500 million Yahoo user accounts breached in hack

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen”, said a statement from the United States internet giant, in what is likely the largest-ever breach from a single organisation.

Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.

Yahoo said it was working with law enforcement on the matter.

“All of this compromised information is very useful for criminals in order to hijack user identities and use them for fraudulent purposes”, Avivah Litan, an analyst with Gartner, said. Yahoo will be prompting anyone who hasn’t changed their password since 2014 (!) to go do so now. The price, which includes Yahoo’s core internet business and some real estate, capped a remarkable fall for the Silicon Valley web pioneer that had a market capitalization of more than $125 billion at the height of the dot-com boom in early 2000.

Yahoo said the stolen information may have included names, e-mail addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.

No evidence has been found to suggest the state-sponsored actor is now in Yahoo’s network. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards. That included invalidating unencrypted security questions and answers and asking users to change their passwords.

Update: Yahoo has confirmed the breach. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.

MobileSyrup has reached out to cybersecurity experts to comment on the breach.

Yahoo is in the process of notifying potentially affected users and has “taken steps to secure their accounts”. “It can be easy for the ‘right thing to do’ to slip through the cracks in a multi-billion-dollar transition”, said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm. Recode’s source told the site the planned announcement was as bad or worse than that.

“Within the last two days, we were notified of Yahoo’s security incident”.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities”, Verizon said.

Photo: Eric Risberg / AP