YAHOO! today confirmed that the personal details of ‘up to 500 million users’ may have been stolen, back in 2014, in a data breach that Yahoo believes was initiated by a “state-sponsored actor”.
That’s a stunning data breach, potentially compromising one in fifteen people worldwide.
Rumours of the breach started back in August when a hacker called ‘Peace’ claimed to be selling data from 200 million Yahoo clients.
At that time Yahoo dismissed the claims, saying that the data probably related to a 2012 data breach when a mere 400,000 of its user accounts were compromised.
In 2012 Yahoo said “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.”
The timing of the announcement of this breach couldn’t be worse for Yahoo!, as they negotiate the sale of their core business to Verizon for $4.8 billion.
Nordic cybersecurity expert Per Thorsheim – who broke the news of the 2012 LinkedIn data breach – described the latest Yahoo! data breach as “massive” adding “It will cause ripples online for years to come.”
Perhaps more telling are the comments from U.S. Senator Richard Blumenthal who is calling for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”
Senator Blumenthal said in a statement “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.”
Yahoo! were at pains to point out that no payment card data was compromised in the hack, but as we reported earlier this year, the stolen data – names, email addresses, telephone numbers, dates of birth, security questions and answers, and (encrypted) passwords – can be used to ‘pad’ fake online identities and facilitate identity theft.
Obviously, if you have a Yahoo! account, it would be wise to change your password, along with the password on any other account where you re-use it.
Better still not to re-use passwords at all, but with so many sites and so many passwords, that’s not as easy as it sounds.
And, of course, if you own a public-facing site, make sure you’re not exposing personal data to the bad guys.
We can help; get in touch.