Yahoo will confirm later this week that hackers did breach its systems in 2012, stealing personal data for about 200 million accounts, including easily decrypted passwords.
UPDATE: Make that 500 million accounts…
Sources close to the situation confirmed the massive data breach to Recode. Yahoo admitted this summer that it was investigating reports of a data breach. In August, a hacker called Peace was selling credentials of 200 million Yahoo users from 2012 for around $1,800. At the time, Yahoo said it was aware of the claim but did not say whether it was legitimate.
The data dump allegedly included user names, easily decrypted passwords, birth dates, and other email addresses.
“It’s as bad as that,” one source told Recode. “Worse, really.”
The sources did not provide specific details about the hack, but they noted it was widespread and series. It’s likely that government investigations and legal actions will follow. Even the Verizon $4.8 billion deal might be in danger. According to Recode, Verizon and Yahoo are working closely to make sure the planned acquisition goes smoothly. But there’s no telling what might happen if Verizon will have to deal with this data breach’s fallout.
Yahoo did not issue a password reset in August, but it might have to do it now. You’d better change your Yahoo account password as soon as possible, and if you’re using the same Yahoo username and password combination anywhere else, change those as well.
If confirmed, the Yahoo hack may turn out to be one of the worst data breaches in recent years.