Earlier in the week, reports had begun circling about a rumoured Yahoo data breach. Now Yahoo Chief Information Security Officer Bob Lord has officially confirmed that the company had been the victim of a state-sponsored hacking operation. Most surprisingly is the breadth of the attack, with over 500 million accounts having their information stolen. This makes the incident one of the largest ever to hit a single company.
According to Lord, the “account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers“. Furthermore, the attack took place back in late 2014, meaning the hackers may have already done what they’ve wanted to do with the data.
There has been no explanation yet about how the attack took place, who did it or why it took so long for Yahoo to discover they were compromised. At this point, the investigation is still ongoing but there is no indication that attackers are still in the system. Yahoo is working with unspecified law enforcement agencies tin response to the data breach.
For now, Yahoo is notifying potentially compromised users and suggesting that they change their passwords, security questions as well using two-factor authentication. Given the time frame, most of the damage is likely already done. Even if Yahoo is not prompting you, I would suggest changing any passwords dating before 2015 as a precaution. Luckily, the majority of the passwords were hashed with bcrypt which is designed to slow down the attacker and increase the difficulty. Unfortunately, given the large size, even if a few percent of the passwords were hashed with MD5, those accounts have likely been comprised for a long time. There’s also the question of why some security questions were not encrypted, meaning they could be used to compromise other accounts.
Once it seems like that age old adage that there are only those who know they’ve been compromised and those who haven’t discovered they’ve been compromised holds true. For those users utilizing password managers, changing just the Yahoo password will suffice. But for those that reuse their passwords, now would be the time to reconsider that practice. You can find additional details and security settings to tweak on Yahoo here.
