Yahoo Reveals Theft of 500m Users' Account Data – in 2014

There are data breaches and there are data breaches, but the one that Yahoo just fessed up to is in a whole different league. The company revealed yesterday that information associated with at least 500m user accounts had been stolen by what it believes is a “state-sponsored actor”, though it did not name the country it believes to be responsible. The hack eclipses the previous biggest data breaches – MySpace (359m); LinkedIn (164m); and Adobe (152m).

According to a statement issued by Yahoo CISO Bob Lord, the account information “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The statement went on to say that at this point in time, Yahoo believes that the stolen information did not include unprotected passwords, payment card data, or bank account information. Yahoo is advising its users to change their passwords if they have not done so since 2014.

The data breach is bad enough; what makes it even worse is that it has taken two years for Yahoo to inform its users of it. It only came to light while Yahoo was looking into reports of a separate breach, which in fact turned out to be false.

US telco Verizon agreed to buy Yahoo for $4.8bn (£3.7bn) in July, and said it only found out about the data breach a couple of days ago. Whether this will have any implications for the sale of the business is unclear, but for a company down on its luck, yesterday was another bad day in the office that Yahoo could well have done without.