Change your password! Yahoo confirms data breach of 500 million accounts

Yahoo last night confirmed earlier reports that information pertaining to the unprecedented number of “at least” half a billion user accounts was stolen in a 2014 breach.

That may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the password-hashing function bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo says the breach didn’t include unprotected passwords, payment card data, or bank account information. The company says it doesn’t store payment card data or bank account information in its system.

It’s blaming an unspecified “state-sponsored actor.” The FBI has confirmed that it’s investigating the attack.

Three unnamed US intelligence officials told Reuters that they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting under their command.

News of a possible major attack on Yahoo first emerged in August, when Peace – the infamous dark-web purveyor of humongous data sets that date back years – was trying to sell information on 200 million Yahoo accounts.

For some reason, Yahoo didn’t call for a mandatory reset password when news of the attack first broke last month.

Somebody familiar with the matter told Reuters that the August report turned out to be false, though Yahoo’s investigation did in fact uncover the separate 2014 theft.

The company said in a statement at the time that it was “committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”

Those facts: Peace is the same name – he or she goes by peace_of_mind in the dark markets, or simply “Peace” – of the person who’s gone online recently to sell data sets from years-old breaches at Tumblr, LinkedIn and MySpace.

The Yahoo haul dwarves them all, according to Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned.

What to do?

Change your password.

Yes. If you haven’t changed it since 2014, do it now.

And change that password on any other sites you use. Make sure each online account has a different password, and make them all strong.

Also, it’s a good time to change your security questions. If you’re one of the half a billion users who’s been affected by the breach, you won’t have a choice about that, since Yahoo’s gone and invalidated your security questions for your safety.

From Yahoo’s statement:

Yahoo is notifying potentially affected users and has taken steps to secure their accounts.

These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.

Why did it take 2 years to uncover?

Huge breached data sets emerging years after attacks have become a bit of a trend recently.

Over the past few months, we’ve seen multiple massive data sets put up for sale online, all dating back to breaches that are pretty ripe.

To wit:

The 500 million accounts affected in the Yahoo breach tops these 10 previous breaches, as listed by

  • MySpace: 359 million accounts
  • LinkedIn: 164 million accounts
  • Adobe: 152 million accounts
  • Badoo: 112 million accounts
  • VK: 93 million accounts
  • Dropbox: 68 million accounts
  • Tumblr: 65 million accounts
  • iMesh: 49 million accounts
  • Fling: 40 million accounts
  • 37 million accounts

There are rumblings about why Yahoo waited so long to disclose the attack.

Recode first reported on Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.

Democratic Senator Mark Warner, a former technology executive, on Thursday issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He called for a federal “breach notification standard” to replace data notification laws that vary by state. The senator also said he was “most troubled” that the public was only learning of the incident now, two years after it happened.

Image of Yahoo courtesy of Ken Wolter / Shutterstock.