
Detailed personal information stolen in attack that took place in 2014; buyer Verizon informed just this week.

Yahoo has confirmed that a suspected state-sponsored cyberattack has compromised the personal information of up to 500 million users.

In a statement on Thursday, the Internet company said the attack took place in late 2014, and accessed information including names, email addresses, phone numbers, dates of birth, encrypted passwords, and in some cases, encrypted or unencrypted security questions and answers.

As far as Yahoo can ascertain, the attackers did not steal unprotected passwords, payment card or bank account information, because this information is stored on a separate system from the one that was compromised.

"Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords," said Yahoo. "Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so."

Verizon, which in July agreed a $4.83 billion deal to acquire Yahoo’s core assets, was only told about 2014’s massive cyberattack earlier this week.

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," said the U.S. telco, in a statement. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."

Reports in August alleged that the personal information of as many as 200 million Yahoo users was put up for sale on the dark Web. It would appear that 200 million was a conservative estimate.

"What is shocking is the date, 2014," said professor Mark Skilton, a cyber security expert at Warwick Business School.

"The lateness of the attack discovery, a whole two years, and the indication that it was a government state-sponsored attack suggests both a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo’s internal security practice," he said.

As well as denting Yahoo’s reputation, the attack could also lead to legal action by compromised users, Skilton said.

"This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo," he suggested.

Yahoo said it is working closely with law enforcement on the matter.
