Yahoo CISO Bob Lord writes:
We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.
This doesn’t look good at all.
500 million Yahoo users are discovering that not only might hackers know their names and email addresses (potentially helping criminals craft malicious attacks and phishing campaigns) but they also have their phone numbers and dates of birth.
Passwords (thankfully) were held in a hashed format, mostly using the strong bcrypt algorithm… but it seems that some unencrypted security questions and answers were also accessed by the hackers. These could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.
In its defence, I fully expect Yahoo to emphasise that they believe a “state-sponsored attacker” was responsible for the breach. Unfortunately the company hasn’t shared any information as to how it came to that conclusion.
I have no idea if they’re right or not about the culprits being state-sponsored, but let me put it this way…
If I had to break the bad news that my company had been hacked, and that at least 500 million of its users had been put at risk, I would feel much happier saying that the attackers were “state-sponsored” than a bunch of 15-year-old spotty oiks from the wrong side of town.
In the eyes of the public, if a hack is state-sponsored then, well, “hey, who could have reasonably stopped that?”
If you think that, then I suspect Yahoo are pleased that you have come to that conclusion. Here’s what they say in their statement:
An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.
Yes, you can call me a cynic if you like. That’s what 25 years in the computer security industry does to a man. And no, I’m not saying that it wasn’t a state-sponsored attack.
It’s also a little disappointing that Yahoo doesn’t share when it first discovered that it had been attacked.
Murmurings of a serious data breach at Yahoo have been spreading for some months, but this is a bigger hack than anyone previously feared.
Earlier today, as rumours spread widely across the net that Yahoo was about to officially confirm a massive data breach, there was a huge spike in traffic to this site coming to an article about how to better protect Yahoo accounts.
- Reset your Yahoo password. Make it a strong, complex password – and make sure that you are not using the same password anywhere else on the net. Yahoo says it is recommending that all users who have not changed their passwords since 2014 do so.
- If you were using the same password in multiple places, you need to get out of that habit right now. Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials.
- Invest in a decent password manager program to generate random, hard-to-crack passwords, store them securely and remember them for you.
- Watch out for phishing emails that pretend to come from Yahoo.
- And yes, if you haven’t already done so, enable two-step verification on your Yahoo account.
For more information, check out Yahoo’s blog post.
Frankly, the timing couldn’t be worse for Yahoo – which is trying to sell itself to Verizon.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
21 comments on “Yahoo confirms: hackers stole 500 million account details in 2014 data breach”
Not too worried about the password personally because I used 32 characters with special characters and I've changed it already, more worried about the unencrypted security questions which can be used in social engineering with customer support staff…
"State-sponsored" attacks tend to be pretty sophisticated (and persistent) so an assurance that "there is no evidence that the state-sponsored actor is currently in Yahoo's network" is hopelessly optimistic, especially given the time it has taken for Yahoo to discover they have been attacked.
Being equally cynically, they may have discovered it a long time ago and waited until the Verizon deal was complete.
is it common for a state sponsored group to sell data on the black market ?
the good excuse of "it is the russian" looks like a way not to admit they have simply been hacked by a well organized criminal group trying to make money with data ?
Francois-Bernard Huyghe (a French expert in info wars) explains well that when you are hacked , attributing the attack to an enemy is a way to get some benefit from a failure…
Attribution is very hard, and recently it seems that attribution was absurd, ignoring the internal menace…
another question is also if the detection is linked to recent 0-day vulnerabilities and tools which were stolen from NSA. Did yahoo realize they were hacked by NSA unpublished holes (probably used by hackers too)?
Bruce Schneier have received confirmation of my uninformed intuition
loose job, allowing bandits to get in.
Not Putin, just shot down IDS to save bucks.
Two things that occur to me. One, Yahoo was forced to reveal this as some kind of disclosure thing to Verizon, and/or Verizon uncovered it as part of its due dilligence when looking to buy Yahoo. In other words, Yahoo still wouldn't have come clean about this if they weren't forced to, which is deeply uncool.
And the other thing, I am also cynical about the state-sponsored thing – for a company which apparently took that long to even work out that it had been compromised on a massive scale, it seems awfully certain of that. It's no secret that plenty of current and former Yahoo employees have become extremely disenchanted with the direction and leadership of the company in recent years. I'd have thought that one or more insider(s) would be more likely as a source of the breach…
I have three Yahoo email accounts. If this happened in 2014, I would have thought I'd have noticed someone using the information they'd stolen, by now. Why steal the information and then just sit on it?
I have suspected that something happened to Yahoo Mail over a year ago when my entire contact list was lifted and used to send spam to. The same thing also happened to a colleague of mine who also on Yahoo Mail at roughly the same time and we have been plagued ever since.
one more reason to think the attack is not state sponsored, but simply criminal.
I've had this same experience. I've also received spam from *everyone I know who has a Yahoo account* in the last couple of years (not to mention other acquaintances who also experienced this).
This indicates to me there must have been a massive breach of the Yahoo email servers in order for spammers to obtain this many whole contact lists from so many different people. Yahoo has never acknowledged this that I know of (I've tried Google searches on this in past).
I still get these same kinds of spam occasionally, typically saying it is from a known Yahoo user (but actually originating from an email address with an overseas domain name) and addressed to multiple recipients obviously lifted from someone's contact list.
2014 had Heartbleed, which could be exploited in various scenarios to get to this point. Just my 2 cents.
The breach was in 2014, Yahoo does realize this is 2016
Graham always talks about password management programs but can someone tell me how they would work if two separate people (e.g., my wife and I) on two separate computers want to access the same location (e.g., a joint bank account)? If the password mgmt software on my computer generates a unique password with the joint bank account, and my wife's same software on her computer generates another unique password, how can we both get into the same bank account when it is only looking for a single password?
You'll find that some password manager software takes exactly this into account with shared family accounts and shared password vaults for teams.
This is incorrect. You should never share a pasword, especially for financial accounts. Joint accounts holders should have their own individual logins.
People share logins for social media because it was never designed for use by teams but they shouldn't really.
Joint holders should have their own individual login with their own password. If you are sharing the password then you're doing something wrong. You've only registered one user but all the holders need to register individually and choose their own passwords.
The job of a password manager, such as LastPass or KeePass, is to remember your log-in details for each account for you, and supply them on demand. They normally come with a password generator, but you are not obliged to use the passwords they suggest. You can set up a password in your password manager and then your wife can tell her password manager to remember the same password for that account. It becomes a bit more complicated if you use two-factor authentication. Some accounts will allow you to set up more than one second factor, such as two phone numbers, or a phone number and an email address. You would have to figure that on a case by case basis.
I assume this data breach is mainly about the Yahoo email accounts. I don't keep an address book in Yahoo nor do I send out any emails, but I do use Yahoo groups. I assume this data breach is mainly about the Yahoo email accounts. I have not read if Yahoo Groups would be affected by the data breach.
Does anyone know if this breach also affects users who use Yahoo Groups?
What is really disturbing, is knowing that Yahoo has more than 500.000.000 users ..
In the recent past quite a few data breaches have been disclosed or discovered a couple of years after they took place. So is it a good idea to change all of our passwords regularly, say every six months?
A Yahoo help page says: "There's no better way to protect your account from being compromised than changing your password regularly."
I've tackled the topic of whether you should regularly change your passwords in this video:
Also read this article, https://grahamcluley.com/password-changes-dont-improve-security-says-ftc-technologist/
Hope that helps!
That video is about Amazon. I think you meant this one: https://www.youtube.com/watch?v=kJVrV2HT-s4