Information from at least 500 million Yahoo accounts was stolen from the company in 2014, the company said Thursday, indicating it believes a state-sponsored actor was behind the hack. The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security answers and questions, Yahoo said.
Even in an Internet-dependent population accustomed to the regular occurrence of massive data breaches, the size of this particular one – thought to be the largest ever with regard to user accounts – is attention-grabbing. And the possibility that another country might be behind the attack increases the shock factor.
The FBI said it was aware of the intrusion and is investigating the matter, but did not say whether it had any specific insight into who is behind the attack.
“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the agency said in an emailed statement Thursday.
Claims surfaced at the beginning of August that a hacker using the name “Peace” was trying to sell personal information of Yahoo account users on the dark web – a black market of thousands of secret websites.
Yahoo, which says about 1 billion people globally engage with one of its properties each month, said it was notifying potentially affected users and taking action to secure their accounts, such as invalidating unencrypted security questions and answers. Users who haven’t changed their passwords since 2014 should do so, it said.
Yahoo owns the photo sharing site Flickr and the blogging site Tumblr. No Tumblr accounts were affected. Some Flickr accounts might have been, because in some instances, users’ Flickr and Yahoo IDs are linked. Yahoo is getting in touch with those users.
Yahoo is working to complete a $4.8 billion sale of its core Internet business to media giant Verizon Communications, which said it was notified of the Yahoo breach “within the last two days.”
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said.
Considering the unsettled nature of Yahoo’s ownership, “regulators should be concerned with who will take responsibility for the response to this compromise. It can be easy for the ‘right thing to do’ to slip through the cracks in a multibillion-dollar transition,” said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm.
The breach doesn’t threaten Verizon’s acquisition of Yahoo, says Robert Peck, Internet equity analyst with SunTrust Robinson Humphrey. However, the investigation will probably result in findings that perhaps 5 percent of users have left Yahoo, and this could yield a lower price for Verizon.
Since the security breach is so massive, users’ Internet accounts beyond Yahoo could be affected.
As is typical with these large hacks, experts recommend that account holders change passwords and security questions and answers for virtually every other account on which they use the same or similar information as for their Yahoo account.
In addition, people should avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from Yahoo about the breach.
Hackers often use news of huge breaches to conduct “phishing” campaigns.