As expected, Yahoo has confirmed it faced a gigantic breach and has finally recommended users change their passwords.
If you have an account with Yahoo and haven’t changed your password since 2014, now is the time to do it. The company confirmed today that a copy of sensitive user account information was stolen from its network in “late 2014”, and it suspects the attacker was a state-sponsored actor.
Details exposed included “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”, Yahoo said.
“We are working closely with law enforcement authorities and notifying potentially affected users of ways they can further secure their accounts,” Yahoo said.
Yahoo’s disclosure came a day after a report by Recode that the company was preparing to announce details of a breach this week, with sources claiming it was worse than the 200 million users affected as previously reported. It comes at a delicate time for Yahoo, which is midway through a $4.8bn sale of its core business to US telecoms giant Verizon.
A hacker using the name Peace in August told Motherboard he was selling 200 million Yahoo user credentials that were thought to be stolen in 2012, but clearly the date and scale of the breach disclosed today make it far worse than previously thought.
Yahoo subsequently launched an investigation to determine the extent of the breach, but did not recommend users change their passwords or, as some companies do following a breach, force a password reset.
Indeed, the breach of 500 million user credentials may go down as the largest breach in history, following similarly massive credential leaks of LinkedIn, Last.fm, and Myspace passwords in the past year.
Yahoo said the suspected state-sponsored actor was not currently in its network.
Yahoo’s investigation is ongoing, but it believes the stolen details did not include payment card data or bank account information, which were stored in a different system from the one that was breached.
While it’s only recommending users change their password if they haven’t done so since 2014, Yahoo hasn’t said when the breach occurred.
The company’s notification to affected users will also include steps to invalidate unencrypted security questions and answers.
Yahoo has also published an FAQ about the breach.