Yahoo says it was the victim of state-sponsored hackers who stole information associated with 500 million accounts.
Yahoo CISO Bob Lord said the attack happened on the company’s network in late 2014; he did not name the country responsible.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Lord said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
Yahoo, which said law enforcement is investigating the breach, believes the attackers are no longer on its network. The confirmation of the attack comes as Verizon continues its $4.83 billion acquisition of Yahoo’s core business. It’s unknown how the news of the attack will impact the deal going forward.
Affected users are going to be notified via email and Yahoo will force a password reset and also urge the use of multifactor authentication, including its Yahoo Account Key. Yahoo has also invalidated unencrypted security questions and answers for affected accounts, and recommends that all users change their passwords if they haven’t done so since 2014.
“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” Lord said. “Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Yahoo’s confirmation comes after an Aug. 1 report that said a cache of 200 million Yahoo user credentials was put up for sale on a dark web site called The Read Deal by a hacker who goes by the handle “Peace” or “peace_of_mind.” The asking price was 3 Bitcoin, or about $1,800 USD.
Initially, it was believed that the data stolen in the attack dated back to 2012. Because users commonly reuse the same password across different online accounts, the stolen credentials can give the attackers access to multiple accounts belonging to the same victim.
Already this year, a number of high-profile websites have had user account information and credentials dumped online. Most of those leaks, however, have been data accumulated from a number of locations online stolen in a number of older breaches.
The Yahoo breach represents the largest number of stolen credentials to date this year (a collection of 470,000 MySpace credentials was put online earlier this year).
LeakedSource, a subscriber-based aggregator of personal data found online, told Threatpost that two files containing Yahoo credentials have been available for years, including a sample text file containing 5,000 credentials, and an encrypted file containing 40 text files claiming to be from Yahoo. “We have both of them as well as the decryption key for the 40 text files which we determined to be fake,” LeakedSource said. “The 5,000 sample however may be real and provide enough evidence for Yahoo to begin resetting passwords.”