Yahoo Inc. has officially confirmed rumors of a massive security breach from 2014 affecting at least 500 million users, which it attributes to a “state-sponsored actor”.
Yahoo said a copy of certain user account information—including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers—was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.
Yahoo began notifying its customers by email Thursday morning. The following is an excerpt from the email:
A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. We are closely coordinating with law enforcement on this matter and working diligently to protect you.
What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.
What We Are Doing
We are taking action to protect our users:
● We are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
● We invalidated unencrypted security questions and answers so they cannot be used to access an account.
● We are recommending that all users who haven’t changed their passwords since 2014 do so.
● We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
● We are working closely with law enforcement on this matter. Our investigation into this matter continues.
Verizon penned a deal in July, agreeing to buy Yahoo’s core for the bargain price tag of $4.83 billion. Yahoo was once valued at more than $125 billion at the height of the dot-com boom; the sale marked the official, unfortunate end of the company’s empire under current CEO Marissa Mayer’s command.
Verizon on Thursday said it was notified of Yahoo’s security incident within the last two days but has “limited information and understanding of the impact … We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.
According to a Wall Street Journal report, “B. Riley & Co. analyst Sameet Sinha said the breach is unlikely to affect terms of the Verizon deal.”
“Data breaches have become part of doing business now,” Mr. Sinha said, citing LinkedIn’s $26.2 billion premium from Microsoft Corp. following the underestimated impact of a 2012 data breach. He added that in this case, both parties will need to “provide extensive communications and help to consumers to make sure passwords are changed quickly and of course bolster their security.”
For those with questions about the breach, there’s now a Yahoo help page dedicated to the topic at https://yahoo.com/security-update.