Yahoo Hacked! 500 million accounts breached
In what appears to be the biggest cyber breach ever, Yahoo Inc on Thursday said information of at least 500 million user accounts was stolen from its network in 2014 by what it believed was a state-sponsored actor.
Yahoo said data stolen may have included names, email addresses, telephone numbers, dates of birth and encrypted passwords but that unprotected passwords, payment card data and bank account information did not appear to have been compromised.
“This is the biggest data breach ever,” said well-known cryptologist Bruce Schneier.
He said it was too early to say what impact the breach might have on Yahoo and its users because many questions remain, including the identity of the state-sponsored hackers behind it.
Three US intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
Yahoo said it was working with law enforcement on the matter. The FBI said it was aware of the matter, and the U.S. Secret Service was not immediately available for comment.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said.
Shares of Yahoo stock were barely changed for the day after the news, while shares of Verizon Communications, which has agreed to buy the company’s Internet business, were up about 1 percent.
It was not clear how this disclosure might affect Yahoo’s deal with Verizon.
Verizon, which announced in July an agreement to buy Yahoo’s core internet properties for $4.83 billion, said in a statement it was made aware of the breach within the last two days and had limited information about the matter.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.
Technology website Recode first reported Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.
That followed an August 1 story on the technology news site Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users but did not confirm its authenticity. Peace has previously claimed responsibility.
Peace also previously attempted to sell on a hacker forum information purportedly belonging to hundreds of millions of accounts at MySpace and LinkedIn, including names, passwords and email addresses.
If you’ve ever created a Yahoo account, take these steps immediately to protect your data
If you’ve ever signed up for an account with Yahoo, there’s cause for concern. The company confirmed today, after Recode broke the story last night, that 500 million user accounts were breached in a massive hack.
That’s larger than the population of the United States and Mexico combined.
Yahoo says the attack likely included email addresses, passwords, names and phone numbers — not payment card data or bank account information.
But our email accounts are packed with personal information. We send people we trust our account details for all kinds of services over email, and whether it’s as benign as a Netflix password or as potentially devastating as a pornography website login or credit card number, we expect our email accounts to be password protected and private.
If you have a Yahoo account, here’s what you should do.
Change all your passwords
Not just your Yahoo account. Make a list of all the online accounts where you store sensitive information. Update all your passwords to make them long and strong. Be sure to give each separate account a unique password, too. No repeats.
The best way to keep track of all your new passwords is with a password manager, which stores all your account details in an encrypted vault on your smartphone and your desktop. You can find some great free or extremely cheap ones online. Do some digging and find an option that works best for you.
Review old emails, delete sensitive content and disconnect accounts
If your Yahoo account information is indeed for sale, someone can hack into your email and find information you’d rather keep locked safe. Search your emails for sensitive correspondence, delete liberally, and empty the trash folder.
Then visit the account settings of services you’ve connected to your Yahoo account and disconnect them immediately.
Switch to Gmail or use encryption
Gmail is endorsed by security researchers for being a secure service that most people can trust. If you want an airtight layer of protection, you can always set up a PGP key so only the intended recipient can decrypt your emails.
Enable two-factor authentication for all accounts and update apps
If you want to log in to your accounts, you should be able to verify you’re the one trying to log in and not someone else. That means employing more than just an easily shareable password to authenticate your login attempt.
Most services offer the option to text a code to a phone number on file for your account so only a person with both your password and your cell phone can gain access. Make sure all your apps and services are fully updated to take advantage of any recent security improvements.
Don’t open shady emails
Hackers often try to bait people into opening emails or attachments that may contain malware. Don’t open the email if you’re unsure. And if you do open an email and then decide it might be from a hacker, do not open the attachments. Delete it.