Yahoo Confirms Half A Billion User Accounts Hacked, Blames "State-Sponsored Actor" For Breach
Tyler Durden's picture
by Tyler Durden
Sep 22, 2016 1:37 PM
Earlier today we reported that based on a ReCode announcement, some 200
million Yahoo user accounts (yes, apparently Yahoo has that many users)
may have been hacked. Moments ago, Yahoo confirmed the report, only it
increased the total from 200 to 500 million, and- in keeping with all
the recent Democratic Party hacks - blamed a "state-sponsored
actor." Which is ironic because as we said this morning, "the
latest massive data breach may or may not be blamed on Putin." It looks
like it just was.
Here is the official announcement:
A recent investigation by Yahoo! Inc. (NASDAQ:YHOO)
has confirmed that a copy of certain user account information was
stolen from the company's network in late 2014 by what it believes is a
state-sponsored actor. The account information may have included names,
email addresses, telephone numbers, dates of birth, hashed passwords
(the vast majority with bcrypt) and, in some cases, encrypted or
unencrypted security questions and answers. The ongoing investigation
suggests that stolen information did not include unprotected passwords,
payment card data, or bank account information; payment card data and
bank account information are not stored in the system that the
investigation has found to be affected. Based on the ongoing
investigation, Yahoo believes that information associated with at least
500 million user accounts was stolen and the investigation has found no
evidence that the state-sponsored actor is currently in Yahoo's
network. Yahoo is working closely with law enforcement on this matter.
Yahoo is notifying potentially affected users and
has taken steps to secure their accounts. These steps include
invalidating unencrypted security questions and answers so that they
cannot be used to access an account and asking potentially affected
users to change their passwords. Yahoo is also recommending that users
who haven't changed their passwords since 2014 do so.
Yahoo encourages users to review their online
accounts for suspicious activity and to change their password and
security questions and answers for any other accounts on which they use
the same or similar information used for their Yahoo account. The
company further recommends that users avoid clicking on links or
downloading attachments from suspicious emails and that they be
cautious of unsolicited communications that ask for personal
information. Additionally, Yahoo asks users to consider using Yahoo
Account Key, a simple authentication tool that eliminates the need to
use a password altogether.
Online intrusions and thefts by state-sponsored
actors have become increasingly common across the technology industry.
Yahoo and other companies have launched programs to detect and notify
users when a company strongly suspects that a state-sponsored actor has
targeted an account. Since the inception of Yahoo's program in December
2015, independent of the recent investigation, approximately 10,000
users have received such a notice.
Additional information will be available on the
Yahoo Security Issue FAQs page, https://yahoo.com/security-update,
beginning at 11:30 am Pacific Daylight Time (PDT) on September 22, 2016.
So much for using secure 9-character or more long passwords including
capital letters, special characters and numbers. What is more ironic is
that Verizon is paying $4.8 billion for the only asset that Yahoo has,
or rather had, its user information, which is now publicly available
for $1800 on the dark web.