September 23rd 2016
Online giant Yahoo! has revealed that the personal data associated with at least 500 million accounts was stolen from its network two years ago. Security experts, law enforcement and account holders are heavily criticising the company for taking so long to release the information; disclosure at the time could have helped customers to safeguard themselves on the site and on other online accounts.
The company claims that it was a state-sponsored hacking group which stole the confidential details, which included names, passwords, email addresses, phone numbers and security questions. It does not believe that financial details such as bank account and credit card information were among the information compromised.
The breach is being investigated with law enforcement.
In a statement, Yahoo! has said: “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
The company is notifying users who may have been affected, advising anyone who has not changed their Yahoo password since 2014 to do so. It has also invalidated affected users’ security questions so that they cannot be used to access accounts. The statement added: “Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.”
Yahoo! users should also be very wary of any emails purporting to come from the company, particularly those prompting recipients to click on links, download attachments or provide personal information.
Get Safe Online CEO commented: “This latest hack of 500 million Yahoo! accounts goes to show yet again that big organisations are not immune from attacks by cyber criminals. What’s also worrying is that the security breach took place in 2014, meaning that customers could have had their sensitive details exposed for a long period of time.
“As the investigation into this latest attack is still unfolding, our advice is for all Yahoo users to change their account passwords immediately – making sure to use a combination of three random words with capital letters, symbols and numbers too. What’s more, we’d also advise people to change the security questions they get when forgetting their passwords, as answers to these may have been compromised as a result of this hack. It's also important for people to look at any other online accounts they currently have in order to ensure that no suspicious activity has been taking place – particularly those where they had the same login details, which is a practice we advise against. Although not directly linked to their Yahoo account, cyber criminals may have been able to gain access to personal information which could potentially help them unlock other online accounts. Finally, this presents fraudsters with an opportunity to capitalise on the hack by sending out 'phishing' emails claiming to be from Yahoo! but actually trying to get your confidential login or other details.”
In the meantime, Verizon – the company which in July agreed to acquire Yahoo!'s core business for $4.8 billion – has told the BBC that it only learned about the hack “within the last two days” – saying it has limited information on the incident.