Yahoo! Inc. has confirmed rumors of a massive data breach of its service. The company announced on 22 September 2016 that roughly 500 million user accounts’ passwords (along with other sensitive information) were stolen, adding that it was perpetrated by a “state actor.”
In August, a hacker who went by “Peace” claimed to be selling information from 200 million Yahoo accounts, dating from 2012, for US$1,800:
In June, WIRED interviewed the hacker known as Peace or Peace of Mind, who’s behind the data sale on Real Deal. Peace claimed to be a former member of a team of Russian cybercriminal hackers. He or she later sent WIRED a sample of the purported Yahoo data, but when WIRED sent test messages to the email addresses, half of them were invalid.
But Yahoo’s announcement suggests a different breach. The timing, scale and Yahoo’s claim of state involvement indicate it may be distinct from the one that surfaced data on the dark web and could also be significantly more serious.
Yahoo said the information was taken in 2014 and added in a statement that it has notified the authorities:
The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
The Federal Bureau of Investigation told CNN Money that the bureau is investigating the hack:
The FBI is aware of the intrusion and investigating the matter. We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.
News of the hack came just as Yahoo was trying to negotiate a sale to Verizon:
“Within the last two days, we were notified of Yahoo’s security incident,” said spokesman Bob Varettoni. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
The company said that it is in the process of notifying affected users. Meanwhile, account holders should watch for unsolicited communications that ask for personal information, or that try to direct them to a website that asks for personal information.