The email provider estimates that more than 500 million users were impacted. The security breakdown risks magnifying Yahoo’s preexisting problems – specifically, that it is losing users, traffic and the advertising revenue that follows both, to rivals such as Google and Facebook. “Until then, we are not in position to further comment”.
Advertisement
What should I do on my Yahoo account?
It is the latest blow for troubled Yahoo, which sold its internet business to U.S. telecoms giant Verizon in July for $4.8bn (€4.3bn).
Yahoo says it has begun notifying “potentially affected users”.
Yahoo was already facing a steep decline in email traffic, despite CEO Marissa Mayer’s efforts to upgrade the service in order to foster more user loyalty.
It was 2013 when around 400,000 Xtra Mail customers had to change passwords after widespread phishing attacks that followed an apparent breach of Yahoo’s servers.
The firm announced in July that it would be buying Yahoo’s operating business – including its search and email services and news pages – for 4.83 billion United States dollars (£3.7 billion). By contrast, Google’s rival Gmail service saw desktop users rise 9 percent to almost 429 million over the same period.
At the time of the break-in, Yahoo’s security team was led by Alex Stamos, a respected industry executive who left a year ago to take a similar job at Facebook. Yahoo is blaming the hack on a “state-sponsored actor”. The company added that it looks as if the hacker is no longer in its network, and it’s working closely with law enforcement authorities on the investigation. However, Yahoo investigated the sale and found no evidence that it was legitimate, the source said.
Shuman Ghosemajumder, Chief Technology Officer of Shape Security, warns that the shockwaves from the breach could be felt far beyond Yahoo. They’re going be stealing your money.
Yahoo has confirmed that the stolen account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo’s investigation on this matter has found that hackers did not steal unprotected passwords, payment card data, or bank account information of users.
While the breach comprised mostly low-value information, it did include security questions and answers created by users themselves.
A former Yahoo employee said the Q&A were deliberately left unencrypted, which allowed Yahoo to catch fake accounts more easily because fake accounts tended to reuse questions and answers.
News of the security lapse could cause some people to have second thoughts about relying on Yahoo’s services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon.
Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company.
The Yahoo breach follows a rising number of other large-scale data attacks and could make it a watershed event that prompts government and businesses to put more effort into bolstering defences, said Dan Kaminsky, a well-known internet security expert. That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.
On Thursday, Sen. Richard Blumenthal, D-Conn., called on investigators to determine whether Yahoo intentionally withheld information about the incident to “artificially bolster its valuation” by Verizon – a potentially serious act of deception.
“We will evaluate as the investigation continues through the lens of overall Verizon interests”, the company said.
Advertisement
“We would like to remind all customers to change their password and security questions for their Xtra account and any other account on which you used the same or similar information”.
