Yahoo confirms state-sponsored attacker stole personal data of “at least” 500 million users
As indicated by an earlier report, Yahoo today confirmed it’s working with law enforcement to investigate a data breach which affected the account information of “at least” 500 million users. The company says that the user account information was stolen from its network in late 2014 by what it now believes to be a state-sponsored actor.
The stolen information includes people’s names, email addresses, telephone numbers, birth dates, passwords (most hashed with bcrypt), and, in some cases, encrypted or unencrypted responses to security questions and answers.
This makes the data breach one of the most serious to date, given not only who may be behind it, but the nature of the information the attackers were able to access, as well as the scale.
With the answers to security questions, a hacker could easily jump through a number of online forms to reset users’ passwords on sites where an additional means of account verification – like two-factor authentication – is not involved.
Yahoo says it has invalidated all the unencrypted security questions and answers so they can’t be used to access a Yahoo account, but of course, web users have the culture of using the same question and answer in different online accounts.
However, the attacker did not gain access to unprotected passwords, according to Yahoo and also they were unable to get payment card information or bank account information, as these were housed in a different server.
The company started notifying affected users beginning at 11:30 AM PDT, and asking them to change their passwords as well as adopt an alternate means of account verification. It will also ask those who haven’t updated their passwords since 2014 to now do so, too.
Even if you weren’t affected by the breach, Yahoo suggests using Yahoo Account Key, a newer authentication tool that increases security but eliminates the need to use a password.
Yahoo says it’s working with law enforcement on the matter, and that it found no evidence that the state-sponsored actor is currently on its network. However, the investigation is ongoing.
Yahoo users are therefore advised to take extra care by avoiding links from emails because, following a large-scale breach like this, other hackers will attempt to capitalize on the news for their own ends.
Yahoo cautions users to be on the lookout for any unsolicited emails, and to avoid clicking links or downloading the attachments they may contain.