In the biggest known breach of a company’s network, Yahoo has confirmed that account details of 500m people were stolen by hackers in 2014.
The internet portal giant said the attack was by a “state-sponsored actor”, pointing the finger in the direction of government-backed Russian or Chinese hacker gangs.
Even though Yahoo has been struggling in recent years, with CEO Marissa Mayer trying to breathe life into the company, it is still one of the internet’s busiest sites with some 1bn users.
Yahoo Mail is one of the longest-serving email services and is used as a digital identity, connecting people with banking and e-commerce services, to name a few.
In a statement, Yahoo said: “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; [the last two] are not stored in the system that the investigation has found to be affected.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500m user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
From the Sony attack two years ago (believed to have been backed by North Korea) to the latest attack by Russian hackers on the World Anti-Doping Agency, breaches by state-backed hackers are becoming increasingly brazen.
Yahoo said that intrusions by “state-sponsored actors” detected on its networks have so far resulted in warning notices being served to 10,000 users.
No ‘peace of mind’ for Yahoo
In a possibly related incident, Yahoo also investigated a hacker called Peace_of_Mind, who was discovered to be selling Yahoo login credentials to over 200m accounts on a black market website.
The bigger question is why it took Yahoo two years to inform users of this privacy intrusion.
The attack could turn out to be the biggest breach of all time, dwarfing the MySpace incident that saw hackers invade 360m accounts.
More worrying for Yahoo are the implications the breach could have for Verizon’s $4.8bn acquisition of the company, announced in July.
Verizon is acquiring Yahoo because it wants to build a 1bn-strong mobile user community to serve with advertising. However, the deal is still subject to regulatory approval and to approval by shareholders, who may be spooked by the breach.
The timing could not be worse for Yahoo.
What to do if you are a Yahoo user
Veteran security blogger Graham Cluley has offered good advice to existing Yahoo users.
“Reset your Yahoo password. Make it a strong, complex password – and make sure that you are not using the same password anywhere else on the net. Yahoo says it is recommending that all users who have not changed their passwords since 2014 do so.
“If you were using the same password in multiple places, you need to get out of that habit right now. Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials.
“Invest in a decent password manager programme [that will] generate random, hard-to-crack passwords, store them securely and remember them for you.
“Watch out for phishing emails that pretend to come from Yahoo.
“And yes, if you haven’t already done so, enable two-step verification on your Yahoo account,” Cluley advised.