Yahoo has confirmed hackers stole the personal information of at least 500 million users over the past two years following a data breach in 2014.
Speculation that a significant breach had taken place had been increasing in the past few months, but this is the first time Yahoo has acknowledged the severity of the incident and is now informing users about it.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
The breach is one of the largest ever and the sheer volume of information stolen is of concern, say experts.
“Half a billion records of just emails would be impressive but half a billion names, email addresses, telephone numbers, birthdays, hashed passwords, and (the icing on the cake) ‘unencrypted security questions and answers’ is astounding,” said Tyler Moffat, senior threat research analyst at Webroot.
“On the bright side, no financial data was breached. And while no unencrypted passwords were stolen, the unencrypted security questions are basically the same thing. It’s good Yahoo! is resetting the questions, but it doesn’t change that they were compromised and that some were likely used for identity theft before Yahoo! disclosed the breach.”
If you use Yahoo, probably. The company says it will be reaching out to potentially affected users and asking them to change their unencrypted security questions. Experts say you should not even wait to be notified and change your password immediately – and for any site for which you use the same credentials.
Some BT and Sky email customers will also be affected. BT now has its own mail platform but until 2013 was supplied by Yahoo Mail, and this is still used by a “minority” of customers. Sky still uses Yahoo and is also reaching out to its subscriber base.
And don’t forget, Yahoo has bought quite a few companies over the years. Flickr, Tumblr and other non-vowel adverse companies are also under its stable.
The response for consumers is simple: change your password immediately and any other service it is used for.
James Lyne, a researcher at Sophos recommends you use a different password for every site and this should be a combination of upper and lower case letters, symbols and numbers.
“Cyber criminals are very proficient at using such data to commit broader fraud, so the ramifications of such a breach can extend well beyond e-mail,” he said.
Credentials could be reused for company services and the data breach could see employees subject to phishing and other social engineering scams on a corporate network.
“In the wake of a breach like this, companies should have a well-oiled response plan,” said Rajiv Gupta, CEO of Skyhigh. “First, measure exposure to the breach by identifying how many employees use the cloud service. Then, take action to prevent immediate threats by prompting employees to change their passwords.
“Companies may consider temporarily blocking data uploads to the service to prevent further damage. The fallout of a data breach doesn’t end there, and neither should companies’ response. Employees frequently reuse passwords, and hackers can use stolen passwords to access other accounts.”
The hack serves to show that Yahoo is just at risk from these attacks as any other business. The implications can be financial or reputational, but the key message from the cybersecurity industry (which unsurprisingly) is to invest in adequate measures and be as transparent as possible.
“What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop,” said Mark James, a security specialist at ESET. “If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date.
“We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…