
By Pat May and Ethan Baron, business reporters, San Jose Mercury News

In what appears to be the biggest data breach in history, Yahoo has been hit by a massive hack affecting at least 500 million user accounts, the company said Thursday.

While the scale of the attack is huge, the potential for damage is limited because users’ financial information was not compromised, analysts said. But Yahoo customers need to be wary of the possibility criminals could use stolen personal data to extract more sensitive information from them, they said.

Yahoo blamed a “state-sponsored actor” for the huge theft, which it said occurred in 2014 when thieves hacked into the Sunnyvale tech firm’s data centers. Neither Yahoo nor federal investigators indicated what nation was believed to be behind the attack.

Yahoo said it had no evidence the hacking entity was still in its system, and that the company was working closely with law enforcement on the matter.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said, confirming its role in the investigation.

The breach also raises troubling issues for Yahoo itself, which has agreed to sell key company assets to Verizon. It can be costly to repair vulnerabilities and compensate customers after a hack, and Verizon said Thursday it is closely monitoring the fallout of the incident.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers, Yahoo said. However, the company said, stolen passwords were “hashed,” meaning run through a one-way function that turns each password into a scrambled string from which the original cannot be recovered, and that the “vast majority” were hashed with bcrypt, an algorithm built to be slow so that guessing passwords against the stolen hashes is costly.

“Passwords that have been hashed can’t be converted into the original plain text password,” Yahoo said. The bcrypt hashing used on the bulk of the passwords provides “advanced protection against password cracking,” the company said.

The fact that the data was stolen in 2014 and that there appear to have been no reports of individual Yahoo users being victimized mitigates the effects of the breach, said Pivotal Research analyst Brian Wieser.

“Most consumers who might’ve been impacted would presumably already have been impacted to some degree,” Wieser said. “It would be different if all the data, email addresses and passwords had been sucked out today.

“Obviously, it’s negative, but is it manageable? Probably. Is it going to cause users to stop using Yahoo? Probably not, at least not any more than they have already. It’s probably not a big deal, but we’ll have to see.”

However, the stolen data that wasn’t encrypted, such as birth dates, phone numbers and email addresses, could put users at risk of attacks by criminals who could contact them by email, phone or text and pose as representatives of banks, or even the Internal Revenue Service, said Adam Levin, chair of identity-protection firm IDT911. The attackers could then use any personal data they have acquired to persuade a person to give them additional information that would enable theft from bank accounts or fraudulent credit card use, Levin said.

Additionally, a user’s stolen Yahoo data could be combined with other information taken from publicly available sites online and via previous hacks of other businesses, agencies and services to build a more comprehensive identity profile of the user and boost the chances criminals could use the data for illegal purposes, Levin said.

“These are very clever, sophisticated, persistent people,” Levin said. “There’s a pot of money at the end of the rainbow.”

Yahoo users should be concerned over the firm’s “lack of (user-security) investment and the lack of communication in how they are keeping consumers’ personal information as secure as digitally possible,” said Eric Schiffer, a cybersecurity expert and CEO of private equity firm The Patriarch Organization. “Whenever your personal information is released to nefarious dark characters that have evil intent, all bets are off.”

Users of Yahoo should not only change passwords and consider using platforms other than Yahoo, they should check all their financial records, including bank accounts, credit cards and stock holdings, Schiffer said. “I’d be looking at any activity involving money or assets,” Schiffer said.

The breach put Yahoo in the sights of U.S. Sen. Mark Warner, a member of the Senate banking and intelligence committees.

“While we have seen more and more data breaches in the private sector in recent years, many of them affecting millions of consumers, the seriousness of this breach at Yahoo is huge,” Warner said in a statement. “I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.”

Yahoo said it had found out about the breach through a “recent investigation.” A source familiar with the matter said Yahoo’s internal investigators probed a July report that a hacker was selling 280 million Yahoo user credentials on the black market, but found no evidence to support the report. But after the investigation, Yahoo’s security team, while examining the firm’s systems, found evidence that a data theft by a state-sponsored actor occurred in 2014, the source said.

Forrester analyst Jeff Pollard called Yahoo’s failure to protect and notify users earlier “completely unacceptable.”

“It’s taken almost two years for Yahoo to discover, verify, come clean and inform them,” Pollard said.

Security firms that monitor the “dark web,” or online black market, for postings indicating data thefts started to see Yahoo user information being traded about six weeks ago, said Alberto Yépez, co-founder of Trident Capital Cybersecurity, a San Mateo venture capital firm that invests exclusively in cybersecurity companies.

Firms usually don’t know they’ve been hacked until evidence of such information trading is uncovered, Yépez said.

Troubled Yahoo put itself up for sale in February, and in July announced Verizon would buy its internet business for $4.83 billion.

For Yahoo and CEO Marissa Mayer, revelations of the breach bring complications amid a sale process to Verizon that isn’t expected to conclude until the first quarter of next year. Mayer has faced frequent and loud calls for her ouster as the firm racked up major losses while Google and Facebook dominated the digital advertising market.

“If you are Marissa Mayer, you’re going to feel a little like Queen Elizabeth, who a few years back was asked, ‘How would you describe the past year?’ and she called it an ‘annus horribilis’ — a horrible year,” said venture capitalist Venky Ganesan, chair of the National Venture Capital Association.

Pivotal’s Wieser said the breach was unlikely to stop the sale, but that Verizon could conceivably use it to leverage a better deal. Also, the sale agreement may include penalties against Yahoo if hits to its brand value occur, Wieser added.

And because federal law requires companies to provide at least two years of identity-security monitoring to customers affected by data breaches, the issue of who would pay for those services to hundreds of millions of users could affect the terms of the Verizon sale, Trident’s Yépez said.

“It’s a lot of money,” Yépez said. “Who’s going to pay — is it Yahoo or Verizon?”

Verizon on Thursday issued a statement saying it knew little beyond the fact that Yahoo had suffered a “security incident” and was investigating. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.

Although Yahoo has “missed the mark” on promises to improve email security, investors in major companies expect data breaches from time to time, said Mizuho Securities analyst Neil Doshi. “What they don’t expect is massive financial breaches — that’s where I think you’d see stocks getting more punished than an email data breach,” Doshi said, noting that Yahoo’s stock price rose slightly on Thursday. After opening at $43.94, the share price closed Thursday at $44.14. But in after-hours trading to 6 p.m., the share price had fallen to $43.60.

The size of the Yahoo hack makes all other such corporate attacks pale in comparison. In 2014, hackers stole data from 145 million eBay users. But because the material stolen from Yahoo did not apparently include data such as payment card numbers, the damage is unlikely to be as bad as in some of the other major hacks, analysts said.

Heartland Payment Systems, for example, had to pay more than $110 million to credit and debit card companies after hackers stole 130 million card numbers from the firm in 2009. Target, which lost 40 million credit and debit card numbers to hackers in 2013, spent more than $100 million to deal with the fallout.

Yahoo said Thursday it was telling “potentially affected users” to change their passwords and create different means for account verification, and it recommended that all users who hadn’t changed their passwords since 2014 should do so.

What users can do

Yahoo recommends:

  • Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Cybersecurity experts recommend:

  • Use two-factor authentication for logins.
  • Make up security question answers that aren’t true, so they can’t be easily guessed by criminals who may have other information about you.
  • Don’t use the same usernames and passwords across multiple accounts and services.