Yahoo Reveals Massive Data Breach; Internet Fixates On Fantasy Football

Back in 2014, Yahoo experienced a serious data breach of millions of its accounts, though it never publicly revealed just how many.

The company said it believes a state-sponsored actor was behind the data breach, meaning an individual acting on behalf of a government.

The stolen data includes users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions for verifying an account holder’s identity.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” said a statement by the U.S. internet giant in what is likely the largest-ever breach for a single organization.

The Sunnyvale, California, company declined, for security reasons, to explain how it reached its conclusions about the attack, but said it is working with the Federal Bureau of Investigation and other law enforcement. That data could make users vulnerable if they use the same answers on other sites. The stolen credentials would be at least four years old, so anyone who’s changed their password in the last four years wouldn’t be vulnerable.

First, the password. According to a Gartner survey, 50% of users reuse their passwords across multiple platforms.

The hacker bragged about possessing a billion more accounts’ worth of data, of which only a fraction has since materialized in collections of Twitter and Yahoo data. “This account has been disabled or discontinued”, read one autoresponse to numerous emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account”. You won’t always get a timely notice from a company that an account was compromised – and sometimes it might not even know about a hack until much later. It includes not having a heart attack about the situation while, at the same time, understanding that one’s account breach could mean some very serious things.

At the time of the break-in, Yahoo’s security team was led by Alex Stamos, a respected industry executive who left a year ago to take a similar job at Facebook.

Paul Dwyer, chief executive of Cyber Risk International, an internet security company, said anyone who has a Yahoo account should follow a series of basic steps to ensure they are safe.

The incident is a big deal, since so many have a Yahoo account of some type or other – for email or finance or fantasy sports and so on. They also used compromised accounts to search the web for other vulnerable sites, eventually robbing over 420,000 sites of all sizes.

The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity.

On its own, a password isn’t a strong line of defense. Offered by a hacker using the name “Peace” for the price of three bitcoins (about $1,800), the user data appeared to have been taken in a breach that occurred in 2012.

Information from at least 500 million Yahoo accounts was stolen in 2014