
More than 500 million users caught up in Yahoo security breach: Four things you need to know

Dominic Powell

Businesses have been warned to up their security after tech giant Yahoo revealed it was subject to the second largest data breach ever reported.

Over 500 million accounts were compromised in the data breach, which happened in 2014, and the company is currently taking action to protect affected users.

Yahoo alerted users to the breach in a statement and recommended users update passwords and security questions.

As the full details of the breach are still emerging, here are four things to know.

1. Yahoo says it was performed by a "state-sponsored actor"

The breach occurred during 2014, and potential details first surfaced in August via a hacker known as "Peace", who at the time claimed there were 200 million users' credentials available. The hacker was attempting to sell them on data marketplace "The Real Deal", reported Vice, but it is not confirmed whether that breach is linked to this one.

Yahoo has since revealed it believes the hacker to be a "state-sponsored actor," and the company is "working closely with law enforcement on this matter". It has advised worried users it believes the hacker no longer has access to the company's servers.

Michael McKinnon, cyber security expert at Sense of Security, told SmartCompany cyber terrorism attacks are becoming more common.

"These big companies with millions of users, they have and always will be a target for these sorts of threats," McKinnon says.

"It's another example of a big company that has let us all down, and this just gives attackers extra leverage."

2. Security questions were revealed

Yahoo has stated the data breached includes "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt)".

However, a number of unencrypted security questions were released with the data, which is worrying news for all users affected. Security questions are used as a way of identifying users for password recovery, often featuring topics like the name of a first pet, or your mother's maiden name.

McKinnon says Yahoo users should definitely be concerned, as there is a "huge commonality" with security questions across different websites.

"Websites always ask the same questions, and these are things that are a part of your core online identity," McKinnon says.

"They're very difficult to change, and once they're known it's high value for hackers."

With the data included in the breach, it would be easy for a hacker to breach other accounts that use the same emails via password recovery systems. Yahoo has said it is taking steps to protect users with leaked security questions, saying it is "invalidating unencrypted security questions and answers so they cannot be used to access an account".

This is only a solution for Yahoo accounts, and for other accounts McKinnon says the best thing to do is to change your passwords and activate two-factor authentication. Two-factor authentication, offered by many major services, requires confirmation from a mobile phone or a separate email address before changes are made to a user's account.

Customers who use Yahoo's banking services should not be worried, as the company has stated "the ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information".

Stolen passwords are also unlikely to be cracked, due to the bcrypt hashing method used by the company.

A "hashed" password is one that has been stored using a hashing method rather than as readable text, as companies almost never store passwords in plain text. Hashing involves scrambling the password, which can only be unscrambled with a specific key.

The bcrypt method of hashing is "much more complex", says McKinnon, requiring significant computing power to crack.
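As an added illustration of why a hashed password with a work factor is expensive to crack (example code, not from the article, Yahoo or McKinnon): PBKDF2-HMAC from Python's standard library stands in for bcrypt, which needs a third-party package, and the stored-hash format, salt size and function names are assumptions of this example.

```python
"""Password hashing with a per-user salt and a tunable work factor.

Added example, not code from the article. PBKDF2-HMAC-SHA256 stands in
for bcrypt here; both combine a random salt with a cost parameter so that
every guess an attacker makes against a stolen hash costs real CPU time.
"""
import hashlib
import hmac
import os
import time
from typing import Optional


def hash_password(password: str, rounds: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' (assumed format).
    A fresh 16-byte random salt is generated unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; the stored
    value never has to be 'unscrambled', only recomputed and compared."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(rounds: int, guesses: int = 20) -> float:
    """Rough single-core guess rate at a given work factor: the cost an
    attacker pays per candidate password against a stolen hash."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return guesses / elapsed


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("password123", stored))  # False
    for r in (1, 1_000, 100_000):
        print(f"{r:>7} rounds: ~{guesses_per_second(r):,.0f} guesses/s")
```

Raising the rounds (or bcrypt's cost factor) slows legitimate logins by milliseconds but multiplies the attacker's cost per guess by the same factor, which is why leaked bcrypt hashes are far less useful than leaked plain-text security answers.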

3. It's unclear if it will affect the Verizon deal

Yahoo has been in negotiations with US telecommunications giant Verizon over a massive $US4.8 billion ($5 billion) deal, which was confirmed in July this year.

The data breach could mean bad news for the deal, but the anti-breach conditions for the purchase suggest Verizon would not be able to back out, reports Fortune.

Grounds on which the deal could be called off would be if the breach has caused damage to customer trust and usage for Yahoo, or if Yahoo knew about the breach while going ahead with the deal.

As the earliest reports of the breach occurred in August, weeks after the merger was agreed on, this seems unlikely. Verizon has said it will "evaluate as the investigation continues through the lens of overall Verizon interests".

4. It's one of the largest security breaches ever

With more than 500 million accounts compromised, it is likely this security breach is one of the largest ever seen. McKinnon says a Russian data breach in 2014 allegedly contained over 1 billion passwords, but it "wasn't taken very seriously".

"I certainly think this is one of the largest ever," McKinnon says.

In 2013, Adobe revealed 150 million users' data was breached, up from the 38 million it initially claimed.

Earlier this year, social media site MySpace revealed 427 million users' data was hacked and dumped online for anyone to access.

It is a timely reminder for users to update their passwords, and make them secure.

SmartCompany asked Yahoo how many Australian accounts were affected by the breach and was provided with this statement:

"We recently disclosed a theft of Yahoo user account information by what's believed to be a state-sponsored actor. For those user accounts potentially at risk, we are notifying them and prompting them to take remedial action.

"We're committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure. More information on our ongoing investigation and our efforts to secure our users will soon be available at https://yahoo.com/security-update."

This article was first published on SmartCompany.
