A recent investigation by Yahoo has confirmed
that a copy of certain user account information was stolen from the company’s network in
late 2014 by what it believes is a state-sponsored actor. The account information may have included
names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some
cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen
information did not include unprotected passwords, payment card data, or bank account information;
payment card data and bank account information are not stored in the system that the investigation
has found to be affected. Based on the ongoing investigation, Yahoo
believes that information associated with at least 500 million user accounts was stolen
and the investigation has found no evidence that the state-sponsored actor is currently
in Yahoo’s network. Yahoo is working closely with law enforcement
on this matter. Yahoo is notifying potentially affected users
and has taken steps to secure their accounts. These steps include invalidating unencrypted
security questions and answers so that they cannot be used to access an account and asking
potentially affected users to change their passwords. Yahoo is also recommending that users who
haven’t changed their passwords since 2014 do so. Yahoo encourages users to review their online
accounts for suspicious activity and to change their password and security questions and
answers for any other accounts on which they use the same or similar information used for
their Yahoo account. The company further recommends that users
avoid clicking on links or downloading attachments from suspicious emails and that they be cautious
of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider
using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password
altogether. Online intrusions and thefts by state-sponsored
actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs
to detect and notify users when a company strongly suspects that a state-sponsored actor
has targeted an account. Since the inception of Yahoo’s program in
December 2015, independent of the recent investigation, approximately 10,000 users have received such
a notice. Yahoo has taken steps to protect its users, including invalidating security questions and
answers, but the larger risk is password reuse: attackers cracking the stolen password hashes and then
trying the recovered passwords against other websites where the same people hold accounts. For example,
Facebook co-founder Mark Zuckerberg's Twitter account was hijacked in a similar way in 2016 after the
passwords of more than 100 million LinkedIn members were leaked.
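The following added example (not from the article, and not Yahoo's, Twitter's or LinkedIn's code) shows why reuse is the real risk. It assumes a hypothetical "site A" dump that stored unsalted MD5 hashes, a "site B" that stores properly salted PBKDF2 verifiers, and a constructed set of users and a wordlist. The attacker cracks what they can offline from site A and replays the recovered credentials against site B; site B's strong hashing does nothing for users who reused a weak password there.

```python
import hashlib
import hmac
import os

# Constructed sample data for illustration only.
# Site A stored unsalted MD5 (a weak scheme assumed here; the article only says "hashed").
SITE_A_DUMP = {
    "alice@example.com": hashlib.md5(b"summer2014").hexdigest(),   # weak, reused on site B
    "bob@example.com":   hashlib.md5(b"letmein").hexdigest(),      # weak, but unique to site A
    "carol@example.com": hashlib.md5(b"Tq9!vR2#xLm8").hexdigest(), # strong, reused on site B
}

# A tiny attacker wordlist (real ones hold hundreds of millions of entries).
WORDLIST = ["password", "123456", "summer2014", "letmein", "qwerty"]


def crack_md5(dump, wordlist):
    """Offline dictionary attack against unsalted hashes.

    Because there is no salt, each candidate is hashed once and compared
    against every stolen hash at the same time via a lookup table.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def make_verifier(password, iterations=100_000):
    """Site B's storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(verifier, password):
    """Constant-time check of a login attempt against a stored verifier."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(dk, verifier["hash"])


# Site B's user table (constructed). Alice and Carol reused their site A password.
SITE_B_USERS = {
    "alice@example.com": make_verifier("summer2014"),
    "bob@example.com":   make_verifier("bob-has-a-unique-pw!"),
    "carol@example.com": make_verifier("Tq9!vR2#xLm8"),
}


def credential_stuff(cracked, target_users):
    """Replay every cracked (email, password) pair against the target site.

    Returns the sorted list of accounts on the target site that the
    attacker can now log into.
    """
    return sorted(user for user, pw in cracked.items()
                  if user in target_users and verify(target_users[user], pw))


if __name__ == "__main__":
    cracked = crack_md5(SITE_A_DUMP, WORDLIST)
    print("cracked from site A:", cracked)
    print("site B accounts taken over:", credential_stuff(cracked, SITE_B_USERS))
```

Only Alice loses her site B account: Bob's site A password was weak but not reused, and Carol reused a password the wordlist never reaches. Site B's salted PBKDF2 stops the attacker from cracking its own table cheaply, but it cannot distinguish Alice's real login from a replayed one, which is why the advice above is to change the same password everywhere it was used, not only at Yahoo.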