Yahoo has confirmed a massive data breach that stole information from at least 500 million user accounts, leaving many to wonder who’s behind the attack and what this means for their security.
Yahoo is alerting affected users and is taking some steps to protect users. There are also steps you can take to try to keep your information secure.
We’ve gathered up everything you need to know about the Yahoo hack, plus advice on what you can do to protect yourself.
Who’s the hacker?
The breach stems from a late 2014 hack by what Yahoo calls a state-sponsored actor. As our David Allen reported earlier, the attack was allegedly carried out by a hacker known as ‘peace’ (full name ‘peace_of_mind’).
Peace identified themselves to Wired as a former member of a team of Russian hackers who attacked a number of sites in 2012 and 2013 and sold stolen data on the dark web.
In August, peace claimed to be selling stolen login details for 200 million Yahoo accounts for around $2,000 (around £1,500, AU$2,700) a pop.
Yahoo was aware of peace’s claim at the time but did not issue a password reset. The company says its current investigation has not turned up evidence that the state-sponsored actor is currently in Yahoo’s network.
Stolen account information
According to Yahoo, information associated with at least 500 million user accounts was stolen. That information may include:
- Email addresses
- Telephone numbers
- Dates of birth
- Hashed passwords, the vast majority with bcrypt.
- In some cases, encrypted or unencrypted security questions and answers
Bcrypt, as Yahoo explains in an FAQ about the breach, is a password hashing mechanism that incorporates security features, including salting and multiple rounds of computation, to provide advanced protection against password cracking.
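The two properties the FAQ names, a per-user salt and a tunable number of rounds, are shown in the added example below. This is not Yahoo's code and not bcrypt itself: it uses Python's standard-library PBKDF2 as a stand-in for bcrypt's salted, iterated hashing, because the mechanism it illustrates is the same. The round counts, the record format and the three-word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor (PBKDF2 iteration count). Illustrative value chosen for this
# example; bcrypt expresses the same idea as a logarithmic "cost" parameter.
DEFAULT_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = DEFAULT_ROUNDS) -> str:
    """Salted, iterated hash in the storable form 'rounds$salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn for every call, so two users with the
    same password get different records and no table of precomputed digests
    applies to more than one of them.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    rounds_str, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds_str))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def seconds_per_verify(rounds: int, samples: int = 3) -> float:
    """Average cost of one verification at a given work factor.

    Raising the round count makes each legitimate login slightly slower and
    makes every guess against a leaked record slower by the same factor; that
    is what the "multiple rounds of computation" in the FAQ buys.
    """
    record = hash_password("example", rounds=rounds)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("example", record)
    return (time.perf_counter() - start) / samples


# Constructed three-word list showing why the salt matters: an unsalted digest
# can be matched against a table computed once and reused for every record.
CONSTRUCTED_WORDS = ["password", "letmein", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w
                  for w in CONSTRUCTED_WORDS}


def unsalted_digest(password: str) -> str:
    """What a plain, unsalted hash of the password looks like in storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """One table lookup recovers the password behind an unsalted record."""
    return UNSALTED_TABLE.get(digest)


def lookup_salted(record: str) -> Optional[str]:
    """The same table finds nothing for a salted record: a table would have to
    be rebuilt per record, with that record's own salt and round count."""
    return UNSALTED_TABLE.get(record.split("$")[2])


if __name__ == "__main__":
    rec = hash_password("letmein")
    print("record:", rec)
    print("verify correct:", verify_password("letmein", rec))
    print("verify wrong:  ", verify_password("letmein1", rec))
    print("unsalted lookup:", lookup_unsalted(unsalted_digest("letmein")))
    print("salted lookup:  ", lookup_salted(rec))
    for r in (1_000, 100_000):
        print(f"{r:>7} rounds: {seconds_per_verify(r):.4f}s per verification")
```

The record stores its own salt and round count, which is also how bcrypt strings carry their cost parameter; it lets a site raise the work factor over time and re-hash each user's password at their next successful login.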
Yahoo’s investigation suggests stolen information doesn’t include unprotected passwords, payment card data, or bank account information. The company notes payment card data and bank account information aren’t stored on the system that was hacked.
Steps Yahoo is taking
Yahoo says it’s alerting affected users via email. It cautions that its email will feature the company’s purple “Y” Yahoo icon, and won’t ask users to click on a link, contain any attachments or request personal information. Emails that do are likely an attempt to steal your information.
Yahoo advises affected users to change their passwords and implement alternative means of account verification.
It also advises that all users change their passwords if they haven’t done so since 2014.
The company has also invalidated unencrypted security questions and answers, and says it’s continuing to enhance its systems to detect and prevent unauthorized account access.
Finally, Yahoo’s investigation is ongoing, and it’s working alongside law enforcement on the case.
Steps you can take
The most proactive step you can take is to change the passwords and security questions and answers on any other, non-Yahoo accounts where you may have used the same or similar credentials as the ones for your Yahoo Account.
You can also check over your accounts for suspicious activity. Yahoo advises being cautious with unsolicited requests for your personal information or communications that take you to a web page asking for that information.
Avoid clicking on links or downloading attachments from suspicious emails, as those might be an attempt to steal your personal information.
Lastly, while affected Yahoo Account information doesn’t include unprotected passwords, email content, payment card data, or bank account information, it always pays to keep a close eye on your bank accounts and credit reports.
You can contact one of the three national credit reporting agencies for a credit report, and if you’re really concerned, you can issue a security freeze on your credit file at each agency. That may cost you a fee, however.