We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
As Forbes points out, bcrypt is a very strong password-hashing method, so these passwords could still be safe. However, if this is a ‘state-sponsored’ act, it might not be unreasonable to assume that the powers that now have possession of this data might have more robust password-cracking technology than your regular basement hacker. Takeaway here: you probably want to change your Yahoo password. And if you’re in the 59% of the population that reuses the same passwords on multiple services, then you should change all of those passwords too.
It is reported that no bank account information was compromised in this breach.
Yahoo says that an internal investigation has left them confident that the “state-sponsored actor” is no longer active in Yahoo’s network. The company is working with law enforcement to further investigate this matter.
Yahoo says that they are reaching out to affected users. To ensure that users have the ability to confirm that this outreach comes from a legitimate source, they are making public the content of the email that they will be sending. Once they’ve finished drafting the email, it will appear in full here. At time of writing this is a dead link, but Yahoo says it should be available by 11:30am (PDT).
In addition to changing your account password, you should also change your security questions and review your account for any suspicious activity.
This may actually be the largest data breach of all time. We knew something was bad when 200 million Yahoo account records went up for a dark web sale earlier this summer, but it seems that was less than half of the actual damage. This comes at a bad time for Yahoo, which is slated to be sold to Verizon for $4.8 billion. This incident may wind up affecting that price tag.
What are your thoughts regarding this massive data breach? Let us know your take in the comments below!