Yahoo admits information on 500m users stolen by hackers

Office of the Data Protection Commissioner seeks further information

The Office of the Data Protection Commissioner said it is awaiting further information on a “number of issues” regarding the Yahoo data breach and is expected to issue an updated statement on Friday.

The internet company announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago.

In a statement, Yahoo said user information – including names, email addresses, telephone numbers, birth dates, passwords, and in some cases security questions – was compromised in 2014 by what it believed was a “state-sponsored actor.”

It did not name the country involved. The company said it was working with law enforcement officials. It encouraged users to review their online accounts for suspicious activity and to watch out for suspicious emails.


The announcement comes as Verizon Communications moves forward with its $4.8 billion acquisition of Yahoo. It is unclear what effect the breach, if any, will have on Yahoo's sale price.

That will most likely depend on what Verizon learns about Yahoo’s security controls. But security experts say the incident could have far-reaching consequences for users beyond Yahoo’s services.

“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web.

“This is one of the biggest breaches of people’s privacy and very far reaching.”

The revelation appears to confirm earlier reports that the same hacker who stole data from LinkedIn was selling information from Yahoo accounts on a dark web marketplace.

Hacker named Peace

The data for sale includes user names, hashed passwords and birth dates and probably dates from 2012, Motherboard reported in August, citing the attacker, who went by the name Peace.

Yahoo said at the time that it was investigating the claim. Many of the accounts in a sample of the data obtained by Motherboard were no longer in use and had been cancelled.

The sale of all of the data for just under $2,000 (€1,781) also suggested that the information itself was of little value: either most of it was obsolete or made up, or the hackers had already attacked the legitimate accounts and no longer needed the data.

Whatever the scale of the alleged breach, the incident shows the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years, either without the breached companies knowing, or with them taking only minimal action based on whatever the hackers tell them was taken.

LinkedIn said in May it was investigating whether a 2012 breach of more than six million user passwords was bigger than originally thought, following a hacker’s attempt to sell what were purported to be the credentials of 117 million accounts.

Reset passwords

The company said it appeared more data had been taken in the initial compromise and that it was only learning of the larger amount through the hacker’s posting. Like many internet companies that have been breached, LinkedIn at the time reset the passwords only of the users it then believed were part of the breach, which amounted to 6.5 million accounts.

It is unclear what steps, if any, Yahoo has taken since learning about the alleged compromise.

Reports of the security breach come just as chief executive Marissa Mayer is about to close a deal that ends the once-dominant internet firm's independence.

Verizon is acquiring its internet assets for $4.8 billion, bringing the web portal together with long-time rival AOL. The telecommunications company will pick up services that still draw a billion monthly users, including mail, news and sports content and financial tools.

– Bloomberg / Reuters