Earlier today we reported that based on a ReCode announcement, some 200
million Yahoo user accounts (yes, apparently Yahoo has that many users)
may have been hacked. Moments ago, Yahoo confirmed the report, only it
increased the total from 200 to 500 million, and- in keeping with all the
recent Democratic Party hacks - blamed a "state-sponsored actor." Which is
ironic because as we said this morning, "the latest massive data breach
may or may not be blamed on Putin." It looks like it just was.
Here is the official announcement:
Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user
account information was not secured and stolen from the company's network
in late 2014 by what it believes is a state-sponsored actor. The account
information may have included names, email addresses, telephone numbers,
dates of birth, hashed passwords (the vast majority with bcrypt) and, in
some cases, encrypted or unencrypted security questions and answers. The
ongoing investigation suggests that stolen information did not include
unprotected passwords, payment card data, or bank account information;
payment card data and bank account information are not stored in the
system that the investigation has found to be affected. Based on the
ongoing investigation, Yahoo believes that information associated with at
least 500 million user accounts was stolen and the investigation has found
no evidence that the state-sponsored actor is currently in Yahoo's
network. Yahoo is working closely with law enforcement on this matter.
Yahoo is notifying potentially affected users and has taken steps to
secure their accounts. These steps include invalidating unencrypted
security questions and answers so that they cannot be used to access an
account and asking potentially affected users to change their passwords.
Yahoo is also recommending that users who haven't changed their passwords
since 2014 do so.
Yahoo encourages users to review their online accounts for suspicious
activity and to change their password and security questions and answers
for any other accounts on which they use the same or similar information
used for their Yahoo account. The company further recommends that users
avoid clicking on links or downloading attachments from suspicious emails
and that they be cautious of unsolicited communications that ask for
personal information. Additionally, Yahoo asks users to consider using
Yahoo Account Key, a simple authentication tool that eliminates the need
to use a password altogether.
Online intrusions and thefts by state-sponsored actors have become
increasingly common across the technology industry. Yahoo and other
companies have launched programs to detect and notify users when a company
strongly suspects that a state-sponsored actor has targeted an account.
Since the inception of Yahoo's program in December 2015, independent of
the recent investigation, approximately 10,000 users have received such a
Additional information will be available on the Yahoo Security Issue
FAQs page, https://yahoo.com/security-update, beginning at 11:30 am
Pacific Daylight Time (PDT) on September 22, 2016.
So much for using secure 9-character or more long passwords including
capital letters, special characters and numbers. What is more ironic is
that Verizon is paying $4.8 billion for the only asset that Yahoo has, or
rather had, its user information, which is now publicly available for
$1800 on the dark web.
Located: 2803 Troy Road in Springfield Ohio.
Tel: (937) 718-3586