Yahoo says a state-sponsored actor stole the account information for at least 500 million of its users in a breach that occurred back in late-2014. On 22 September, Yahoo CISO Bob Lord confirmed that the hack might have compromised several pieces of its users' account information:
"We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
There's good news and bad news. First the bad news. Yahoo's investigation into the security incident suggests the unnamed state-sponsored actor made off with at least 500 million of its users' account information. The good news? The American technology company's security team has found no indication that the hackers made off with unprotected passwords, payment card data, or banking information.
Technology news outlet Recode said something like this would happen. Its sources said Yahoo was getting ready to confirm the legitimacy of 200 million users' account details dating back to 2012 that a computer criminal named "Peace" posted for sale on a dark web marketplace back in August 2016. Peace is the same computer criminal behind many of the recent "mega-breaches," including Tumblr and LinkedIn. At the time of the leak, Yahoo said it was only "aware of a claim." Thursday's statement reveals that the 2014 breach was even bigger than the 2012 incident. Lord recommends that all Yahoo users who haven't changed their passwords since 2014 do so as soon as possible. Users are also urged to disable security questions so that attackers can't abuse those unencrypted answers to gain unauthorized access to their account. For its part, Yahoo is looking at upping the security on its systems and notifying affected users. As Lord explains:
"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
As of this writing, the company is working with law enforcement as it continues to investigate the breach.
