Yahoo has confirmed that the user information for 500 million accounts was stolen in a 2014 data breach. The company is now recommending all users to change their Yahoo account passwords if they haven’t done so since 2014.
Yahoo’s Troubled Security Past
Back in 2013, Yahoo, along with Google, learned from Edward Snowden's documents that the NSA was inside its network and transferring millions of records every day to its own headquarters.
A year later, Snowden’s documents also revealed that UK’s GCHQ intelligence agency was spying on the webcams of millions of Yahoo Messenger users. The documents showed the data breach as dating between 2008 and 2010, but the spying may have continued in the following years.
Like many other large web services companies, Yahoo started taking security more seriously following Snowden’s revelations. That's when it began encrypting both its website’s traffic and the email data flowing between its servers.
2014 Data Breach
The 2014 data breach may have happened just before all security measures were in place, or the attackers may have remained in the network without Yahoo being aware of it. It’s also possible that the attackers got in even after Yahoo took a stronger security stance.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, Yahoo’s Chief Information Security Office (CISO).“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” he added.
The company said it believes the attack was “state sponsored,” although it hasn’t revealed what information it has to support that claim. It's also not clear if it's referring to the same intelligence agencies we already know have hacked it before (NSA and GCHQ) or some other country's agency. Yahoo added that the attacker is no longer in the company’s network, so if users change their passwords now, they should be safe.
Yahoo’s Recommendations For Affected Users
Yahoo’s CISO said that the company has already notified all potentially affected users and asked them to change their passwords. Unencrypted security questions and answers were also disabled, and Yahoo is collaborating with law enforcement on the matter. The company asked users to look out for suspicious activity in their accounts, and avoid clicking on attachments from unsolicited email.
Yahoo recommended that users try the “Yahoo Account Key” as an alternative to passwords. The feature works the same as Google’s recently announced “Google Prompt.” The difference is that instead of acting as a second factor of authentication (with the password being the first), it’s acting as the first one. To make it work, you’ll have to download the Yahoo Mail app on Android or iOS and enable the feature.
Yahoo said that more information about the data breach could be revealed by the end of the investigation.
