Yahoo on Thursday confirmed our biggest fear—half a billion accounts may have been breached by a “state-sponsored actor.” This is no doubt the largest online data breach, beating the LinkedIn hack some months ago. It also comes at a time when the change of ownership from Yahoo to Verizon is being finalized by the parties involved.
The company said certain user account info, such as names, email addresses, phone numbers, dates of birth, hashed passwords, and in some cases encrypted or unencrypted security questions and answers, was stolen from its database two years ago. The theft, according to the company, is believed to be the work of a state-sponsored actor.
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter,” Yahoo said.
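The statement above notes that the vast majority of the stolen passwords were hashed with bcrypt, and that detail decides how much a stolen password database is worth to whoever holds it. The following is an added example, not code from Yahoo or from the article, that illustrates the principle: a salted, deliberately slow password hash (here the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, so it runs without third-party packages) beside a fast, unsalted SHA-256. The sample password, the record format and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample credential for the demonstration; not from any real account.
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for the slow hash (assumed value); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-256 over the password, no salt.

    Every user with the same password gets the same digest, and an attacker
    holding the dump can test a guess against every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, slow hash in the spirit of bcrypt (PBKDF2-HMAC-SHA256 stand-in).

    A random 16-byte salt is drawn per password, so identical passwords yield
    different records and precomputed tables are useless. The iteration count
    is stored in the record so it can be raised later without breaking logins.
    Record format (assumed here): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so a wrong guess cannot be told apart by timing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        # Malformed record: wrong field count, bad hex, or non-numeric iterations.
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_password_visible(records: List[str]) -> bool:
    """Report whether any two stored records are byte-for-byte identical.

    With unsalted hashes this is True whenever two users share a password,
    which is exactly the kind of information a breached table should not leak.
    """
    return len(set(records)) < len(records)


def demo() -> None:
    # Two constructed users who happen to pick the same password.
    users = ["alice", "bob"]
    weak = [fast_unsalted_hash(SAMPLE_PASSWORD) for _ in users]
    strong = [hash_password(SAMPLE_PASSWORD) for _ in users]
    print("unsalted SHA-256: duplicates visible =", duplicate_password_visible(weak))
    print("salted PBKDF2   : duplicates visible =", duplicate_password_visible(strong))
    print("login with right password:", verify_password(SAMPLE_PASSWORD, strong[0]))
    print("login with wrong password:", verify_password("password1", strong[0]))


if __name__ == "__main__":
    demo()
```

The point for a defender reading the breach notice: the salt defeats lookup tables and hides which users share a password, and the work factor turns an attack on a dumped table from a lookup into a per-guess, per-account computation. Neither property protects a password that is reused elsewhere, which is why the advice to change it still stands.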
Yahoo said it is already taking action, starting with notifying affected users by email. Here is a guide on what to do if you are one of the 500 million users affected by the breach:
- Change your password and adopt an alternate means of account verification.
- Change your password if you haven’t done so in the past two years.
- Change your security questions and answers.
- Don’t use the same password across multiple accounts on the internet [this can’t be stressed enough].
- Sign in to your account, check for any suspicious activity, and act promptly if you find any.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious email.
Yahoo has started sending emails to those affected by the security breach. However, caution is required at this point, as email about the breach may also arrive from the wrong sources. Yahoo gave a hint of what to expect from the email and how to identify a fake one:
“Please note that the email from Yahoo about this issue does not ask you to click on any links or contain attachments and does not request your personal information. If an email you receive about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.”