In July, news started to break about a massive Yahoo Inc data breach. It has taken some time, but the Yahoo Inc data breach has now been confirmed. And it was huge.
The Yahoo Inc data breach beats the massive cyberattack on Heartland Payment Systems in 2009 (130 million records), the LinkedIn cyberattack discovered this summer (117 million records), and the 2011 Sony data breach (100 million records). In fact, the Yahoo Inc data breach is the largest ever reported. More records were stolen in the cyberattack than those three breaches combined. More than 500 million accounts were compromised, according to Yahoo.
Yahoo Inc Data Breach Worse than Initially Thought
The Yahoo Inc data breach came to light when a hacker added a listing to the Darknet marketplace, theRealDeal. The credentials of 280 million account holders were offered for sale by a hacker called ‘Peace’. To anyone who follows Internet security news, the name of the hacker selling the data should be familiar. Peace recently listed the data from the LinkedIn hack for sale.
The 280 million Yahoo records were listed for a paltry $1,800. That payment would buy a cybercriminal names, usernames, easily crackable passwords, backup email addresses, and dates of birth. While the data were listed for sale 2 months ago, Yahoo has only just announced the breach.
After being alerted to the listing, Yahoo initiated an internal investigation. The investigation allegedly did not uncover any evidence to suggest that the claims made by “Peace” were genuine. However, the internal investigation did reveal that someone else had hacked Yahoo’s systems. Yahoo claims the hack was performed by a state-sponsored hacker.
Yahoo issued a statement saying “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.” While that is undoubtedly good news, the bad news is that access is no longer required because user’s data have already been stolen.
The stolen data include names, email addresses, dates of birth, telephone numbers, security questions and answers, and hashed passwords. According to Yahoo, users’ bank account information and payment card details do not appear to have been stolen. Those credentials were stored in a separate system.
What is most concerning about the Yahoo Inc data breach is not the fact that its systems were compromised, but how it has taken so long for Yahoo to discover the cyberattack. The breach did not occur over the summer. The hack took place in 2014.
The results of the Yahoo Inc data breach investigation will have come as a nasty shock to Verizon. The company agreed to buy Yahoo’s core web business, including Yahoo email, in the summer for $4.8bn. It is possible that Verizon may now be having second thoughts about that deal. Whether the hack will have an impact on the purchase remains to be seen, but for Yahoo the timing could not be much worse.
Yahoo Account Holders Advised to Change Passwords and Security Q&As
Yahoo account holders are unlikely to be concerned about any potential sale of their email accounts to Verizon. They will however be concerned about the sale of their credentials to cybercriminal gangs. Even if the data that were listed for sale by Peace are not genuine, someone somewhere does have their data. Most likely, their data are in the hands of multiple criminals. Those data can – and will – be used in a variety of malicious ways.
Yahoo has now placed a notice on its website alerting users to the breach of their data. Yahoo has also sent out emails to affected users urging them to login to their accounts and change their passwords and security questions. The old security questions and answers have now been invalidated and Yahoo has told users to check their accounts for any suspicious activity, albeit out of “an abundance of caution”.
Fortunately for account holders, the majority of passwords were encrypted with bcrypt – a relatively secure form of encryption. However, that does not mean that the passwords cannot be cracked nor that email account holders are not at risk as a result of the Yahoo Inc data breach.
Yahoo Users at Risk of Phishing Attacks
Cybercriminals may not be able to crack the passwords and gain access to user accounts, but they have all the data they need to conduct phishing campaigns.
Yahoo has already emailed users alerting them to the breach, but the emails contained links that can be used to change passwords and security questions. Any cybercriminal in possession of the stolen data is likely to copy the official emails sent by Yahoo. However, instead of links to Yahoo’s website, the emails will contain links to phishing sites.
Those sites are likely to look exactly the same as the official Yahoo site. However, any user entering a new password or security question, would simply be disclosing that information to the attacker. Emails are also likely to be sent that direct users to websites containing exploit kits. Clicking the links will result in malware and ransomware downloads.
If the criminals behind the attack – or those in possession of the data – do manage to crack the passwords, it is not only Yahoo email accounts that could be compromised. Any individual who has used the same password on other websites faces a high risk of other accounts being compromised. Bank accounts, social media accounts, other email accounts, E-bay and Amazon.com accounts could all be at risk.
The data could also be used for social engineering scams, via email or telephone. Criminals will be looking to obtain the extra data they need to commit identity theft and other types of fraud.
How to Minimize Risk and Protect Yourself
- Never click on any links contained in emails. Even if an email looks official and contains a link to help.yahoo.com or login.yahoo.com, do not click on the links. Instead, login to your account in the usual way by entering the web address directly into your browser and change your password and security questions.
- Use a strong password containing letters (capitals, and lower case), numbers, and special characters.
- If you have used the same password for multiple websites, change those passwords immediately. Each website requires a different password. Use a password manager – either a free or paid service – to remember all your passwords.
- Use Yahoo Account Key, which will eliminate the need for a password altogether
- Never respond to any email request for personal information
- Never open any attachments sent via email unless you are certain of their genuineness