Yahoo confirms at least 500M accounts impacted by 2014 security breach
Yahoo on Thursday announced that information associated with at least 500 million accounts was stolen in a security breach of its network in 2014, claiming a "state-sponsored actor" was behind the attack.
According to a statement released through Yahoo's official Tumblr page, the stolen data includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Yahoo does not believe unprotected (cleartext) passwords were taken, and it says payment card and bank account information was not affected because that data is not stored on the compromised system.
Yahoo discovered the breach this summer while investigating a separate incident, The New York Times reports: hackers had posted an alleged cache of Yahoo user data to underground forums and marketplaces. Yahoo's findings on that cache were inconclusive, but the investigation unearthed a 2014 breach that the company attributes to a state-sponsored actor, the report said.
Though Yahoo declined to name the country it believes was involved in the attack, the company said an ongoing investigation found no evidence that the person or persons are currently on its network.
In addition to its own internal investigation, Yahoo is cooperating with law enforcement agencies to resolve the matter.
"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," said Bob Lord, CISO at Yahoo. "Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
Yahoo is in the process of notifying users who might be affected by the breach via email. Those affected are urged to change their passwords and their security questions and answers, and the company suggests that users who have not changed their password since 2014 do the same. As a precaution, Yahoo has invalidated unencrypted security questions and answers so they cannot be used to gain unauthorized access to affected accounts.
News of the security breach comes at a sensitive time for Yahoo, which is in the midst of being taken over by Verizon Communications in an acquisition worth $4.8 billion. The Times reports Verizon is still moving forward with the purchase, though what effect the breach might have on Yahoo's price is unclear.
Comments
"Yahoo will notify users by email"
except my email was hacked and I can't log in.
The question I have is about my long time AT&T email address. Yahoo has hosted AT&T’s email services for over ten years and the reports don’t mention if those email addresses were compromised.
https://verizon.yahoo.com/#5zNetworks
Richard Sison Ferrer Sr.
GMA- Google Microsoft Apple
iRS -Information Right Software...
It's about time that a law or regulation gets passed that requires prompt and full disclosure of hacking. Also, there should be a huge penalty to stores, credit card companies, ISPs, email service providers, etc., if they do not offer and encourage the use of things like two factor authentication and ApplePay.
Right now it's considered a cost of doing business, but it is a terrible inconvenience and in some cases a financial crisis for users. The big concern is NOT the pain and risk but rather the bad PR. Their actions are to give users "free credit checking services." This is grossly inadequate since it is troublesome, after the fact, generally a placebo for real correction, and dirt cheap.
At a minimum there should be a $100 to $1000 fine for each account potentially hacked with the funds put into escrow for reparations and whatever is left over goes into general fund to research and deploy improved security measures by businesses.
The criminally negligent deployment of smart credit cards in the US [note world wide for over a decade] should make clear the utter disregard that business has for customer privacy and protection.
Automatic encryption of all email and "data at rest" on computers and email servers should be required including mobile devices. The Government interest in access to my data should be secondary to this capability.