It's official: Yahoo has confirmed that credential information from 500 million user accounts was stolen in a data breach that occurred in 2014. The company has said the breach was the work of a "state-sponsored" actor. Here's what you need to know.
In August, a hacker going by the name 'Peace' started selling what he claimed was Yahoo account information from 2012 on TheRealDeal, a dark web marketplace. He claimed to have credentials for 200 million accounts, including usernames, passwords and personal information such as email addresses, and was selling them for around US$1800. The passwords in the sample were not stored in plaintext, but they were only weakly hashed, which offers little protection against offline cracking.
At the time, Yahoo said its security team was investigating the matter to determine the facts:
"Yahoo works hard to keep our users safe and we always encourage our users to create strong passwords or give up passwords altogether by using Yahoo Account Key and use different passwords for different platforms"
This morning, Yahoo released a statement confirming that the breach was worse than expected. The number of affected accounts has jumped to at least 500 million, and the company is blaming a "state-sponsored threat actor" for the intrusion:
"A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
Yahoo has stressed that the stolen information did not include unprotected passwords, payment card data or bank account information, and said it does not believe the attacker is still on its network. It is currently working with US law enforcement agencies to continue investigating the matter.
Potentially affected Yahoo account holders are being notified. Interestingly, in late 2015, Yahoo said it would start alerting customers if their accounts were suspected to have been attacked by "state-sponsored" threat actors.
A source told Recode before the official announcement that the breach was "worse" than just 200 million accounts.
Motherboard, which tested a sample of the dump, reported:
"[M]ost of the two dozen Yahoo usernames tested by Motherboard did correspond to actual accounts on the service. (This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn't recognised, it was not possible to continue). However, when Motherboard attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable. 'This account has been disabled or discontinued', read one autoresponse to many of the emails that failed to deliver properly, while others read 'This user doesn't have a yahoo.com account'."
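The check Motherboard describes works because the first step of an "enter your email, click next" login flow is an account-existence oracle: anyone holding a list of leaked addresses can validate it against the service without knowing a single password. The following is an added example, not code from the article, from Motherboard or from Yahoo. It simulates such a two-step endpoint that leaks existence, the same enumeration loop run against it, and a hardened variant that answers identically for known and unknown addresses and only confirms existence after a correct password, paying the hash cost even for unknown users so response time does not leak either. All account data is constructed for the example, and PBKDF2 from the standard library stands in for the bcrypt the statement mentions.

```python
"""Added example: login-step account enumeration, leaky vs hardened.

Everything here is hypothetical and constructed for illustration;
it is not Yahoo's login code and not Motherboard's tooling.
"""
import hashlib
import hmac
import secrets

# Cost parameter for the stand-in password hash (assumption for this example).
PBKDF2_ITERS = 50_000

# Constructed sample of registered accounts and their (plaintext) passwords,
# used only to build the credential store below.
_SAMPLE_CREDS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}

# Constructed sample of addresses from a leaked dump: some real, some not.
DUMP_SAMPLE = [
    "alice@example.com",
    "mallory@example.com",
    "bob@example.com",
    "nobody@example.com",
]


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash; stands in for bcrypt to keep the example dependency-free."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def _build_store(creds: dict) -> dict:
    """email -> (salt, hash). A real service would persist this."""
    store = {}
    for email, pw in creds.items():
        salt = secrets.token_bytes(16)
        store[email] = (salt, _hash(pw, salt))
    return store


STORE = _build_store(_SAMPLE_CREDS)
REGISTERED = set(STORE)

# Fixed salt used to do dummy hashing work for unknown users (timing defence).
_DUMMY_SALT = secrets.token_bytes(16)


def leaky_step_one(email: str) -> dict:
    """Step one of the weak flow: the reply differs for unknown addresses."""
    if email in REGISTERED:
        return {"status": 200, "next": "password"}
    return {"status": 404, "error": "This user doesn't have an account"}


def hardened_step_one(email: str) -> dict:
    """Step one of the hardened flow: same shape and status for every input.

    Existence is never confirmed here; only a correct password confirms it.
    """
    return {"status": 200, "next": "password", "nonce": secrets.token_hex(8)}


def enumerate_accounts(step_one, candidates: list) -> list:
    """The validation loop from the quoted test: keep every address for which
    the flow lets you continue to the password step."""
    return [e for e in candidates if step_one(e).get("next") == "password"]


def hardened_login(email: str, password: str) -> bool:
    """Step two: constant-shape, constant-work verification.

    Unknown users still pay the full hash cost so timing does not reveal
    whether the address is registered, and the final comparison is
    constant-time.
    """
    salt, expected = STORE.get(email, (_DUMMY_SALT, None))
    computed = _hash(password, salt)  # always do the work
    if expected is None:
        return False
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    print("leaky:   ", enumerate_accounts(leaky_step_one, DUMP_SAMPLE))
    print("hardened:", enumerate_accounts(hardened_step_one, DUMP_SAMPLE))
    print("login ok:", hardened_login("alice@example.com", "correct horse battery staple"))
```

Against the leaky endpoint the loop returns exactly the registered addresses, which is the signal Motherboard used to judge the dump genuine; against the hardened endpoint it returns every candidate, so the attacker learns nothing. The hardened step two refuses unknown users and wrong passwords alike, and only the password, not the address, ever distinguishes the two.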
Either way, if you still have a Yahoo account, you should change your password now, and change it anywhere else you reused it, since Yahoo's own advice is to use different passwords for different platforms. Because security questions and answers were among the stolen data, some of them unencrypted, change those as well wherever you have reused them. Or take the company's advice and use its Yahoo Account Key app to log in without a password.
This is probably the worst time for this news to come out given that Yahoo is currently in the process of selling its business to Verizon for US$4.8 billion.