Billion Yahoo accounts breached by hacker
Attack happened three years ago but just uncovered
SAN FRANCISCO // Yahoo has discovered a three- year- old security breach that enabled a hacker to compromise more than a billion user accounts, including tens of thousands belonging to United States military and government officials. The attack, disclosed on Wednesday, took place in August 2013, more than a year before a separate hack that Yahoo announced three months ago. That breach affected at least 500 million users and was the most far-reaching hack known until the latest revelation.
“It’s shocking,” said Avivah Litan, a security expert at the IT research and advisory company Gartner.
More than 150,000 US government and military employees are among the victims of the newly disclosed data breach, and their names, passwords, telephone numbers, security questions, birth dates, and backup email addresses are now in the hands of cybercriminals.
The leak could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security. These employees had given their official government accounts to Yahoo in case they were locked out of their email.
Among those affected are current and former White House staff, US politicians and their aides, diplomats, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the office of the director of national intelligence, and each branch of the US military. Both breaches at Yahoo occurred during the reign of chief executive Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival.
The latest revelation could affect a deal Yahoo reached this year to sell its digital operations to Verizon Communications for US$4.8 billion (Dh 17.6bn).
Yahoo did not say if it believed the same hacker might have pulled off two attacks. The California company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it had not been able to identify the source behind the 2013 intrusion.
It does not appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably was not the work of ordinary criminals. That means most Yahoo users probably do not have anything to worry about, said J J Thompson, chief executive of Rook Security.
Hackers apparently stole passwords in both attacks, however, which could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is asking users to change their passwords and invalidating security questions.