Yahoo! has confirmed that details of over 500 million of its users' accounts were stolen by what it believes was a state-sponsored attack. The account information may have included names, email addresses, phone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Yahoo said it does not believe any credit card or other payment details were taken, as this is not stored in the same system found to be hacked. The company added that it looks as if the hacker is no longer in its network, and it's working closely with law enforcement authorities on the investigation.
Affected users will be notified and steps taken to secure their accounts. These include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
The company began investigating after reports in July of a hacker claiming to have hundreds of millions of stolen log-ins for sale on the black market, a person familiar with Yahoo’s probe told Bloomberg. This was part of a wider cache thought to include also details on Gmail and other accounts. While the initial investigation did not yield results, Yahoo decided to conduct a deeper, separate investigation. This uncovered the larger breach, and the company subsequently notified Verizon this week. It is unclear what the impact of the attack will be on Yahoo's proposed takeover by Verizon.
