Yahoo released an important message about Yahoo User Security on the official company blog a moment ago confirming that information on at least 500 million Yahoo accounts was stolen in late 2014.
The company believes that a state-sponsored actor is behind the attack. According to the blog post, names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers were stolen.
Yahoo states that there is no evidence currently that unprotected passwords, payment card data, bank account information or other financial information were among the stolen data.
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo plans to inform affected users starting doing. The message that the company plans to send out may differ from region to region. You can check the U.S. message here (PDF document).
The email includes information on what happened, what information was involved, what Yahoo is doing, and what individual users can do about it.
Yahoo will ask users that are affected to change their passwords and add alternate means of account verification to the account. The company has invalidated any unencrypted security questions and answers, and recommends that users who have not changed their Yahoo passwords since 2014 to do so immediately.
To change the Yahoo password, do the following:
Yahoo asks users furthermore to change account passwords and security questions/answers for any other account that has been associated with the Yahoo account, or where the same email address and password were used.
Yahoo users should expect to get spam communications and emails that may be personalized.
One option to strengthen the security of the Yahoo account is to use Yahoo Account Key. This is an authentication tool that is integrated into the Yahoo application for Android and iOS, and available for set up from a web browser as well.
Additional information about Yahoo Account Access are available here.
It is rather frightening that information about year-old hacks that dumped millions of user account information come to light years later only, if at all.
It is clear that anyone with access to the data had years to exploit the information and decrypt passwords. While it makes sense for Yahoo to inform users now that they need to change passwords on Yahoo and on third-party sites if username and password was shared, it may very well be too late for a lot of accounts.
Now You: Are you affected by the security breach?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.