“Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.
The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.
Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.
The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.
Yahoo is working with law enforcement to learn more about the breach.
“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”
A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace.
Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.
“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”
U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”
“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.
Here are steps to take to secure your online accounts.
Change passwords often
Yahoo is asking anyone who hasn’t changed their password since 2014 to update it. This is good advice for everyone: Passwords should be changed often. You won’t always get a timely notice from a company that an account was compromised — and sometimes it might not even know about a hack until much later. In this case, it took two years for the company to confirm the breach.
Never use the same password twice
Never use the same password twice. If hackers get the password for one of your online accounts, they can try to use it to access your other accounts that take the same credentials.
Pick better passwords
Consider using a phrase instead of single words that are more easily guessed. Don’t go for common phrases like cliches: Pick a combination of words that don’t go together — i.e. rather than “herecomesthesun,” go for something like “wombatbootsparade”.
Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and characters.
Update those security questions
If you forget a password, using security questions is an easy way to gain access back into your own account — its not like you’ll ever forget your mom’s maiden name. But some Yahoo security answers and questions were a part of the breach. The company has already disabled any unencrypted security answers on its accounts.
If you frequently use the same security questions and answers for other online accounts, you’ll want to change those, as well. Attackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information.
Avoid choosing the obvious questions and don’t provide answers that are easy to find online through Google searches, social media sites or old Live Journal entries.
The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity. Although it doesn’t say what to look for, start by checking outgoing emails.
Be extra careful about clicking on links or opening downloads from unknown email addresses. If anyone emails asking for your password, it’s a red flag — even if it looks like it’s coming from a legitimate place like Yahoo or a bank. Never share any account information or passwords over email.”