Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Yahoo Confirms Massive Data Breach of 500 Million Accounts

Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.

Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.

The company said hackers breached its network in late 2014 in what it believes was a state-sponsored attack.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo! said in its security notice.

In early August, a hacker claimed to possess 200 million Yahoo user accounts that he offered for sale on a dark web cybercrime marketplace for a just few Bitcoins.

The hacker, known online as “Peace” and “peace_of_mind” was selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.

Yahoo! is asking potentially affected users to change their passwords and adopt alternate means of account verification as soon as possible.

Unencrypted security questions and answers were also invalidated so they cannot be used to access a Yahoo! account.

Advertisement. Scroll to continue reading.

Users who haven’t changed their passwords since 2014 should do so, Yahoo said.

The company also encouraged users to consider using Yahoo Account Key, which that eliminates the need to use a password completely.

The public disclosure of the breach comes shortly after Verizon agreed to acquired Yahoo’s core business for $4.8 billion.

“The Verizon purchase apparently comes with some ‘baggage’. The likelihood of this beach affecting the purchase is however, quite small,” Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, told SecurityWeek.

Yahoo! previously confirmed suffering another breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo! Contributor Network. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...