      I’ve seen reports that it was all phishing and a new killer trojan that caused this. Yahoo does not store passwords in text. Keep your spam settings set as high as you can bear and change your password often.

  • Herewegoagain

    Not only was my e-mail pword exposed, someone hacked it about three weeks ago and used it to send out garbage to all my contacts. They also managed to throw in some malware and a trojan, which my so called great internet security software (which was supposed to protect me from everything), did not catch. As of today, and literally 40 plus hours of my time plus remote sessions from tech support, the problem is still not fixed. This whole thing was an eye opener as I just now found out the trojan dropped in my PC is state of the art and steals your passwords for your online banking information. This Zeus New version trojan/virus is so bad, and so new, it is wiping out bank accounts across Europe and now the US. There is so much money missing, and it went out of the accounts so fast, no one could catch it. I trust no security software now. I am a Joe Blow, and barely making it, yet money was stolen from me too. I am having a great day….

  • Mel Sanchez34

    I keep getting kicked off of here….I can’t remember my security questions from 2009 and I no longer have the alternate e-mail address and cannot find a way to list a new one. There has to be a way to get off the merry-go-round

    • Cscanlon62

       that is my same problem, my security question has only one answer it could be (from 2009) and it is not being accepted, been locked out several times for trying. It is like being on a Stephen King merry-go-round. What is Yahoo doing to help us? no phone number for human being.

      • Scottyboe69

        here is the phone number for yahoo:
        866-562-7219 it won’t work they will ask you about your security questions when you created the account but you can try.

  • Davidt31

    can yahoo be sued because of this

    • Marathonmanmusic

      Yes, if you suffer damage that can be linked to the leak. US Bank caused me a little damage in 2010 when they compromised my info online (no more internet banking for me! And no more US Bank, either, which, is not even owned by a US company!) and they are in process of having a little trouble because of that. Yes, they’re liable for damage, absolutely.

  • marthaviolet

    My Yahoo email account was leaked. After lots of communication and FINALLY speaking to a LIVE person (in another country!), I was asked questions to which I could no longer answer. The last 4 digits to a credit card from YEARS ago, etc. Yahoo representative answer? “You will not be able to log into your account” .. in which I replied “never? no other options to reset my password?” .. their response “unless you have the last 4 digits to your credit card you used when you set up your account” In other words, thousands of email account users will have to say adios to their Yahoo accounts due to this hack. Yes. That HURTS to read this. But unfortunately Yahoo is not concerned about you being able to read your business emails, or emails from family and friends. Rather than help its loyal users (whom they have made millions from marketing your personal data to other companies) they would much rather “solve” this problem by wiping the slate clean and deleting your account.

  • Sherri Smith

    I have still yet to recover my sbcglobal account! I’ve tried everything from email CS to sitting on hold for a good 40 minutes only to speak with someone that had no idea what he was talking about! I am so incredibly frustrated! And to make matters worse my alternative email addresses were changed and I can’t answer the security questions until tomorrow…

    Get with it yahoo… especially for security reasons with all my financial crap associated with this account it better get fixed quickly!

  • Philip Leo Kraus

    I received an email that my yahoo contributor account was breached, but they wanted me to change my yahoo email password! Not making any sense, so I used the tool to see, and sure enough my yahoo email account WAS compromised. I also know for a fact that my account was hacked because every email I had sent or received about an attorney who has been harassing the hell out of me, and all the illegal things she’s done over the last year, has been deleted. One was deleted TOTALLY, not even in the trash, right before my eyes, while I was online a week and a half ago… What do I do? My Facebook account was also compromised, and actions there have also appeared… I guess we are not safe online in any fashion at any time. No sense of security here…

    • Philip Leo Kraus

      Oh, and by the way, Yahoo will not give me direct answers to my questions about the unknown IP’s that showed up, that are actually VERY CLOSE in their numbers to the ones I was using, but not the IP that I was using…

  • usługi księgowe łódź

    I like your post very much. Your post is very different. Thanks for your post.

  • Bill

    It’s happening again. They used only my online address book (Contacts) to send out links to mal-sites. Called support who tried to convince me I had a virus. McAfee and Malware bytes did not find anything. No contact from my Outlook or phone contacts only the few on the online address book. Yahoo support tried to show me my computer was hacked by showing my network connections (using Netstat) and systems errors (from System log). The connections were all legit (I work in IT) and system error … ya, I have some system issues. He told me I was under attack RIGHT NOW and should purchase a service they provide to clean up my machine. Never attribute to malice what can be attributed to ignorance but really. I wonder how many people believed and purchased just because he was able to techy speak. I wish something more could be done to warn others.

  • Sandra

    if they are able to send emails from my email address can they see my files in my emails, notepads?

  • taher

    I can’t remember my security questions but I have the alternate e-mail address

  • taher

    I can’t remember my security questions but I have the alternate e-mail address how can I get back my E- mail

  • chetan

    hello sir my password heck and not Recharge ans know way this step tell me i need for my open email id
