Yahoo today confirmed that state-sponsored attackers compromised the company’s network in 2014, stealing data belonging to 500 million users.
The stolen data includes names, email addresses, phone numbers, hashed passwords, dates of birth, and security questions and answers, some of the latter stored unencrypted. Yahoo said it doesn’t believe that bank account data, payment card data, or unencrypted passwords were stolen.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter,” the company said in a statement Thursday.
The confirmation from Yahoo comes months after news of a potential breach broke. A hacker claimed to be selling hundreds of millions of Yahoo user credentials online, but Yahoo officials only said they were aware of the hacker’s claims.
“The ease of getting tons of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, make brute force attacks more effective than ever and force application providers to take proper measures to protect their users,” Amichai Shulman, CTO of Imperva, said.
“Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.”
Although the data from the Yahoo breach isn’t fresh, it still has value to attackers thanks to users’ propensity to reuse passwords across multiple sites and to rarely, if ever, change them. Earlier this week, researchers at Digital Shadows revealed that 97 percent of the top 1,000 global companies have had user credentials exposed online, many of them through third-party breaches. Given the scope of the Yahoo breach, it’s entirely likely that corporate email addresses and other information are among the stolen data.
Yahoo said it is forcing affected users to change their passwords, and is recommending that any user who hasn’t done so since 2014 do the same, regardless of whether they’re affected. The company also has invalidated the security questions and answers compromised in the breach.
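A forced reset only helps if the replacement password is not one attackers already hold from earlier dumps, which is the reuse problem described above. The following is an added example, not Yahoo's code or anything from the article: it applies the two reset rules the article reports (affected accounts, and accounts whose password has not changed since 2014) and screens the new password against a breached-password corpus using the k-anonymity prefix lookup used by public range APIs. The corpus, the `RESET_CUTOFF` date (the article's "since 2014" taken as before 2015-01-01), and all function names are assumptions made for the example.

```python
import hashlib
from datetime import date
from typing import Dict, Tuple

# Constructed sample corpus of already-leaked plaintext passwords and the number of
# times each was seen across earlier dumps. Hypothetical data, not from any real breach.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password1": 3_000_000,
    "qwerty123": 800_000,
    "Summer2014!": 40,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the candidate; the range index is keyed on it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus by the first five hex characters of the SHA-1.

    Each prefix maps to {35-char suffix: count}. A client asking for one prefix
    receives every suffix under it and matches locally, so the lookup service
    never learns which password was being checked (the k-anonymity scheme used
    by public breached-password range APIs).
    """
    index: Dict[str, Dict[str, int]] = {}
    for plaintext, count in corpus.items():
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """How many times the password appears in the indexed corpus (0 = not seen)."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)


# Assumption: the article's "hasn't changed since 2014" is read as any password
# last changed before 2015-01-01.
RESET_CUTOFF = date(2015, 1, 1)


def reset_decision(
    affected: bool,
    last_changed: date,
    new_password: str,
    index: Dict[str, Dict[str, int]],
    cutoff: date = RESET_CUTOFF,
) -> Tuple[bool, str]:
    """Apply the two reset rules the article reports, then screen the replacement
    so a forced reset does not land on a password attackers already hold.

    Returns (accepted, reason).
    """
    must_reset = affected or last_changed < cutoff
    if not must_reset:
        return True, "no reset required"
    seen = breach_count(new_password, index)
    if seen:
        return False, f"new password seen {seen} times in breach corpus"
    return True, "reset accepted"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED)
    print(reset_decision(True, date(2013, 6, 1), "password1", idx))
    print(reset_decision(True, date(2013, 6, 1), "correct horse battery staple", idx))
    print(reset_decision(False, date(2016, 3, 1), "password1", idx))
```

In production the corpus would be the full range file for one prefix fetched from a breached-password service rather than an in-memory dictionary, but the matching logic is the same: hash locally, send five characters, compare suffixes on the client.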
Image from Flickr stream of Abhisawa.