It’s all over the press. Here is a quote from Reuters: “Yahoo Inc said on Thursday information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a ‘state-sponsored actor.’
The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority with the relatively strong bcrypt algorithm) but may not have included unprotected passwords, payment card data or bank account information, the company said.”
Right, that is how it usually goes. This whole disclosure smells like a professional crisis-handling exercise. Later, after more breach investigation, they disclose that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of the discovery. It is disappointing that Yahoo doesn’t share more details about the hack, or say when it first discovered that it had been attacked.
And it’s easy to blame Russia (likely) or China (unlikely). If I had to break the bad news that my company had been hacked, I would feel much happier saying that the attackers were “state-sponsored” than a bunch of 15-year-old script kiddies in their parents’ basement.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said. Yahoo said it was working with law enforcement on the matter. It was not clear how this disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc.
Yahoo launched an investigation into a possible breach in early August after a Russian hacker named “Peace” offered to sell a data dump of over 200 million Yahoo accounts on the darknet for just $1,800 including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
Yahoo put a security announcement on their website and has started to send users notices that they need to change their password. Here is an example, and they make the classic mistake of using direct links in the email. Bad guys are just going to say “Thank you” and rip it off:
Subject: Your Yahoo account
The security of your Yahoo account, [Name], is important to us. Out of an abundance of caution, we are asking you to change your password. We are committed to protecting the security of our users’ information, and we take measures like this when appropriate in light of reported security issues or suspicious activity on an account.
We encourage you to take the following steps:
1. Sign into your account and change your password:
2. Visit our Help Page for information on safeguarding your account:
Start using Yahoo Account Key and never get locked out from forgetting or losing your password. Yahoo Account Key is a convenient way to control access to your account, and it’s more secure than a traditional password because once you activate Account Key – even if someone gets access to your account info – they can’t sign in.
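As an added example (not from this post, and not Yahoo's code), a small Python audit that shows why direct links in a “change your password” mail are a problem: it parses the HTML body of a notification and flags links that leave the sender's domain, or whose displayed text names a different host than the real target, the two things a recipient cannot check by eye and a phisher copies for free. The sender domain and the two sample bodies are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, sender_domain):
    """Return findings for links in a notification email (empty list = clean).

    Flags (1) links whose host is not sender_domain or a subdomain of it, and
    (2) links whose visible text looks like a URL but names a different host
    than the real target (the classic lookalike trick). Only http(s) links
    are expected; relative or mailto: links have no host and are flagged too.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"off-domain link: {href}")
        # Treat the anchor text as a URL only if it has a dot and no spaces.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and shown.lower() != host:
                findings.append(f"displays {text!r} but points to {host!r}")
    return findings


# Constructed sample bodies: a genuine-looking notice and a lookalike copy.
GENUINE = '<p>Sign in at <a href="https://login.yahoo.com/account/security">login.yahoo.com</a></p>'
LOOKALIKE = '<p>Sign in at <a href="http://login.yahoo.com.example-attacker.test/">login.yahoo.com</a></p>'

if __name__ == "__main__":
    print(audit_links(GENUINE, "yahoo.com"))    # []
    print(audit_links(LOOKALIKE, "yahoo.com"))  # two findings
```

The two bodies render identically to a reader, which is exactly why a notice that tells users to type the address themselves is safer than one that hands them a link.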