Yahoo has confirmed in a press release that a hacker, possibly working with a foreign government, stole at least 500 million users' account information in 2014.
The company said that it is working with law enforcement to catch the hacker. The data breach may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Financial data, according to Yahoo, were not part of the information taken. Yahoo declined to disclose which country it believed the attack originated from, citing company policy on state-sponsored attacks.
Recode reports that a hacker nicknamed "Peace" may be responsible. In early August, a hacker by the same name had listed data from 200 million Yahoo accounts for sale on the Dark Web. At the time, Yahoo said it was aware of the listing, but it did not issue a password reset. A source close to the investigation told BuzzFeed News that Yahoo investigated Peace's claim in July 2016 and found no direct evidence to substantiate it. According to the source, Yahoo then began another, wider investigation that led them to discover the breach of 500 million accounts. Yahoo did not disclose its earlier findings about the purported Peace hack, which may have comforted users, because it believed the information may have affected the second investigation, the source said.
Yahoo is asking users to change their passwords and to be wary of any unsolicited communication. The company has updated its security FAQ page to include response measures, sent a security email to affected users, and issued a slew of other recommendations to users, including changing security questions, reviewing accounts for suspicious activity, and not clicking any links or downloading any materials from unverified emails. The company's investigation into the hack is ongoing.
The hack may affect the $4.8 billion sale of Yahoo's core business to Verizon. Verizon said in a prepared statement, “Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.” Yahoo declined to respond to Verizon's comments and did not say how the hack and ongoing investigation may affect the deal.
Senator Mark Warner, D-VA, founder of the Senate Cybersecurity Caucus, said in a prepared statement, "While this breach's scale puts it among the largest on record, I am perhaps most troubled by news that it occurred in 2014, and yet the public is only learning details of it today. Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue."
Many online responses criticized the pace of Yahoo's response and joked about its relevance in 2016:
The hack may also spread to other websites and accounts. Yahoo account holders should change their passwords for other websites as well, cybersecurity experts advise. Shuman Ghosemajumder, CTO of the Shape Security, said, "The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites."
A second source close to Yahoo's investigation told BuzzFeed News that Flickr users' accounts may have been compromised and that their public and private photos may be at risk. Yahoo has reached out to Flickr users to advise them on taking precautionary security measures.