The Mercury News Weekend

Yahoo hit by huge hack

A ‘state-sponsored actor’ was responsible for theft of 500M users’ data, company confirms

By Patrick May and Ethan Baron, staff writers

In what appears to be the biggest data breach in history, Yahoo has been hit by a massive hack affecting at least 500 million user accounts, the company said Thursday.

While the scale of the attack is huge, the potential for damage is limited because users’ financial information was not compromised, analysts said. But Yahoo customers need to be wary of the possibility criminals could use stolen personal data to extract more sensitive information from them, the analysts said.

Yahoo blamed a “state-sponsored actor” for the extensive theft, which it said occurred in 2014 when thieves hacked into the Sunnyvale tech firm’s data centers. Neither Yahoo nor federal investigators indicated what nation was believed to be behind the attack.

Yahoo said that it had no evidence the hacking entity was still in its system and that the company was working closely with law enforcement on the matter.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said, confirming its role in the investigation.

The breach also raises troubling issues for Yahoo itself, which has agreed to sell key company assets to Verizon. It can be costly to repair vulnerabilities and compensate customers after a hack, and Verizon said Thursday it is monitoring closely the fallout of the incident.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers, Yahoo said. However, the company said, stolen passwords were “hashed,” meaning converted into randomized characters, and that the “vast majority” were heavily encrypted.

“Passwords that have been hashed can’t be converted into the original plain text password,” Yahoo said. The “bcrypt” heavy encryption on the bulk of the passwords provides “advanced protection against password cracking,” the company said.
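As an added illustration (not Yahoo’s code, and not a description of how Yahoo’s systems were built), the snippet below shows what the two claims above mean in practice for a password store: the record kept on disk contains a per-user salt plus a slow hash, never the plaintext, and a verification step recomputes the hash rather than decrypting anything. Python’s standard library has no bcrypt, so `hashlib.scrypt` stands in for it here; the work-factor idea is the same, and the `users` table and password values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for scrypt (assumed values for this example). Raising N makes
# every hash computation slower, which is what "protection against password
# cracking" buys: each guess an attacker tries costs the same extra time.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$salt_hex$hash_hex'.
    The plaintext never appears in the record, only the salt and the digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest under the stored salt and parameters and compare it
    in constant time. Nothing is 'decrypted'; a hash can only be recomputed."""
    scheme, n, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_yields_distinct_records(password: str) -> bool:
    """Two accounts sharing a password get unrelated records because each has its
    own salt, so a leaked table cannot be matched against one precomputed list."""
    return hash_password(password) != hash_password(password)


def unsalted_fast_hash_collides(password: str) -> bool:
    """Contrast: a plain, unsalted fast hash gives every user with this password
    the identical digest, which is why such records are far easier to crack."""
    a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return a == b


# Constructed sample store: username -> stored record (no plaintext kept anywhere)
users = {"alice": hash_password("correct horse battery staple")}
```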

The fact that the data were stolen in 2014 and that there appear to have been no reports of individual Yahoo users being victimized mitigates the effects of the breach, said Pivotal Research analyst Brian Wieser.

“Most consumers who might’ve been impacted would presumably already have been impacted to some degree,” Wieser said. “It would be different if all the data, email addresses and passwords had been sucked out today.

“Obviously, it’s negative, but is it manageable? Probably. Is it going to cause users to stop using Yahoo? Probably not, at least not any more than they have already. It’s probably not a big deal, but we’ll have to see.”

However, the stolen data that wasn’t encrypted, such as birth dates, phone numbers and email addresses, could put users at risk of attacks by criminals who could contact them by email, phone or text and pose as representatives of banks, or even the Internal Revenue Service, said Adam Levin, chairman of identity-protection firm IDT911. The attackers could then use any personal data they have acquired to persuade a person to give them additional information that would enable theft from bank accounts or fraudulent credit card use, Levin said.

Additionally, a user’s stolen Yahoo data could be combined with other information taken from publicly available sites online and via previous hacks of other businesses, agencies and services to build a more comprehensive identity profile of the user and boost the chances criminals could use the data for illegal purposes, Levin said.

“These are very clever, sophisticated, persistent people,” Levin said. “There’s a pot of money at the end of the rainbow.”

Yahoo users should be concerned over the firm’s “lack of (user-security) investment and the lack of communication in how they are keeping consumers’ personal information as secure as digitally possible,” said Eric Schiffer, a cybersecurity expert and CEO of private equity firm The Patriarch Organization. “Whenever your personal information is released to nefarious dark characters that have evil intent, all bets are off.”

Users of Yahoo should not only change passwords and consider using platforms other than Yahoo, they should check all their financial records, including bank accounts, credit cards and stock holdings, Schiffer said. “I’d be looking at any activity involving money or assets,” he said.

The breach put Yahoo in the sights of U.S. Sen. Mark Warner, a member of the Senate banking and intelligence committees.

“While we have seen more and more data breaches in the private sector in recent years, many of them affecting millions of consumers, the seriousness of this breach at Yahoo is huge,” Warner said in a statement. “I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.”

Yahoo said it had found out about the breach through a “recent investigation.” A source familiar with the matter said Yahoo’s internal investigators probed a July report that a hacker was selling 280 million Yahoo user credentials on the black market but found no evidence to support the report. But after the investigation, Yahoo’s security team, while examining the firm’s systems, found evidence that a data theft by a state-sponsored actor occurred in 2014, the source said.

Security firms that monitor the “dark web,” or online black market, for postings indicating data thefts started to see Yahoo user information being traded about six weeks ago, said Alberto Yépez, co-founder of Trident Capital Cybersecurity, a San Mateo venture capital firm that invests exclusively in cybersecurity companies.

Troubled Yahoo put itself up for sale in February, and in July announced Verizon would buy its internet business for $4.83 billion.

For Yahoo and CEO Marissa Mayer, revelations of the breach bring complications amid a sale process to Verizon that isn’t expected to conclude until the first quarter of next year. Pivotal’s Wieser said that the breach was unlikely to stop the sale, but that Verizon could conceivably use it to leverage a better deal.

And because federal law requires companies to provide at least two years of identity-security monitoring to customers affected by data breaches, the issue of who would pay for those services to hundreds of millions of users could affect the terms of the Verizon sale, Trident’s Yépez said.

Although Yahoo has “missed the mark” on promises to improve email security, investors in major companies expect data breaches from time to time, said Mizuho Securities analyst Neil Doshi. “What they don’t expect is massive financial breaches — that’s where I think you’d see stocks getting more punished than an email data breach,” Doshi said, noting that Yahoo’s stock price rose slightly Thursday. After opening at $43.94, the share price closed Thursday at $44.15. But in after-hours trading, the share price had fallen to $43.58.

The size of the Yahoo hack makes all other such corporate attacks pale in comparison. In 2014, hackers stole data from 145 million eBay users. But because the material stolen from Yahoo did not apparently include data such as payment card numbers, the damage is unlikely to be as bad as in some of the other major hacks, analysts said.

Heartland Payment Systems, for example, had to pay more than $110 million to credit and debit card companies after hackers stole 130 million card numbers from the firm in 2009. Target, which lost 40 million card numbers to hackers in 2013, spent more than $100 million to deal with the fallout.
