Yahoo CISO Bob Lord writes:
We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.
This doesn't look good at all.
500 million Yahoo users are discovering that not only might hackers know their names and email addresses (potentially helping criminals craft malicious attacks and phishing campaigns) but they also have their phone numbers and dates of birth.
Passwords (thankfully) were held in a hashed format, mostly using the strong bcrypt algorithm... but it seems that some unencrypted security questions and answers were also accessed by the hackers. These could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.
In its defence, I fully expect Yahoo to emphasise that they believe a "state-sponsored attacker" was responsible for the breach. Unfortunately the company hasn't shared any information as to how it came to that conclusion.
I have no idea if they're right or not about the culprits being state-sponsored, but let me put it this way...
If I had to break the bad news that my company had been hacked, and that at least 500 million of its users had been put at risk, I would feel much happier saying that the attackers were "state-sponsored" than a bunch of 15-year-old spotty oiks from the wrong side of town.
In the eyes of the public, if a hack is state-sponsored then, well, "hey, who could have reasonably stopped that?"
If you think that, then I suspect Yahoo are pleased that you have come to that conclusion. Here's what they say in their statement:
An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.
Yes, you can call me a cynic if you like. That's what 25 years in the computer security industry does to a man. And no, I'm not saying that it wasn't a state-sponsored attack.
It's also a little disappointing that Yahoo doesn't share when it first discovered that it had been attacked.
Murmurings of a serious data breach at Yahoo have been spreading for some months, but this is a bigger hack than anyone previously feared.
Earlier today, as rumours spread widely across the net that Yahoo was about to officially confirm a massive data breach, there was a huge spike in traffic to this site coming to an article about how to better protect Yahoo accounts.
- Reset your Yahoo password. Make it a strong, complex password - and make sure that you are not using the same password anywhere else on the net. Yahoo says it is recommending that all users who have not changed their passwords since 2014 do so.
- If you were using the same password in multiple places, you need to get out of that habit right now. Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials.
- Invest in a decent password manager program to generate random, hard-to-crack passwords, store them securely and remember them for you.
- Watch out for phishing emails that pretend to come from Yahoo.
- And yes, if you haven't already done so, enable two-step verification on your Yahoo account.
For more information, check out Yahoo's blog post.
Frankly, the timing couldn't be worse for Yahoo - which is trying to sell itself to Verizon.