500 Million Yahoo Accounts Hacked: Here’s What We Know


Yahoo Inc. has confirmed rumors of a massive security breach affecting at least 500 million Yahoo Mail users in what is possibly the largest data breach in history.

Breached account information may include names, email addresses, telephone numbers, dates of birth, bcrypt hashed passwords and encrypted or unencrypted security questions and answers, according to the official Yahoo Tumblr post confirming the breach.

Yahoo has said that stolen information did not include unprotected passwords, payment card data, or bank account information, as payment card data and bank account information are not stored in the breached system.

In an official statement, Yahoo’s Chief Information Security Officer (CISO) Bob Lord blamed the attack on “state-sponsored” malicious actors, though just what state he means, and why they want access to Yahoo user accounts, is unclear. Yahoo is working closely with law enforcement on the matter, according to Lord’s statement.

For many, Yahoo’s announcement comes as no surprise. In August, hackers were discovered trying to sell 200 million Yahoo accounts, and on Thursday morning Recode reported that the company was preparing to confirm the breach reports. But the announcement couldn’t possibly come at a worse time for Yahoo and its CEO Marissa Mayer, who is looking to complete a $4.8 billion sale of Yahoo’s core Internet business to media giant Verizon Communications.

While many of the stolen passwords are bcrypt hashed, and thus well protected, Yahoo has strongly encouraged users to change their passwords, security questions and answers for Yahoo accounts and any other accounts that use the same or similar passwords and security questions.

In the enterprise realm, the loss of unencrypted security questions and answers creates a large risk for businesses and organizations that rely on those techniques to enhance security for traditional credentials, according to Leo Taddeo, CSO of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office.
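The two preceding points, that bcrypt-hashed passwords are well protected while security answers stored in the clear are not, come down to how the secret sits at rest. The following Python is an added example written for this article, not code from Yahoo or from Solutions Review. bcrypt is not in Python's standard library, so hashlib.scrypt, a salted and deliberately slow hash of the same class, stands in for it; the cost parameters, the normalisation rules and the sample answers are assumptions chosen so the example runs quickly offline.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# scrypt cost parameters (assumed values for this example). They make each
# guess expensive for an attacker holding a stolen table; a deployment tunes
# them to its own hardware, just as bcrypt's cost factor is tuned.
SCRYPT_N = 2 ** 14   # CPU/memory cost
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
DKLEN = 32           # derived key length in bytes
SALT_LEN = 16


def hash_secret(secret: bytes, salt: Optional[bytes] = None) -> dict:
    """Return a storage record {salt, digest, params} for an arbitrary secret.

    A fresh random salt per record means two users who chose the same secret
    get unrelated digests, so one precomputed dictionary cannot be applied
    to the whole leaked table.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "digest": digest.hex(),
            "params": (SCRYPT_N, SCRYPT_R, SCRYPT_P)}


def verify_secret(candidate: bytes, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    n, r, p = record["params"]
    digest = hashlib.scrypt(candidate, salt=bytes.fromhex(record["salt"]),
                            n=n, r=r, p=p, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def normalize_answer(answer: str) -> str:
    """Canonicalise a security-question answer before hashing.

    "Fluffy", "fluffy " and "FLUFFY" name the same pet; without this step a
    hashed answer would only match one spelling, which is one reason sites
    keep answers in the clear. Normalising first removes that excuse.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str) -> dict:
    return hash_secret(normalize_answer(answer).encode("utf-8"))


def verify_answer(candidate: str, record: dict) -> bool:
    return verify_secret(normalize_answer(candidate).encode("utf-8"), record)


def hash_password(password: str) -> dict:
    # Passwords are NOT normalised: case and spacing are part of the secret.
    return hash_secret(password.encode("utf-8"))


def verify_password(candidate: str, record: dict) -> bool:
    return verify_secret(candidate.encode("utf-8"), record)


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    answer_record = hash_answer("Fluffy")
    print("answer digest:", answer_record["digest"][:16], "...")
    print("' fluffy ' accepted:", verify_answer(" fluffy ", answer_record))
    print("'Rex' accepted:", verify_answer("Rex", answer_record))
    # Same answer, new salt: digests differ, so the table leaks no equality.
    print("same answer, different digest:",
          hash_answer("Fluffy")["digest"] != answer_record["digest"])
```

The stored record is all an attacker obtains from a breached table, and recovering the original value from it means paying the scrypt cost per guess per record. A column of plaintext answers offers no such cost, which is why the article treats the two categories of loss differently.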

“The best defense is to deploy access controls that examine multiple user attributes before allowing access,” Taddeo told Solutions Review. “This type of ‘digital identity’ makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”


Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.

2 thoughts on “500 Million Yahoo Accounts Hacked: Here’s What We Know”

  1. Couldn’t agree more with you, Jeff! Recently, as per Cisco’s Annual Security Report for 2016, though threat perception among SMBs is increasing, there is still a section that believes their businesses are not high-value targets for online criminals. Businesses must understand that whether small or big, if they are dealing with customer data, they must ensure a high layer of security measures.
    Bonny Jones
