Yahoo says it was hacked; ‘state-sponsored actor’ stole 500 million accounts



The Internet giant Yahoo confirmed on Thursday that a “state-sponsored actor” stole 500 million user accounts from its servers in a breach that took place in late 2014.

The stolen data includes names, emails, phone numbers, dates of birth, passwords and security questions with corresponding answers.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.

Yahoo is asking users to change their security questions and passwords and to keep an eye out for any unusual or suspicious activity on their accounts.

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information.

Financial data was not stored in the affected parts of the system.

Earlier today, Yahoo said it would address the issue of a data breach that took place a couple of years ago and the impression was that the company would be acknowledging the 2012 breach.

It was revealed on 1st August 2016 that data from 200 million Yahoo users was being sold on the darknet. However, it now turns out the breach was massive.

In fact, it looks to be one of the largest data breaches the world has ever seen.

The hacker Peace_of_Mind is currently selling 200 million Yahoo accounts on the dark web, and we may soon see the 500 million accounts come up for sale as well.

Peace_of_Mind is the same person who previously sold legitimate data from high-profile databases such as those of LinkedIn, MySpace, Fling, and

The confirmation of the breach came at the wrong time.

On July 25, 2016, Verizon Communications Inc agreed to purchase Yahoo!’s operating business for $4.83 billion.

At this time, Yahoo is working with law enforcement authorities and is urging users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.

This is bad news for both Yahoo and Verizon; one can only hope the damage will not be as great as expected.

Tony Gauda, CEO of San Antonio, TX-based security company ThinAir, said the stolen data is damaging not only for Yahoo but also for its users, as cyber criminals can now conduct large-scale spear phishing and cyber espionage campaigns.

He said: “The breach at Yahoo couldn’t come at a worse time for the company.

According to their estimates, the attack affected at least 500 million users, which isn’t great news when you’re being assessed for acquisition.

But the damage won’t just affect Yahoo’s eventual sale price.

Attackers made away with 500 million telephone numbers, emails, birthdates and even security questions and answers.

In terms of data, this is enough ammunition to conduct highly targeted spear phishing campaigns for years to come.

Consumers are naturally wary of unsolicited calls, but when the caller knows your date of birth, and possibly the name of your first pet, the success of this form of scam increases dramatically.

All in all, this breach underscores just how valuable data is.

Whether it’s a telephone number, an email address or credit card information, organizations need to do a better job of deploying security solutions that can assure data remains secure regardless of whether it has been exfiltrated from the network.”

According to Vishal Gupta, CEO of Seclore, a Mumbai-based security software company, Yahoo’s data breach is devastating, especially with the US presidential elections just two months away.

He said: “The fact that the Yahoo breach is being tied to state-sponsored actors is extremely alarming. With the potential to be the largest breach in history (at 500 million users affected), the fallout from this attack could be devastating. For example, this nation now has access to 500 million phone numbers.

With talk of Russian attempts to influence the election, it isn’t difficult to imagine how access to the contact information and personal details, of that many potential votes, could be used maliciously.

Imagine getting a call from a presidential campaign, except the information being shared by the caller isn’t factual, and is actually intended to sway you towards a different candidate.

We haven’t seen this sort of activity yet, but it’s within the realm of possibility. Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes.”

