Security & Fraud

Updated: Yahoo’s Massive Breach Reportedly Affects 500M Users – Largest Data Breach In History


Update: Yahoo is confirming it has been the victim of a massive data breach – reportedly over 500 million Yahoo accounts have been compromised by hackers, according to emerging reports.

If that 500 million number holds up, Yahoo will have been the victim of the largest data breach in U.S. history. At this time Yahoo is reporting that the breach comes care of a “state sponsor,” though it has not named the state or said what evidence points to that conclusion.

Yahoo has confirmed that a copy of certain user account information—including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers—was stolen from the company’s network in late 2014. The firm has also confirmed that affected users have been notified that they should change their passwords, preferably two years ago if they have a time machine on hand.

Yahoo’s current investigation with law enforcement indicates no payments data, bank account information or unprotected passwords were stolen.

At 500 million user accounts affected, this adds up to the largest-ever publicly disclosed data breach, according to Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse, a not-for-profit group that compiles information on data breaches.


Verizon Communications Inc. in July agreed to buy Yahoo’s Web assets for $4.83 billion in cash, ending a drawn-out process of trying to split the beleaguered internet company from its lucrative stake in Alibaba Group Holding Ltd.

Verizon confirmed that it had been notified of Yahoo’s security incident within the last two days but has “limited information and understanding of the impact.”

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.

Yahoo did announce over the summer that it was investigating a possible data breach wherein hackers claimed to have accessed 200 million Yahoo user accounts that they were selling online.

“It’s as bad as that,” one source told re/code. “Worse, really.”

Much worse, apparently.

If the scale of liability is large enough, it could be a costly problem for Yahoo’s new owners — and the firm’s shareholders are likely to worry that it could lead to an adjustment in the price of the transaction. As of now the deal is moving forward as it goes through a variety of regulatory clearances. The deal must also pass final muster with Yahoo’s shareholders. Representatives of both firms have recently begun meeting to review the Yahoo business and to make sure the transition runs smoothly.

We’re sure those meetings will be delightfully fun this week.

If this is the same hack that was reported over the summer, the actor behind the mayhem is an infamous cybercriminal named “Peace.” Peace was, by his own admission, selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The data allegedly included user names, easily decrypted passwords, personal information like birth dates and other email addresses. At the time (in August 2016) Yahoo noted being “aware of the claim,” but did not confirm or deny it.

At the time Yahoo did not issue a password reset recommendation.

If this hack is what it seems to be, it will be a depressing coda on CEO Marissa Mayer’s run at the head of Yahoo. Though brought in to turn the firm around, Mayer was unable to find traction for a reset, refocused Yahoo — which eventually precipitated the sale.

