With nearly half a billion accounts compromised, it makes it one of the largest data breaches of the Internet age.
Advertisement
The company launched a program to notify users if their accounts had been compromised by state-sponsored hackers in 2015 – a year after this breach.
Three US intelligence officers told Reuters that “because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction”, the cyber attack was probably state-sponsored. The latter is not out of the realms of possibility, and could happen if users shun Yahoo or file lawsuits against the company.
The hacker – known as “Peace” – stole information including names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.
Joining the list of global companies who have faced users’ data breach in the recent past, a Yahoo investigation has confirmed that at least 500 million user accounts were hacked in late 2014 which, it believes, was a “state-sponsored” attack. These include invalidating unencrypted security questions and answers so that they can not be used to access an account and asking potentially affected users to change their passwords.
The company urged anyone who has not changed passwords since 2014 to do so immediately. During the investigation, however, the company’s researchers found a data breach on a much higher scale, which had gone undetected for two over years.
It is the latest blow for troubled Yahoo, which sold its internet business to USA telecoms giant Verizon in July for $4.8bn (€4.3bn).
Yahoo Inc said that it was working with law enforcement on the matter. If the same password is used to access other sites, it should be changed too, as should any security questions similar to those used on Yahoo.
Security researcher Kurt Baumgartner from Kaspersky Lab also criticised Yahoo for its slow response to the attack but said it was not unexpected. “We will evaluate as the investigation continues through the lens of overall Verizon interests”, the company said.
It was not clear how this disclosure might affect the deal of Yahoo with Verizon Communications.
Advertisement
Democratic Senator Mark Warner, a former technology executive, on Thursday issued a statement that said the “seriousness of this breach at Yahoo is huge”.
