Yahoo has confirmed earlier reports suggesting that data from hundreds of millions of user accounts has been stolen. In brief, Yahoo says that "at least 500 million user accounts" were stolen in late 2014 by what it believes to be a "state-sponsored actor". Details such as names, email addresses, telephone numbers and dates of birth were part of the purloined data mass; however, Yahoo says that user passwords were hashed (the vast majority with bcrypt). It is believed that no unprotected passwords, payment card data, or bank account information was stolen.
The hacker no longer has access to its systems, reckons Yahoo. Potentially affected users, including myself, received emails in the last few hours which contained security recommendations. Users should take the following steps:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
- Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
While Yahoo users fiddle around changing passwords and so on, the company says it is enhancing its security and working closely with law enforcement to find the hacker(s). A CNN report includes a statement from the FBI, who are part of the investigative team. Earlier reports pointed to a hacker by the name of 'Peace' who was previously hawking data from 200 million Yahoo users online.
It has taken Yahoo two months from the first rumours of this massive hack to reveal the full scale of what happened to its end users. Obviously it's hard to know when Yahoo first became aware of the intrusion and theft. Verizon, the US telecoms giant which is in the process of buying Yahoo's core assets, only found out about the huge user data breach a couple of days ago. There are questions as to whether Yahoo concealed data about the breach to help it get a better deal from Verizon.
Yahoo users can read more about what they should do at the official Account Security Issue FAQ pages.