Yahoo hack hit 500 mn users, likely 'state sponsored'

September 22, 2016
Yahoo believes that information associated with at least 500 million user accounts was stolen

Yahoo said Thursday a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been "state sponsored."

Yahoo, which confirmed details of the breach months after reports of a major hack, said its investigation concluded that "certain user account information was stolen" and that the attack came from "what it believes is a state-sponsored actor."

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen," said a statement by the US internet giant in what is likely the largest-ever breach for a single organization.

"Yahoo is working closely with law enforcement on this matter."

The comments come after a report earlier this year quoted a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.

Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts.

While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year the largest to date, with 360 million users affected.

Ammunition for hackers

Computer security analyst Graham Cluley said the stolen Yahoo data "could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web."

He noted that while Yahoo said it believes the hack was state-sponsored, the company provided no details about what makes it think that is the case.

"If I had to break the bad news that my company had been hacked... I would feel much happier saying that the attackers were 'state-sponsored,'" rather than teen hackers, Cluley said in a blog post.

University of Notre Dame associate teaching professor and data security specialist Timothy Carone told AFP that the Yahoo hack fit the "big picture" when it comes to cyberattacks launched by spy agencies in Russia, China, North Korea or other countries.

"It just smacks of traditional tradecraft," Carone said.

"It is a broad sweep of getting information on people and building up profiles on those who may be of use to them."

Carone described Russia, China and North Korea as the usual three suspects in state-sponsored hacks, but cautioned that allies are not above cyber snooping as well.

"People have to realize that anything they put out there is fair game," he said, stressing a need for internet users to remain wary.

It appeared that looted Yahoo data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.

Yahoo is asking affected users to change their passwords, and is recommending that anyone who has not done so since 2014 take the same action as a precaution.

Users of Yahoo online services were urged to review their accounts for suspicious activity, and to change any passwords and security-question information used to log in anywhere else if they matched those at Yahoo.

"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," Yahoo said in a statement.

"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account."

Yahoo being bought

Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company.

It was not immediately clear if the data breach could impact the closing of the deal or the price agreed by Verizon.

"Frankly, the timing couldn't be worse for Yahoo," Cluley said.

The telecom firm said it was reviewing the new information.

"Within the last two days, we were notified of Yahoo's security incident," Verizon said in a statement.

"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."


3 comments


JamesG, Sep 22, 2016
They have always been insecure. I and several people I know had problems with my/our email sending spam mail to everyone in the address book making it look as if it came from me. I changed my password several times but it didn't stop. I cleared the address book and it stopped.
rrrander, Sep 23, 2016
They hired a female CEO with little experience, to be politically correct and to pander to millennials. Look what it got them.
antialias_physorg, Sep 23, 2016
"and scrambled passwords"

What they mean here is password hashes. Which is as bad as getting the passwords in plain text as it allows for pass-the-hash attacks.

"People have to realize that anything they put out there is fair game,"

Which goes contrary to what all companies have been saying to date (i.e. that "your data is safe with us").

"and change passwords and security question information used to log in anywhere else if it matched that at Yahoo."

That's a tall order. Who remembers all the sites they have registered to on the web over the past 20 years?

"They hired a female CEO with little experience, to be politically correct and to pander to millennials. Look what it got them."

Since when are CEOs (or any manager - male or female) cybersecurity experts?
