Yahoo has confirmed that a 2014 data breach affected over 500 million user accounts.
Reports of the breach first surfaced on Thursday after Recode published a post suggesting that Yahoo was about to confirm rumours of a large breach. However, Motherboard first published rumours of a breach back in August, a week after Verizon announced its intention to acquire Yahoo’s core business.
It was revealed at the time that a cybercriminal by the name of “Peace” was selling over 200 million user accounts on the dark web for 3 bitcoins, or approximately $1860. It’s unclear, however, how this news will affect the pending $4.8 billion acquisition of Yahoo’s assets.
The breach supposedly happened in 2014, potentially leaving users exposed for two years before Yahoo confirmed the accusations. Yahoo may decide to force users to reset their usernames and passwords in light of the breach.
Bob Lord, CISO of Yahoo! Inc., said in a statement that Yahoo believes the hacker to be a state-sponsored actor. The statement goes on to say that the account information may have included names, email addresses, telephone numbers, dates of birth and hashed passwords.
An ongoing investigation suggests that the information stolen did not include unprotected passwords, payment card data, or bank account information, as payment card data and bank account information are not stored alongside the affected information.
So far, Yahoo has taken steps to notify potentially affected users and is asking them to change their passwords and security questions. Furthermore, the company has revealed that it’s working with law enforcement to resolve the issue, and has gone as far as to invalidate unencrypted security questions so they cannot be used to access an account.
Users are being advised to change their passwords and security questions, review their accounts for suspicious activity, be cautious of communications that ask for personal information, and avoid clicking links or downloading attachments in suspicious emails.
Lord also wrote that, “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Yahoo has stated that there is no evidence that the hacker still has access to its internal services. The last breach of this magnitude involved over 427 million MySpace accounts a few months ago. However, some have reported that the Yahoo breach may take its place as the biggest data breach of all time.
MobileSyrup reached out to several security experts to discuss the integrity of our digital identities and the steps users should take to avoid having their information stolen.
John Peterson, a vice president and general manager at the global cybersecurity firm Comodo Enterprise, stated that users can protect themselves by staying on top of their “password hygiene.”
“They should use strong passwords – a combination of uppercase, lowercase and special characters – and make them longer than they’d like them to be. Also, everyone should be aware of what’s going on. If an organization that you interact with reports a breach, don’t wait to update your password. Do it immediately.”