Yahoo yesterday confirmed it’s working with law enforcement to investigate a data breach which affected the account information of more than 500 million users.
The company says that the user account information was stolen from its network in late 2014 by what it now believes to be a state-sponsored actor. The stolen information includes people’s names, email addresses, telephone numbers, birth dates, passwords (most hashed with bcrypt), and, in some cases, encrypted or unencrypted responses to security questions and answers.
This makes the data breach one of the most serious to date, given not only who may be behind it, but the nature of the information the attackers were able to access, as well as the scale.
With the answers to security questions, a hacker could easily jump through a number of online forms to reset users’ passwords on sites where an additional means of account verification – like two-factor authentication – is not involved.
Yahoo says it has invalidated all the unencrypted security questions and answers so they can’t be used to access a Yahoo account, but of course those same questions are commonly repeated across the web.
However, the attacker did not gain access to unprotected passwords, says Yahoo. Nor were they able to get payment card information or bank account information, as these were housed in a different system that the one that was affected.
The company started notifying affected users via email beginning at 11:30 AM PDT, and asking them to change their passwords as well as adopt an alternate means of account verification. It will additional ask those who haven’t updated their passwords since 2014 to now do so, too.
Below is a copy of the email being sent to Yahoo users:
Even if you weren’t affected by the breach, Yahoo suggests using Yahoo Account Key, a newer authentication tool that increases security but eliminates the need to use a password.
Yahoo says it’s working with law enforcement on the matter, and that it found no evidence that the state-sponsored actor is currently on its network. However, the investigation is ongoing.
As always following a large-scale breach like this, other hackers will attempt to capitalize on the news for their own ends.
That means you may begin to receive phishing emails that purport to help you reset your password, but will really redirect you to malicious websites where they can more easily capture your personal information. Yahoo cautions users to be on the lookout for any unsolicited emails, and to avoid clicking links or downloading the attachments they may contain.
For those with questions about the breach, there’s now a Yahoo help page dedicated to the topic at https://yahoo.com/security-update.