Yahoo’s worst hack ever, 500 million accounts hacked

Unprotected passwords weren’t part of the breach, Yahoo said, but hashed or digitally obscured passwords may have been taken.

He was asking three bitcoin for the information – around £1,400 at the time, Motherboard said. Any unencrypted security questions and answers will be invalidated, meaning that users will have to submit new ones.

Thorsheim said the other issue is that there are probably millions of people who have forgotten about a Yahoo email account they used to have.

Could this happen again?

The attorney on the San Diego case, David Casey, told the Mercury News he expected many other lawsuits to be filed against Yahoo over the breach, and he anticipated they’d all be rolled into one class action suit. The worst hack to ever hit them.

Yahoo is under pressure to release more details on the attack and explain why it took so long to detect.

Corey Williams, from security software firm Centrify, said: “Yahoo may very well be facing an existential crisis”. The hackers may have stolen email addresses, names, dates of birth, telephone numbers and encrypted passwords.

Yahoo confirmed on Thursday that more than 500 million of its user accounts had been stolen in a breach said to have occurred in late 2014.

“We understand that Yahoo is conducting an active investigation of this matter, but otherwise we have limited information and understanding of the impact”, Verizon said in a statement. It did say, however, that users’ Tumblr accounts have not been affected. Yahoo has also invalidated unencrypted security questions and answers so they cannot be used to access an account. This has led to criticism from analysts over Yahoo’s security set-up and failure to report the breach. These hackers had breached and sold credentials from several major online services between 2012 and 2013. Users should also check their various online accounts for suspicious activity, the company says.

The breach targeted passwords and users’ security questions and answers. Yahoo suggests that it was the victim of a nation-state attack – an attack by a country’s security service.

It’s hard to say at this point exactly who carried out the hack and why.

Yahoo refers constantly to a “state sponsored actor” but so far has given no evidence for that, let alone which state sponsored it and why Yahoo was attacked.
