Yahoo has confirmed that the user information for 500 million accounts was stolen in a 2014 data breach. The company is now recommending that all users change their Yahoo account passwords if they haven’t done so since 2014.
Yahoo’s Troubled Security Past
Back in 2013, Yahoo, along with Google, learned from Edward Snowden's documents that the NSA was inside its network and transferring millions of records every day to its own headquarters.
A year later, Snowden’s documents also revealed that UK’s GCHQ intelligence agency was spying on the webcams of millions of Yahoo Messenger users. The documents showed the data breach as dating between 2008 and 2010, but the spying may have continued in the following years.
Like many other large web services companies, Yahoo started taking security more seriously following Snowden’s revelations. That's when it began encrypting both its website’s traffic and the email data flowing between its servers.
2014 Data Breach
The 2014 data breach may have happened just before all security measures were in place, or the attackers may have remained in the network without Yahoo being aware of it. It’s also possible that the attackers got in even after Yahoo took a stronger security stance.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, Yahoo’s Chief Information Security Officer (CISO). “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” he added.
The company said it believes the attack was “state sponsored,” although it hasn’t revealed what information it has to support that claim. It's also not clear if it's referring to the same intelligence agencies we already know have hacked it before (NSA and GCHQ) or some other country's agency. Yahoo added that the attacker is no longer in the company’s network, so if users change their passwords now, they should be safe.
Yahoo’s Recommendations For Affected Users
Yahoo’s CISO said that the company has already notified all potentially affected users and asked them to change their passwords. Unencrypted security questions and answers were also disabled, and Yahoo is collaborating with law enforcement on the matter. The company asked users to look out for suspicious activity in their accounts and to avoid clicking on attachments in unsolicited email.
Yahoo recommended that users try the “Yahoo Account Key” as an alternative to passwords. The feature works the same as Google’s recently announced “Google Prompt.” The difference is that instead of acting as a second factor of authentication (with the password being the first), it’s acting as the first one. To make it work, you’ll have to download the Yahoo Mail app on Android or iOS and enable the feature.
Yahoo said that more information about the data breach could be revealed by the end of the investigation.
Why Verizon Communication wants any of it is a mystery. She just partied like the Costa Concordia cruise ship captain did while it was headed right for the rocks... except she will just get a nice $50 million severance package and no jail.
Supposing that's even true, it's at the expense of an organization that just waits for two years after being hacked to reveal to its users that their passwords and other personal info have been stolen.
If I had to choose between having my data mined versus having it withheld from me that my data was stolen, I choose mining. And in reality, I'm sure Yahoo is mining your data as much as Google and just not telling you.
They said it was a recent investigation that revealed the information. In other words, they didn't know they had been hacked for two years.
You say it like that's a defense.
Well, since she took the helm, the stock price has approximately tripled, adding about $30B to their market cap. So, I doubt most of their investors would agree with you.
I'm not going to argue whether or not she could've done better. About the only thing I would say is that it seemed bone-headed and probably hypocritical for her to ban employees from working from home.
Since its inception, Yahoo has played in just about every online business model there is: shopping, auctions, payments, social media, video sharing, dating, careers... you name it, they've tried it. It's kinda sad, and possibly reveals a deeper truth, that they couldn't really succeed in any of them.