Yahoo confirms 'state-sponsored' attack and theft of 500 million account details
Yahoo users who have not changed their passwords since 2014 are being advised to do so. The company has confirmed that it suffered a major security breach back in 2014 and that information relating to 500 million accounts was stolen.
Yahoo says that the attack was carried out by a "state-sponsored actor" but does not elaborate on who it might be. The data accessed includes "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers".
This is clearly a huge deal, and the one saving grace is that users' payment and bank details were not included in the breach. Yahoo says that there is no evidence that the culprit is still in its network, and the company is working with law enforcement to seek justice.
Despite the scale of the security breach, Yahoo chose to issue a statement about the incident via its Investor Relations website rather than something more consumer-focused. The company says:
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so.
Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
There is, however, also a FAQ page which contains advice for concerned Yahoo users. With Yahoo's sale to Verizon not too far in the future, questions will almost certainly be raised about why details of the attack were not released sooner.
Industry analysts expect the backlash to be unforgiving, and it's an event that's likely to cost Yahoo a portion of its user base. Encryption company Alertsec found that the vast majority of Americans (97 percent) were unsettled by data breaches, and more than a fifth lose faith in a company affected by a security breach. Alertsec CEO Ebba Blitz said:
Alertsec's brand value research demonstrates just how difficult it will be for Yahoo!'s brand to recover from this breach. Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men. According to our study, nearly one in three Americans said it would take them several months to begin trusting a company like Yahoo again following a data breach. Twenty-two percent said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men are also more likely to switch to a competitor following a data breach than are women.