Yahoo Data Breach Exposed 500 Million Accounts In 2014

By Lucian Armasu
published

Yahoo has confirmed that the user information for 500 million accounts was stolen in a 2014 data breach. The company is now recommending all users to change their Yahoo account passwords if they haven’t done so since 2014.

Yahoo’s Troubled Security Past

Back in 2013, Yahoo, along with Google, learned from Edward Snowden's documents that the NSA was inside its network and transferring millions of records every day to its own headquarters.

A year later, Snowden’s documents also revealed that UK’s GCHQ intelligence agency was spying on the webcams of millions of Yahoo Messenger users. The documents showed the data breach as dating between 2008 and 2010, but the spying may have continued in the following years.

Like many other large web services companies, Yahoo started taking security more seriously following Snowden’s revelations. That's when it began encrypting both its website’s traffic and the email data flowing between its servers.

2014 Data Breach

The 2014 data breach may have happened just before all security measures were in place, or the attackers may have remained in the network without Yahoo being aware of it. It’s also possible that the attackers got in even after Yahoo took a stronger security stance.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, Yahoo’s Chief Information Security Office (CISO).“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” he added.

The company said it believes the attack was “state sponsored,” although it hasn’t revealed what information it has to support that claim. It's also not clear if it's referring to the same intelligence agencies we already know have hacked it before (NSA and GCHQ) or some other country's agency. Yahoo added that the attacker is no longer in the company’s network, so if users change their passwords now, they should be safe.

Yahoo’s Recommendations For Affected Users

Yahoo’s CISO said that the company has already notified all potentially affected users and asked them to change their passwords. Unencrypted security questions and answers were also disabled, and Yahoo is collaborating with law enforcement on the matter. The company asked users to look out for suspicious activity in their accounts, and avoid clicking on attachments from unsolicited email.

Yahoo recommended that users try the “Yahoo Account Key” as an alternative to passwords. The feature works the same as Google’s recently announced “Google Prompt.” The difference is that instead of acting as a second factor of authentication (with the password being the first), it’s acting as the first one. To make it work, you’ll have to download the Yahoo Mail app on Android or iOS and enable the feature.

Yahoo said that more information about the data breach could be revealed by the end of the investigation.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
Topics
Security
17 Comments Comment from the forums
  • DookieDraws
    2014 data breach and now FINALLY recommending all users change their Yahoo account passwords. WOW! Thanks for the heads up, Yahoo!
    Reply
  • kenjitamura
    Oh my god this is huge. There were still 500 million people even using yahoo in 2014?!
    Reply
  • captaincharisma
    the only thing i ever used yahoo for was a dummy e-mail account
    Reply
  • jasonelmore
    yea people still use yahoo, because it's email is 100x better than gmail, and has the added bonus of not being a data miner
    Reply
  • 10tacle
    Marissa Mayer has been an epic failure and was not qualified to be CEO of Yahoo. Yahoo was a sinking ship, but her failed app acquisitions and countless other failed business decisions have all but destroyed Yahoo.

    Why Verizon Communication wants any of it is a mystery. She just partied like the Costa Concordia cruise ship captain did while it was headed right for the rocks...except she will just get a nice $50 million severance package and no jail.
    Reply
  • dstarr3
    18635143 said:
    yea people still use yahoo, because it's email is 100x better than gmail, and has the added bonus of not being a data miner

    Supposing that's even true, it's at the expense of an organization that just waits for two years after being hacked to reveal to its users that their passwords and other personal info has been stolen.

    If I had to choose between having my data mined versus having it withheld from me that my data was stolen, I choose mining. And in reality, I'm sure Yahoo is mining your data as much as Google and just not telling you.
    Reply
  • beayn
    >>>Supposing that's even true, it's at the expense of an organization that just waits for two years after being hacked to reveal to its users that their passwords and other personal info has been stolen.

    They said it was a recent investigation that revealed the information. In other words, they didn't know they had been hacked for two years.
    Reply
  • dstarr3
    18635558 said:
    >>>Supposing that's even true, it's at the expense of an organization that just waits for two years after being hacked to reveal to its users that their passwords and other personal info has been stolen.

    They said it was a recent investigation that revealed the information. In other words, they didn't know they had been hacked for two years.

    You say it like that's a defense.
    Reply
  • DannyBr
    Who cares now. Everyone is using google in 2016 :P
    Reply
  • bit_user
    18634446 said:
    2014 data breach and now FINALLY recommending all users change their Yahoo account passwords. WOW! Thanks for the heads up, Yahoo!
    They say they didn't know about it, 'till now. I think the timing (relative to the Verizon acquisition) is suspicious. A big hack, like this, could've hurt their valuation and made them a less desirable target.

    18635143 said:
    has the added bonus of not being a data miner
    Oh, really?

    18635314 said:
    Marissa Mayer has been an epic failure and was not qualified to be CEO of Yahoo. Yahoo was a sinking ship, but her failed app acquisitions and countless other failed business decisions have all but destroyed Yahoo.

    Why Verizon Communication wants any of it is a mystery. She just partied like the Costa Concordia cruise ship captain did while it was headed right for the rocks...
    Well, since she took the helm, the stock price has approximately tripled, adding about $30B to their market cap. So, I doubt most of their investors would agree with you.

    I'm not going to argue whether or not she could've done better. About the only thing I would say is that it seemed bone-headed and probably hypocritical for her to ban employees from working from home.

    Since their inception, Yahoo has played in just about every online business model there is: shopping, auctions, payments, social media, video sharing, dating, careers... you name it, they've tried it. It's kinda sad, and possibly reveals a deeper truth, that they couldn't really succeed in any of them.
    Reply