Yahoo mega-breach: ‘State-sponsored actor’ steals 500 million users’ details

Yahoo has confirmed that a "state-sponsored" attacker stole the account details of 500 million users in what is, by number of accounts affected, the largest data breach known to date.

The firm said the data, which was stolen in late 2014, included names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions and answers.

"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor," it said in a statement confirming the breach.

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information.

"Payment card data and bank account information are not stored in the system that the investigation has found to be affected."

The FBI is investigating the breach. Yahoo is notifying affected users and asking them to change their passwords and "adopt alternative means of account verification".

Verizon, which agreed to buy Yahoo for $4.8 billion (£3.7 billion) back in July, told the BBC it had learned about the breach "within the last two days".

The disclosure follows an incident in August, when a hacker using the handle Peace claimed to be selling 200 million Yahoo account credentials.

“In terms of the number of user accounts compromised, this is likely one of the largest breaches in recorded history — if not the largest,” said Jeremiah Grossman, chief of security strategy at SentinelOne, commenting on the incident.

“There are a lot of unanswered questions here—the biggest one being that while we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.

“Additionally, there are questions to be answered around Yahoo’s claim that this was a state-sponsored hacker. State-sponsored adversaries don’t typically publicly share stolen data or sell it, like profiteer hacker ‘Peace of Mind’.

“Peace of Mind was all about selling stolen Yahoo account data, so it’s unlikely he was state-sponsored. And if so, this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”

Some security experts speculated about how the breach might affect Yahoo's future.

“Yahoo may very well be facing an existential crisis,” said Corey Williams, senior director of products and marketing at Centrify. “Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back.

“Since this breach occurred in 2014, and wasn’t properly communicated or handled, it may very well give Verizon an ‘out’ or a reason to renegotiate.

“This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company.

“The stakes for properly securing access to corporate resources and handling security incidents couldn’t be higher.”

For more on the breach, see Yahoo’s website.


Photo © Josh Hallett (CC BY-SA 2.0). Cropped.