It’s been a few weeks coming, but Yahoo! has confirmed the breach of 500 million credentials.
Back in August, the hacker known as Peace, responsible for dumping hundreds of millions of MySpace, LinkedIn and other credentials online in recent months, claimed to have put up for sale 200 million Yahoo log-ins.
Yahoo said at the time that it was “aware” of the incident, although it didn’t initiate a user-wide password reset.
Now the online giant, which is in the process of being acquired by US telecoms behemoth Verizon, has confirmed the situation. The breach is larger than expected, and Yahoo said that the heist was carried out by a state-sponsored attacker.
It said in a statement that certain user account information was stolen from the company’s network in late 2014, including names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, it said.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” it said in its statement. “Yahoo is working closely with law enforcement on this matter.”
Certain details differ from the previous claim by Peace—those 200 million credentials were linked to an earlier breach, from 2012. Peace also has never been seen as a state-sponsored bad actor. For now, whether this 500-million cache is from an additional incident unrelated to Peace’s claims is unknown.
Security experts, who had been waiting all day to hear the company’s confirmation (some would say confession), were quick to pounce on what they perceive to be the company’s irresponsibility.
“One of the more egregious errors in this disclosure was the fact that date of birth (DOB) information was exposed,” Todd Feinman, founder of Spirion, said via email. “Companies like Yahoo have an obligation to their customers to protect their privacy and classify personally identifiable information. DOBs are a perfect example of data that should be classified and protected so that, in the event of a data breach, personally identifiable information (PII) is not exposed.”
A DOB can be used in conjunction with other data to steal an identity or compromise the victim in other ways. It is sometimes used as secondary validation, and Feinman said it “should be classified as confidential and kept encrypted just like social security numbers and health record numbers.”
Jason Hart, the CTO of Data Protection at Gemalto, noted that the month-plus it has taken Yahoo to fess up is also an issue.
“While it is worrying that Yahoo has been breached, what’s more concerning is that it has taken over a month to confirm, especially when consumers’ personal information is at risk,” he said. “The good news is the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted—but these records could be easily decrypted if the company did not implement properly managed encryption keys. What’s more, Yahoo certainly could have done more to prevent the breach in the first place by implementing two-factor authentication internally, which can protect employees from a spear-phishing attack.”