Yahoo revealed that one billion of its user accounts were hacked in August of 2013. The breach was announced on December 14, 2016, and follows an earlier announcement from Yahoo that 500 million of its user accounts were breached in a data theft in 2014.
Bob Lord, Yahoo’s Chief Information Security Officer (CISO), admitted that they didn’t know how one billion of its accounts were hacked. He did say that the stolen data could have included email addresses, names, dates of birth, phone numbers, and hashed passwords (using MD5). Stolen data could have also included encrypted and non-encrypted security questions and answers.
Law enforcement alerted Yahoo about this breach and provided the data files. Yahoo, along with outside forensic experts, examined the data, which was found not to include plaintext passwords or payment details. However, the MD5 hashing algorithm is no longer considered secure for storing passwords. MD5 hashes of common passwords can be searched for in publicly available lookup tables, which return the original passwords. Yahoo stated that they alerted all account holders who were affected, and said that they will be required to change their passwords.
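To illustrate why unsalted MD5 is a weak way to store passwords, here is an added example (not Yahoo's code and not from the original article) that compares it with a salted, deliberately slow key-derivation function. The account names, passwords, wordlist and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def md5_hex(password: str) -> str:
    """Legacy scheme: unsalted MD5, so equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_table(candidates):
    """Digest -> password map; built once, it applies to any unsalted MD5 dump."""
    return {md5_hex(p): p for p in candidates}


def kdf_record(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_legacy_md5(stored: str) -> bool:
    """True for a bare 32-hex-character digest that should be rehashed at next login."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    users = {"alice": "password", "bob": "password", "carol": "T7#long-unique-phrase"}
    table = lookup_table(["123456", "password", "qwerty"])  # tiny constructed wordlist
    for name, pw in users.items():
        legacy = md5_hex(pw)
        print(name, legacy, "->", table.get(legacy, "not in table"), "| legacy:", is_legacy_md5(legacy))
    a, b = kdf_record("password"), kdf_record("password")
    print("salted records differ:", a != b, "| verifies:", kdf_verify("password", a))
```

With MD5, the two accounts sharing a password store the same digest and a single table entry exposes both; with a per-account salt the stored records differ, and the work factor makes every guess expensive.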
How Did This Happen?
Facebook and Google have remained tight with their security, while Yahoo has played it a bit loose. Yahoo’s security team disagreed with the execs, including Marissa Mayer, the chief executive, about tightening up Yahoo’s security. They reportedly argued about the inconvenience to users and how much proposed security measures would cost.
It’s unsettling that all of these breaches and hacks happened years ago, and nothing was done to improve security for Yahoo’s users. They weren’t even aware of the one billion accounts being hacked until law enforcement discovered the breaches and provided the data.
According to Lord, they believe that the hackers stole Yahoo’s proprietary source code, and that is how they were able to access user accounts without passwords. It’s believed that the hackers created forged cookies not only to gain access to the accounts but also to perform actions on the hacked accounts.
Yahoo hesitated to implement stronger security measures, even after a breach of 450 thousand accounts in 2012 and spam attacks in 2013 in which mass mailings of unwanted messages were sent.
What Will Happen with the Yahoo and Verizon Deal?
In July, Yahoo agreed to sell its core business to Verizon for $4.8 billion. But with this new knowledge of security problems, Verizon may seek to renegotiate the deal, since these breaches were not disclosed during the initial negotiations, and Verizon may even walk away from the deal altogether.
Yahoo and Verizon have moved the deal, if it still goes through, to the second quarter of 2017, rather than the first. Yahoo has released its earnings statement for the fourth quarter of 2016, and the results were better than expected: a 15% increase in revenue over the same period the year before. That’s incredible, considering the security breaches were made public in September of 2016.
Protect Your Information
- Change your passwords every 30 days.
- Use a secure password that includes at least one capital letter, number, and special character.
- Do not use personal information in your passwords (pet names, birthdates, street names, etc.).
- Avoid using the same password for other accounts.
- Use a two-step authentication process whenever possible (password and mobile number, for example).
Be aware of attempts to get your personal information. Morey Haber, VP of Technology at BeyondTrust, warns that some Facebook posts, for instance, try to get you to give the names of your pets and the streets you lived on. See the third tip above.
Yahoo has encouraged users to change their passwords to their Yahoo accounts, including any other accounts linked to Yahoo.
Users should also change any other passwords, especially if they are similar to what they used on their Yahoo accounts. Yahoo users should also use the Yahoo Account Key, an authorization tool that verifies a user’s identity with their mobile phone. A password isn’t needed with this tool.
Have you ever had your information stolen? Tell us about it in the comment section below.