Yahoo! confirmed early this morning that half a billion user accounts have been compromised in a wide-scale data breach that first occurred in late 2014.
The data breach first came to light in August, when a hacker called “Peace” began selling information on the dark web marketplace TheRealDeal for around $2385 (3 Bitcoin). At the time, Yahoo! released a statement saying that their “security team [was] working to determine the facts” and that users should use different passwords for different accounts, or abandon passwords entirely through the Yahoo! Account Key app.
Around 200 million user accounts were believed to have been affected back then. A source told Recode before the official announcement that the breach was “worse” than that.
Early this morning, Yahoo! released this statement:
A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Motherboard, which broke the original story, acquired around 5000 of the leaked records and reported that “most of the two dozen Yahoo! usernames tested by Motherboard did correspond to actual accounts on the service”. They added, however, that other addresses in the sample data they acquired were returned as undeliverable.
The sample data at the time contained hashed usernames, hashed passwords, dates of birth, and secondary email addresses in some instances, corroborating Yahoo!’s statement. The data was shown to Yahoo!, but Yahoo! did not confirm or deny the legitimacy of the data back then.
It comes at a bad time for Yahoo!, which is currently in the process of selling its core business to telecom giant Verizon for a reported $US4.8 billion. Yahoo! also added that state-sponsored hackers are increasingly responsible for “online intrusion and thefts” across the technology sector.
Comments
7 responses to “Yahoo Confirms Hack Affecting At Least Half A Billion Users”
Anyone out there still using Yahoo?
Without a word of a lie, I created one in 2013 for the express purpose of being ‘my PSN account email’ when I got my PS3. In case PSN was ever compromised again.
This is a turn up for the books I can tell you.
Could be a problem if you’ve EVER used Yahoo and reuse your security questions.
I was wondering the same thing. Gotta wonder how much value the data of half a billion users would have given that most of it was probably last updated in 2001 😛
“FOR SALE: 500000000 YAHOO ACCOUNTS!! (*) 14 of them still active”
Yo :p
(though I’m sure this will come as little surprise to anyone in any way familiar with my other “anachronistic” tendencies)
Um. Not sure I’d be able to get back into it anyway as I think my old yahoo account was tied to my ISP email address which was the national telecoms company in a country I no longer live in.
*scratch head*
I have one for the entire purpose of spam, nothing else.