The breach is said to have occurred in late 2014 and included names, email addresses, phone numbers and birth dates. Their investigation suggests that information did not include unprotected passwords.
Advertisement
The company confirmed that a hack, which took place in 2014, saw details associated with 500 million user accounts being stolen.
Yahoo announced that it is working with law enforcement on investigating the matter.
Yahoo had no evidence that the stolen bcrypt-protected passwords or security questions and answers were used to gain unauthorised access to Spark accounts.
For now, Yahoo is recommending that users change their passwords if they have not done so since 2014.
While this goes on, Yahoo said it will be notifying potentially affected user and prompting them to change their passwords, as well as invalidate unencrypted security questions. “It’s unfortunate that when we are talking about this organization, a massive breach doesn’t come as a big surprise”, he said.
Data of 500 million Yahoo users has been stolen in what has been described as the largest hack of its kind to date, prompting cyber security experts to unleash an avalanche of criticism about the lack of circumspection in the industry.
Alex Mathews, from online security firm Positive Technologies, said: “The elephant in the room is Yahoo’s admission that “encrypted or unencrypted security questions and answers” might be amongst the hackers’ haul”.
For Yahoo, the timing of the leaked data could not be worse as it is now in the process of being bought by Verizon for £3.7 billion. Like many internet companies that have been breached, LinkedIn only reset passwords of everyone it believed was part of the breach at the earlier time, which amounted to 6.5 million users.
It was 2013 when around 400,000 Xtra Mail customers had to change passwords after widespread phishing attacks that followed an apparent breach of Yahoo’s servers. Why did it take so long to tell users and prompt them to protect themselves?
The data breach is bad enough; what makes it even worse is that it has taken two years for Yahoo to inform its users of it.
Advertisement
Reuters reported three unnamed USA intelligence officials as saying they believed the attack was state-sponsored because it was similar to previous hacks linked to Russian intelligence agencies.
