Yahoo finally admits data breach reports from early August

Sep 22, 2016 20:35 GMT  ·  By

Yahoo has formally admitted the data breach first reported at the start of August, but the situation is far worse than the initial estimates: the company says over 500 million users are affected, compared to early rumors of 200 million.

In a press release published today, Yahoo says the data was stolen in 2014, not 2012 as initially reported, and attributes the intrusion to a "state-sponsored actor," a term for another country's cyber-intelligence division or for hacking crews protected by state officials.

Only user records stolen, no financial details

Yahoo says the intruders stole names, email addresses, telephone numbers, dates of birth, hashed passwords and, for some users, encrypted or unencrypted security questions and answers.

The company said most of the passwords were hashed with bcrypt, a strong password-hashing algorithm designed to protect passwords stored on a server.

The good news is that the intruder never had access to sensitive information such as unprotected passwords, payment card data, or bank account information. Yahoo said this data was stored on a separate system that the attackers did not manage to access.
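Why a salted, slow hash makes a stolen password table far less useful, as an added example that is not from the article or from Yahoo: it uses PBKDF2 from Python's standard library as a stand-in for bcrypt (same idea, a per-record random salt plus a tunable work factor), and also hashes the security answers the article says were sometimes stored unencrypted. The function names and the sample account are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: PBKDF2 iteration count, the analogue of bcrypt's cost parameter.
# Raising it makes every offline guess against a dumped table proportionally slower.
ITERATIONS = 200_000


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for a password or answer."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record: identical secrets hash differently
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def normalize_answer(answer: str) -> str:
    """Security answers are low-entropy free text; normalise before hashing so 'Rex ' == 'rex'."""
    return " ".join(answer.strip().lower().split())


def make_record(email: str, password: str, answer: str) -> dict:
    """Build the account row as it would sit in the database: no plaintext secrets anywhere."""
    return {
        "email": email,
        "password": hash_secret(password),
        "security_answer": hash_secret(normalize_answer(answer)),
    }


def verify_answer(answer: str, record: dict) -> bool:
    return verify_secret(normalize_answer(answer), record["security_answer"])


if __name__ == "__main__":
    rec = make_record("user@example.com", "correct horse battery staple", "Rex")  # constructed
    print(rec)  # a dumped row shows only salted digests, never the password or the answer
    print("login ok:", verify_secret("correct horse battery staple", rec["password"]))
    print("answer ok:", verify_answer("  rex", rec))
```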

The company also said there are no signs that the intruders are still in its systems. If this breach is fully confirmed at the investigation's conclusion, at 500 million user records it will be the biggest data breach of all time.

Affected users will be prompted to change passwords

Yahoo is currently notifying affected users. All potentially affected users will be asked to choose new passwords and security questions.

"End users can help protect themselves by staying on top of their own password hygiene," John Peterson, vice president & general manager of Comodo Enterprise recommends. "If an organization that you interact with reports a breach, don’t wait to update your password. Do it immediately."

The Yahoo data breach first came to light in August, when a hacker named Peace put up an ad on a Dark Web marketplace. The hacker claimed to be in possession of 200 million user records, which he said he received from a group of Russian hackers. Peace was asking 3 Bitcoin (approximately $1,800) for the Yahoo data. Two weeks later, the hacker removed the ad.

Peace's Yahoo listing