Yahoo announced a state-sponsored actor stole email addresses, passwords and birth dates. Change your passwords. Now.

yahoo-hackHackers swiped personal information associated with at least a half billion Yahoo accounts, the company said Thursday (Sept. 22, 2016), marking the biggest data breach in history. The hack, which took place in 2014, revealed names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, Yahoo said in a press release. Encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also taken.

The internet company is in the process of selling itself to Verizon, said it’s “working closely” with law enforcement. It called the hackers a “state-sponsored actor,” though it didn’t identify a country behind the breach. Yahoo urged users to change their passwords if they haven’t since 2014. The company has 1 billion monthly active users for all its internet services, which span finance, online shopping and fantasy football. Its mail service alone has about 225 million monthly active users, Yahoo told CNET in June.

The hack serves as a reminder of how widespread hacking is and highlights the vulnerability of passwords. Cybersecurity specialists recommend using a different password for each account you have on the internet. Other experts are working on alternatives to passwords, such as biometrics like your fingerprint or retina.

“Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud,” said Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. “We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether.”

The breach has exposed at least 500 million accounts’ names, email addresses, phone numbers and dates of birth. In some cases, security questions and answers too.

Verizon, which is paying $4.83 billion for Yahoo, said it was notified of the massive breach within the last two days. The telecommunications giant had “limited information and understanding of the impact,” according to a statement.  “We will evaluate, as the investigation continues, through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” according to Verizon.


Additional information was reported by the Financial Times that management knew about the hack as early as in July thus chief executive Marissa Mayer and her board are facing serious questions over the handling of the largest-ever cyber attack recorded, as customers, regulators and even its new owners search for answers on why a two-year-old data breach has only just come to light.

The revelation that the details of 500m Yahoo accounts were hacked in late 2014 was confirmed on Thursday, only 13 days after the company issued a statement to the Securities and Exchange Commission that said it had no knowledge of “any incidents” of “security breaches, unauthorised access or unauthorised use” of its IT systems.

Yet Yahoo is understood to have kicked off an investigation into a potential attack on July 30, which carried on into August. The investigation of a potential breach came only five days after a deal to sell Yahoo’s core business to Verizon for $4.8bn was struck.

Source:  Financial Times

Editorial comment:  Why are the high and mighty of Silicon Valley to aloof and reckless?  The SEC may take a hard line on this event.