Yahoo Inc. has confirmed rumors of a massive security breach affecting at least 500 million Yahoo Mail users in what is possibly the largest data breach in history.
Breached account information may include names, email addresses, telephone numbers, dates of birth, bcrypt hashed passwords and encrypted or unencrypted security questions and answers, according to the official Yahoo Tumblr post confirming the breach.
Yahoo has said that stolen information did not include unprotected passwords, payment card data, or bank account information, as payment card data and bank account information are not stored in the breached system.
In an official statement, Yahoo’s Chief Information Security Officer (CISO) Bob Lord blamed the attack on “state-sponsored” malicious actors, though just what state he means, and why they want access to Yahoo user accounts, is unclear. Yahoo is working closely with law enforcement on the matter, according to Lord’s statement.
For many, Yahoo’s announcement comes as no surprise. In August, hackers were discovered trying to sell 200 million Yahoo accounts, and on Thursday morning Recode reported that the company was preparing to confirm the breach reports. But the announcement could hardly come at a worse time for Yahoo and its CEO Marissa Mayer, who is looking to complete a $4.8 billion sale of Yahoo’s core Internet business to media giant Verizon Communications.
While many of the stolen passwords are bcrypt hashed, they are better protected than most breached credentials: bcrypt is a salted, deliberately slow hash, so the hashes cannot be reversed directly and every offline guess is expensive. It does nothing, however, for a password that is weak, common or reused, which an attacker can still recover by guessing against the leaked hash. Yahoo has therefore strongly encouraged users to change their passwords and security questions and answers for Yahoo accounts and for any other accounts that use the same or similar passwords and security questions.
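Why that advice stands even for bcrypt-hashed passwords, as an added illustration that is not part of the article and not Yahoo’s code: a salted slow hash multiplies the cost of each offline guess but does not help a password that is already in the attacker’s wordlist. Python’s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it (the iteration count plays the role of bcrypt’s cost factor); the leaked records, salt and wordlist below are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Assumption: bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256
# stands in for it. Both are salted, deliberately slow hashes with a tunable work
# factor; bcrypt's "cost" plays the role of ITERATIONS here.
ITERATIONS = 20_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the stored record {salt, iterations, digest} a site would keep for one user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def dictionary_attack(record, wordlist):
    """Offline guessing against one leaked record.

    The salt stops precomputed tables and forces one full hash per guess, but the
    attacker has the salt (it is stored beside the digest), so every guess is
    checkable. Returns (recovered password or None, number of guesses tried).
    """
    for tried, guess in enumerate(wordlist, start=1):
        if verify(guess, record):
            return guess, tried
    return None, len(wordlist)


def seconds_per_guess(iterations, samples=5):
    """Rough wall-clock cost of one guess at a given work factor (machine dependent)."""
    record = hash_password("timing-probe", iterations=iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify("wrong-guess", record)
    return (time.perf_counter() - start) / samples


# Constructed sample data (not Yahoo data): one leaked record for a weak, common
# password, one for a strong passphrase, and a tiny attacker wordlist. The salt
# is fixed only so the demo is repeatable; real systems draw it from os.urandom.
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
LEAKED_WEAK = hash_password("summer2016", salt=FIXED_SALT)
LEAKED_STRONG = hash_password("quartz-heron-vellum-47-orbit", salt=FIXED_SALT)
WORDLIST = ["123456", "password", "qwerty", "yahoo123", "summer2016", "iloveyou", "football"]


def demo():
    """Run the wordlist against both leaked records; returns {"weak": (...), "strong": (...)}."""
    return {
        "weak": dictionary_attack(LEAKED_WEAK, WORDLIST),
        "strong": dictionary_attack(LEAKED_STRONG, WORDLIST),
    }


if __name__ == "__main__":
    results = demo()
    print("weak password:  ", results["weak"])    # recovered on the 5th guess
    print("strong password:", results["strong"])  # not in the wordlist, survives
    low, high = seconds_per_guess(2_000), seconds_per_guess(ITERATIONS)
    print(f"cost per guess: {low:.5f}s at 2000 iterations, {high:.5f}s at {ITERATIONS}")
```

The strong passphrase survives only because it is not in the wordlist, not because the hash is slow; a user whose Yahoo password was common or reused elsewhere should assume the hash will eventually be cracked and rotate it everywhere it was used.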
In the enterprise realm, the loss of unencrypted security questions and answers creates a large risk for businesses and organizations that rely on those techniques to enhance security for traditional credentials, according to Leo Taddeo, CSO of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office.
“The best defense is to deploy access controls that examine multiple user attributes before allowing access,” Taddeo told Solutions Review. “This type of ‘digital identity’ makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”