Naked Security

Change your password! Yahoo confirms data breach of 500 million accounts

It's the biggest known data breach in history and dwarfs all previous attacks.

Yahoo last night confirmed earlier reports that information pertaining to the unprecedented number of “at least” half a billion user accounts was stolen in a 2014 breach.

That may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the password-hashing function bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo says the breach didn’t include unprotected passwords, payment card data, or bank account information. The company says it doesn’t store payment card data or bank account information in its system.

It’s blaming an unspecified “state-sponsored actor.” The FBI has confirmed that it’s investigating the attack.

Three unnamed US intelligence officials told Reuters that they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting under their command.

News of a possible major attack on Yahoo first emerged in August, when Peace – the infamous dark-web purveyor of humongous data sets that date back years – was trying to sell information on 200 million Yahoo accounts.

For some reason, Yahoo didn’t call for a mandatory password reset when news of the attack first broke last month.

Somebody familiar with the matter told Reuters that the August report turned out to be false, though Yahoo’s investigation did in fact uncover the separate 2014 theft.

The company said in a statement at the time that it was “committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”

Those facts: Peace is the same name – he or she goes by peace_of_mind in the dark markets, or simply “Peace” – of the person who’s gone online recently to sell data sets from years-old breaches at Tumblr, LinkedIn and MySpace.

The Yahoo haul dwarfs them all, according to Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned.

What to do?

Change your password.

Yes. If you haven’t changed it since 2014, do it now.

And change that password on any other sites you use. Make sure each online account has a different password, and make them all strong.

Also, it’s a good time to change your security questions. If you’re one of the half a billion users who’s been affected by the breach, you won’t have a choice about that, since Yahoo’s gone and invalidated your security questions for your safety.

From Yahoo’s statement:

Yahoo is notifying potentially affected users and has taken steps to secure their accounts.

These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.

Why did it take 2 years to uncover?

Huge breached data sets emerging years after attacks have become a bit of a trend recently.

Over the past few months, we’ve seen multiple massive data sets put up for sale online, all dating back to breaches that are pretty ripe.

To wit:

The 500 million accounts affected in the Yahoo breach top these 10 previous breaches, as listed by haveibeenpwned.com:

  • MySpace: 359 million accounts
  • LinkedIn: 164 million accounts
  • Adobe: 152 million accounts
  • Badoo: 112 million accounts
  • VK: 93 million accounts
  • Dropbox: 68 million accounts
  • Tumblr: 65 million accounts
  • iMesh: 49 million accounts
  • Fling: 40 million accounts
  • Last.fm: 37 million accounts

There are rumblings about why Yahoo waited so long to disclose the attack.

Recode first reported on Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.

Democratic Senator Mark Warner, a former technology executive, on Thursday issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He called for a federal “breach notification standard” to replace data notification laws that vary by state. The senator also said he was “most troubled” that the public was only learning of the incident now, two years after it happened.


Image of Yahoo courtesy of Ken Wolter / Shutterstock.

8 Comments

Several years ago on Yahoo’s dating site, I reported profiles that had the same photo with similar details on nearly 20 accounts. They never took any of them down. A few months later there was a class action suit on them for using fake profiles to lure more paying customers. I stopped using all of Yahoo’s services (including free email) right then. They can crash and burn, it was earned.

Reply

Multiple dating profiles on Yahoo? This sounds like Wells Fargo’s executives ordering 5300 low-level employees to create more than TWO MILLION fake accounts in their customers’ names, without the knowledge of said customers. (The execs subsequently received bonuses for the fraud and the low-level employees were fired for same.)

Reply

I have just been on the Yahoo! site to change my password. What an absolutely appalling process! There is nothing on the home page in the least bit suggestive of a means to change your password. One might have thought that in the present circumstances they would at the very least have displayed a banner link across the top of the home page to take users to the relevant page.
The route I eventually found was via the tiny Safety link in the extreme bottom right corner of the page. Still no indication of how to change your password! But, a settings cog has appeared beside my user name. This provides a link to Account Info. Ah! A navigation item – Account Security. Sorry, I’ve lost the will to continue …

Reply

Apparently some Yahoo customers (including me) have passwords managed by a different system. Yahoo manages email and contacts for customers of the former Bellsouth and SBC systems since acquired by AT&T. My email password is the same as my AT&T account password–change one and the other one changes.

HaveIBeenPwned does not report my email address as part of the Yahoo breach, but it does remind me once again of these breaches.
– Dropbox, 2012
– Experian T-Mobile financing credit check (Doesn’t make sense since I haven’t financed anything since I bought a house in 1984 and have never considered using T-Mobile)
– LinkedIn, 2012
– MySpace, 2008

And since it only shows email-related exposures, it doesn’t show the Target, TJMaxx, or BJ’s credit card breaches. In 2014 I went through three credit cards in three months. Apparently security still only becomes a corporate priority after a breach occurs.

Reply

Lucky you! When I change AT&T, Yahoo doesn’t change. I am stuck going around in circles on the phone looking for someone who can help me change it!

Reply

2 years is a long time to not notify users. It appears they were unaware of this hack or chose to ignore it and see what happened. This in turn raises some questions: 1) If you were unaware, what other more recent hacks have occurred that they do not know about? 2) If they chose a wait and see policy, how many other companies are doing this too? If people allow these actions to go unchecked and traditional identity techniques no longer work, then the end consequence will result in being “chipped” to prove identity. It will also control every aspect of your life from the minute you are born. If you value your personal freedoms then you should value securing your identity and take security seriously.

Reply

I am a Sky TV subscriber in the UK and, as a result of Sky using Yahoo services for email, have along with all other Sky customers been asked to change my password. Fine, but when I came to do this, passwords are restricted to letters and numbers and nothing else, what idiocy, so as you can tell I really believe them when they make the stupid statement that “Your security is important to us”. It can’t be; if it were, they would have a far better password policy. Secondly, back when Yahoo first introduced 2 step verification, Sky customers asked Sky if we were going to get the same feature; the reply back then was no and there were no plans to implement it or ask Yahoo if they were going to make it available. While this would not have prevented the breach, it adds an extra layer that a hacker needs to get through if they do manage to crack a password. But again, this simply proves that all these huge companies that store your data either don’t have a clue or don’t really care.

Reply
