Yahoo has confirmed a massive data breach affecting ‘at least 500 million user accounts’. This is one of the largest security breaches yet, considering the wide use of the company’s services (one billion monthly active users as of February 2016).
The company suspects the perpetrator of the data breach, which happened in late 2014, is a ‘state-sponsored actor’, i.e. an actor working on behalf of a government. According to Yahoo, “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
To protect its users, Yahoo has stated that it is notifying affected users and asking potentially affected users to promptly change their passwords and account verification information, especially those who haven’t done so since 2014. It has also invalidated unencrypted security questions and answers to prevent them from being used to access any account.
However, in August this year, it was rumoured that a hacker called ‘Peace’ (known for claims of selling stolen LinkedIn and MySpace accounts) was offering data from 200 million Yahoo users for sale online for just over $1,800. The stolen data was alleged to include user names, easily decrypted passwords, personal information and email addresses. The company confirmed that it was aware of the claim and was investigating it, but did not confirm the outcome of its investigation or direct users to secure their accounts. The breach now confirmed is much wider than what those earlier rumours suggested. Yahoo has, however, ruled out sensitive information such as bank account and credit card details from the affected data, and it continues to work with the FBI to investigate the breach further.
On the investigation, an FBI spokesperson said: “The FBI is aware of the intrusion and investigating the matter. We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.” (via CNN Money)
Cyber security experts have predicted that this massive breach may have far-reaching online consequences in the near future. It is also speculated that it may have implications for the sale of Yahoo’s core business to Verizon, valued at $4.8 billion. The deal is about to be completed, subject to approval by regulatory agencies and Yahoo shareholders. Yahoo CEO Marissa Mayer, a former Google executive, has been criticised over the breach, as well as over the company’s failure to innovate new products, which allegedly led to the sale. (via Recode)
The following are Yahoo’s security recommendations to its users:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.