Yahoo has confirmed that a data breach from 2014 hit 500 million users, allowing hackers access to sensitive information, including poorly encrypted passwords.
A press release from Yahoo confirms the news, and follows reports earlier today that Yahoo was set to confirm the breach. If true, stealing the user credentials from 500 million users would be one of the largest hacks ever to hit a US company.
In a release, the company said “A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Yahoo points out that no payment info was stolen. While most of the stolen passwords were hashed rather than stored in plaintext, password dumps like this tend to be cracked reasonably quickly.
The statement goes on to confirm the extent of the hack, saying “Yahoo believes that information associated with at least 500 million user accounts was stolen.” However, Yahoo believes its systems are now safe and clear of hackers.
Needless to say, anyone with a Yahoo account should immediately change their password, along with the password on any other account that shares it. Yahoo will be prompting anyone who hasn’t changed their password since 2014 (!!!!!) to go do so now.
To help users deal with the fallout from the hack, Yahoo has created a dedicated page full of FAQs.
The most significant part of Yahoo’s statement isn’t the scale of the hack, but who the company believes to be behind it. Major breaches of user information are generally carried out by for-profit hackers, who steal the information and then sell it to other criminals, who in turn use it to make money through identity fraud.
State-sponsored hackers often don’t have the same motives. We’ve already seen hackers linked to the Russian government conduct attacks against American political organizations, with the aim of finding sensitive documents and leaking them to cause embarrassment. But an attack against a popular email host is a more nefarious and more direct attack on an American company.