Yahoo ‘state’ hackers stole data from 500 million users

Malta Independent - TECHNOLOGY

Yahoo says “state-sponsored” hackers stole information from about 500 million users in what appears to be the largest publicly disclosed cyber-breach in history.

The breach included swathes of personal information, including names and emails, as well as “unencrypted security questions and answers”.

The hack took place in 2014 but has only now been made public.

The FBI has confirmed it is investigating the claims.

Stolen data includes names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data, Yahoo said.

It said the information was “stolen by what we believe is a state-sponsored actor” but did not say which country it held responsible.

News of a possible major attack on the technology firm emerged in August when a hacker known as “Peace” was apparently attempting to sell information on 200 million Yahoo accounts.

On Thursday, Yahoo confirmed the breach was far bigger than first thought.

Yahoo is recommending all users should change their passwords if they have not done so since 2014.

In the UK, ISPs Sky and BT issued warnings for customers that they may be affected by the breach as Yahoo provides email services for both ISPs. Sky advised all its customers to change their passwords as Yahoo is behind all Sky.com email accounts.

BT said it was carrying out its own investigation but advised the “minority” of its customers who use Yahoo mail to change their passwords.

In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn.

Verizon said it had learned of the hack “within the last two days” and said it had “limited information”.

It added: “Until then, we are not in position to further comment.”

Yahoo said in a statement: “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”

Reuters reported three unnamed US intelligence officials as saying they believed the attack was state-sponsored because it was similar to previous hacks linked to Russian intelligence agencies.

Nikki Parker, vice-president at security company Covata, said: “Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can’t shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem.”

She added: “Let’s hope the ink is dry on the contract with Verizon.”

Questions are being asked about the length of time it took Yahoo to fully acknowledge the breach.

“It is really worrying that a breach from 2014 can have gone undetected for so long,” said Prof Alan Woodward from the University of Surrey.

“It is also surprising the public statement took so long to appear.”

“I would have thought most companies had learned by now that early disclosure is better, even if you have to revise and update as you learn more.”

The scale of the hack eclipses other recent, major tech breaches - such as MySpace (359 million), LinkedIn (164 million) and Adobe (152 million).

The nature of the information stolen feels somewhat run-of-the-mill - no payment info, and passwords were encrypted. But the chain of events leading up to this unprecedented announcement gives rise to some incredibly pressing questions for Yahoo.

Why did it take so long to confirm the hack and its scale?

Why did it take so long to tell users and prompt them to protect themselves?

State-sponsored attacks are typically for political, not financial gain. So why were details reportedly being sold online? What evidence is there that it was state-sponsored?

Verizon, which has agreed to buy Yahoo, said it had not been told until a couple of days ago - why not? And why is Marissa Mayer, a chief executive who has presided over bad deals and now the biggest breach in internet history, still in charge?
