Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Yahoo Confirms Massive Data Breach of 500 Million Accounts

Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.

Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.

The company said hackers breached its network in late 2014 in what it believes was a state-sponsored attack.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo! said in its security notice.

In early August, a hacker claimed to possess 200 million Yahoo user accounts that he offered for sale on a dark web cybercrime marketplace for a just few Bitcoins.

The hacker, known online as “Peace” and “peace_of_mind” was selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.

Yahoo! is asking potentially affected users to change their passwords and adopt alternate means of account verification as soon as possible.

Unencrypted security questions and answers were also invalidated so they cannot be used to access a Yahoo! account.

Users who haven’t changed their passwords since 2014 should do so, Yahoo said.

Advertisement. Scroll to continue reading.

The company also encouraged users to consider using Yahoo Account Key, which that eliminates the need to use a password completely.

The public disclosure of the breach comes shortly after Verizon agreed to acquired Yahoo’s core business for $4.8 billion.

“The Verizon purchase apparently comes with some ‘baggage’. The likelihood of this beach affecting the purchase is however, quite small,” Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, told SecurityWeek.

Yahoo! previously confirmed suffering another breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo! Contributor Network. 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.