Information including names, email addresses, telephone numbers and hashed passwords may have been stolen. “They couldn’t just come in and take the grand piano”.
Advertisement
Prior to Thursday’s confirmed breach, Yahoo had already been investigating another leak. “Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016”, the complaint states. It might also be an easy excuse to deflect blame for a company’s own security lapses, by suggesting it had no hope of defeating hackers who had all the resources of a government intelligence agency behind them, warned Gunter Ollmann, chief security officer at Vectra Networks, a San Jose, California, security firm. The security breakdown risks magnifying Yahoo’s preexisting problems – specifically, that it is losing users, traffic and the advertising revenue that follows both, to rivals such as Google and Facebook. “Yahoo was once the number one email provider”. Russian hackers are suspected as being behind the breach. This has led to criticism from analysts over Yahoo’s security set-up and failure to report the breach.
Why it took so long for Yahoo to find out and inform the public wasn’t clear from the company’s statement on the breach.
“This is probably the worst thing that could have happened”, said Brad Bussie, director of product management at Stealthbits Technologies.
Yahoo has said that it believes that the breach was perpetrated by a state-sponsored actor. “The seriousness of this breach at Yahoo is huge”, Democratic Senator Mark Warner said Thursday. “We will evaluate as the investigation continues”, Verizon said.
“Within the last two days, we were notified of Yahoo’s security incident”, Verizon said in a statement. The company added that most of the passwords stolen were hashed with bcrypt, making them exceptionally hard to crack. If the same password is used to access other sites, it should be changed too, as should any security questions similar to those used on Yahoo. The stolen email addresses alone put users at risk of spam attacks and the additional information could be used to trick users into divulging more information about themselves.
These steps include invalidating unencrypted security questions and answers so that they can not be used to access an account and asking potentially affected users to change their passwords.
Several users said they were scrambling to change log-in information, not just for Yahoo but for multiple internet accounts with the same passwords.
Security experts say it’s not uncommon for there to be a significant delay between a breach and its disclosure. Yahoo is just the latest high-profile company to fall victim.
Advertisement
Verizon declined to comment on how the breach might affect the deal. He noted that the 2010 attack on Google was blamed on Chinese hackers who also targeted US companies outside the tech industry. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.
