Friday, September 23, 2016
Yahoo confirms hacker stole personal data of “at least” 500 million users
In case you're wondering why professionals suggest you use strong, distinct passwords for each account and change them, and any security questions, regularly ...
Yahoo today confirmed it’s working with law enforcement to investigate a data breach which affected the account information of “at least” 500 million users. The company says that the user account information was stolen from its network in late 2014 by what it now believes to be a state-sponsored actor. The stolen information includes people’s names, email addresses, telephone numbers, birth dates, passwords (most hashed with bcrypt), and, in some cases, encrypted or unencrypted responses to security questions and answers.
This makes the data breach one of the most serious to date, given not only who may be behind it, but the nature of the information the attackers were able to access, as well as the scale.
With the answers to security questions, a hacker could easily jump through a number of online forms to reset users’ passwords on sites where an additional means of account verification – like two-factor authentication – is not involved.
Yahoo says it has invalidated all the unencrypted security questions and answers so they can’t be used to access a Yahoo account, but of course those same questions are commonly repeated across the web.
However, the attacker did not gain access to unprotected passwords, says Yahoo. Nor were they able to get payment card information or bank account information, as these were housed in a different system that the one that was affected.
The company started notifying affected users via email beginning at 11:30 AM PDT, and asking them to change their passwords as well as adopt an alternate means of account verification. It will additional ask those who haven’t updated their passwords since 2014 to now do so, too.
Posted by Bob at 5:01 AM