Hackers backed by an unnamed foreign government breached more than 500 million Yahoo accounts, the company officially confirmed on Thursday. With almost half a billion accounts compromised, this is one of the largest data breaches of the Internet age.
Yahoo said in a press release that the breach, which took place in late 2014, exposed names, email addresses, phone numbers, birth dates and, in a few instances, security questions and answers. Even encrypted passwords, which only users with the right passcode can read, were also compromised. However, the company’s investigation suggests that the stolen information did not include unprotected passwords, debit or credit card data, or bank account information.
Yahoo further said it is now working closely with law enforcement agencies, and attributes the act to a ‘state-sponsored actor’.
In addition, the company is notifying potentially affected users and taking steps to secure their accounts, which include invalidating security questions and answers so they cannot be used to access user accounts. The company is also urging users to change their passwords if they haven’t done so since 2014.
Back in August, a website called Motherboard reported that a hacker who goes by the alias “Peace” was trying to sell copies of a file with 200 million stolen Yahoo user accounts for about $1,900. At that time, Yahoo’s investigation came to the conclusion that there was no truth behind the hacker’s claim. During the investigation, however, the company’s researchers found a data breach on a much larger scale, which had gone undetected for over two years. Yahoo said in a press release:
Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.
Furthermore, the company is encouraging users to review their online accounts for suspicious activity and to change their security questions and answers for any other account where they use similar information to their Yahoo account. Users are also advised to avoid clicking on links or downloading attachments from unreliable sources or suspicious emails, and to be careful of any sort of communication asking for personal information. Yahoo is also recommending Yahoo Account Key, an authentication tool that does away with the need to use a password altogether.