Yahoo says it was the victim of state-sponsored hackers who stole information associated with 500 million accounts.

Yahoo CISO Bob Lord said the attack happened on the company’s network in late 2014; he did not name the country responsible.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Lord said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

Yahoo, which said law enforcement is investigating the breach, believes the attackers are no longer on its network. The confirmation of the attack comes as Verizon continues its $4.83 billion acquisition of Yahoo’s core business. It’s unknown how the news of the attack will impact the deal going forward.

Affected users will be notified by email. Yahoo will force a password reset on those accounts and urge the use of multifactor authentication, including its Yahoo Account Key. Yahoo has also invalidated unencrypted security questions and answers for affected accounts, and recommends that all users change their passwords if they have not done so since 2014.
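The remediation steps above (forced reset for accounts in the affected system, invalidation of security answers stored in the clear, a change recommendation for anyone whose password predates the intrusion) amount to a triage policy over the account store. The following is an added example written for this article, not Yahoo's code: it parses each account's stored hash to confirm it is in bcrypt's modular-crypt format and to read its cost factor, then decides which actions apply. The account records, the hash strings, the 2015-01-01 cutoff date and the minimum cost of 10 are all constructed assumptions for illustration.

```python
"""Breach-remediation triage over a credential store (illustrative example).

Assumptions: the intrusion is dated to late 2014, so any password not changed
since 2015-01-01 is treated as possibly exposed; a bcrypt cost below 10 is
flagged as weak. The account records below are constructed for this example;
the bcrypt strings are syntactically valid but their salt/hash bodies are
made up and do not correspond to any real password.
"""
import re
from dataclasses import dataclass
from datetime import date

BREACH_CUTOFF = date(2015, 1, 1)   # assumption: first day after the late-2014 intrusion
MIN_BCRYPT_COST = 10               # assumption: work factor below this is flagged

# bcrypt modular-crypt format: $2a$ / $2b$ / $2y$, two-digit cost, then a
# 22-character salt and 31-character hash in bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


@dataclass
class Account:
    email: str
    password_hash: str
    last_password_change: date
    security_answers_encrypted: bool   # False: answers stored in the clear
    in_affected_system: bool           # True: record lived in the breached system


def bcrypt_cost(stored_hash: str):
    """Return the bcrypt cost factor, or None if the hash is not bcrypt at all."""
    m = BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def triage(acct: Account) -> dict:
    """Apply the remediation policy to one account and return the actions due."""
    actions = set()
    cost = bcrypt_cost(acct.password_hash)
    if acct.in_affected_system:
        # Account data was in the stolen set: notify and force a new password.
        actions.update({"notify", "force_password_reset"})
        if not acct.security_answers_encrypted:
            # Cleartext answers are now public; they can no longer gate recovery.
            actions.add("invalidate_security_answers")
        if cost is None:
            # Legacy (non-bcrypt) hash: offline cracking is cheap for the attacker.
            actions.add("legacy_hash_exposed")
        elif cost < MIN_BCRYPT_COST:
            actions.add("low_bcrypt_cost")
    elif acct.last_password_change < BREACH_CUTOFF:
        # Not in the affected system, but the password predates the intrusion.
        actions.add("recommend_password_change")
    return {"email": acct.email, "hash_cost": cost, "actions": sorted(actions)}


# Constructed sample records (not real users or real hashes).
SAMPLE_ACCOUNTS = [
    Account("alice@example.com",
            "$2b$12$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
            date(2013, 6, 1), security_answers_encrypted=False, in_affected_system=True),
    Account("bob@example.com",
            "$2b$05$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
            date(2016, 3, 9), security_answers_encrypted=True, in_affected_system=True),
    Account("carol@example.com",
            "0123456789abcdef0123456789abcdef",   # 32 hex digits: looks like an unsalted MD5
            date(2012, 1, 15), security_answers_encrypted=False, in_affected_system=True),
    Account("dave@example.com",
            "$2b$12$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
            date(2014, 11, 30), security_answers_encrypted=True, in_affected_system=False),
    Account("erin@example.com",
            "$2b$12$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
            date(2016, 1, 2), security_answers_encrypted=True, in_affected_system=False),
]


def run_triage(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Triage every account; keyed by email so results are easy to inspect."""
    return {r["email"]: r for r in (triage(a) for a in accounts)}


if __name__ == "__main__":
    for email, result in run_triage().items():
        print(f"{email:20s} cost={result['hash_cost']}  actions={result['actions']}")
```

The regex does only a format check; it proves that a stored value has bcrypt's shape and exposes its cost, which is enough to separate accounts whose hashes were actually protected by a slow KDF from the minority that were not, without needing the bcrypt library itself. A real sweep would also log the decisions for the incident record.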

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” Lord said. “Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

Yahoo’s confirmation comes after an Aug. 1 report that a cache of 200 million Yahoo user credentials had been put up for sale on a dark web market called The Real Deal by a hacker who goes by the handle “Peace” or “peace_of_mind.” The asking price was 3 Bitcoin, or about $1,800 USD.

Initially, it was believed that the data stolen in the attack dated back to 2012. Because users routinely reuse the same password across sites, stolen credentials can be replayed against other services (credential stuffing) and give the attackers access to multiple accounts belonging to the same victim, not just the Yahoo account.

Already this year, a number of high-profile websites have had user account information and credentials dumped online. Most of those leaks, however, were data from older breaches that had been aggregated from various locations online rather than the result of new intrusions.

The Yahoo breach represents the largest number of stolen credentials to date this year (a collection of 470,000 MySpace credentials was put online earlier this year).

LeakedSource, a subscriber-based aggregator of personal data found online, told Threatpost that two files containing Yahoo credentials have been available for years, including a sample text file containing 5,000 credentials and an encrypted file containing 40 text files claiming to be from Yahoo. “We have both of them as well as the decryption key for the 40 text files which we determined to be fake,” LeakedSource said. “The 5,000 sample however may be real and provide enough evidence for Yahoo to begin resetting passwords.”

Categories: Government, Web Security

Comments (3)

  1. Jared

    Do you think this and the other large-scale hacks seen recently will prompt people to migrate to using non-password-based security for their accounts, like account key tools or key fobs?

  2. James

    If it were up to me, I would use tokens everywhere. I see Dell’s purchase of EMC as what they are aiming for: combine Dell products with the RSA Security part. At least that is what I would do if I were working at Dell.

  3. V

    What I want to know (as a victim of Yahoo email hacking) is why in Sam Hell did it take the company almost 3 years to ADMIT they were hacked!!!! My life has been turned upside down due to NO ONE believing ALL my emails/accounts were hacked. For Yahoo to be such a coward in not coming forward with this information sooner to PROTECT its users is COMPLETELY UNACCEPTABLE!!!!!! For all of those affected by this breach I send you peace and love and hope you can get your emails secured. Thank you K Team for all that you do to fight against this horrific reality of the world hidden from the one we see, to try to keep your clients secure. Now my family FINALLY sees, yes, I WAS hacked. Thanks to MSM for FINALLY adding it to the current news.

Comments are closed.