Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing a wide swath of its roughly 1 billion users ahead of Verizon Communications Inc.'s planned acquisition of the web portal's assets.
The attacker was a state-sponsored actor, and the stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn't indicate theft of payment card data or bank account information, or of unprotected passwords, the company said. Affected users are being notified, accounts are being secured, and there's no evidence the attacker is still in the network, Yahoo also said.
Yahoo is working closely with law enforcement on this matter, the company said in the statement. Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.
The disclosure of the data theft arrives at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo's e-mail service in the past, needs to keep users logging in to drive traffic and display the advertising that fuels the company's revenue growth, which has been sluggish under her leadership.
The company began investigating after receiving a report in July of a hacker claiming to have hundreds of millions of stolen Yahoo log-ins for sale on the black market, according to a person familiar with Yahoo's probe. Researchers couldn't find evidence backing up those claims. However, the person said Yahoo decided to conduct a deeper, separate investigation that uncovered the larger breach, and apprised Verizon this week. The person asked for anonymity to discuss internal findings.
Two other people familiar with the Yahoo investigation said the link to a nation state is not iron-clad. And Yahoo has yet to disclose the evidence on which it is basing the link to a nation state.
Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives. As Bloomberg News previously reported, senior leaders at JPMorgan Chase & Co. lobbied the White House and various federal agencies to attribute a hacking attack against the bank in 2014 to Russian sponsorship, but the FBI disagreed, and later filed criminal charges connecting the breach to a stock pump-and-dump scheme, although there remained debate in the intelligence community about a possible government link.
Verizon was notified of the incident within the last two days, the company said in an e-mailed statement.
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said in an e-mail. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
The confirmation that accounts were compromised arrived nearly two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker, who previously sold data taken from LinkedIn and MySpace, posted data from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, quoting the hacker, who uses the name Peace.
“All of this compromised information is very useful for offenders in order to hijack user identities and use them for fraudulent intents,” said Avivah Litan, an analyst with Gartner. “Identity impersonation has become a global criminal epidemic and there are no simple solutions.”
Yahoo is encouraging users to review their accounts for suspicious activity and to change their password and security questions — along with the answers for other online accounts where they use the same or similar information. The company also recommends users avoid clicking on links or downloading attachments from suspicious e-mails.
Many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 suggested much of the information was obsolete, made up, or useless because the hackers had already attacked the legitimate accounts and exhausted their use for the material.
While the breach is a blow to Yahoo, more broadly it underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing, or with them merely taking minimal action based on whatever data hackers tell them was taken.
LinkedIn said in May it was investigating whether a breach of more than 6 million users' passwords in 2012 was bigger than originally thought, following a hacker's attempt to sell what was purported to be login credentials for 117 million accounts. LinkedIn said it appeared more data was taken in the initial attack and that the company was only learning about the larger quantity through the hacker's posting.
Like many internet companies that have been breached, LinkedIn only reset the passwords of everyone it believed was affected by the breach at the time, which amounted to 6.5 million users.
Read more: www.bloomberg.com