Foreign hackers, suspected to be agents of a hostile foreign government, have stolen sensitive information from at least 500 million Yahoo accounts, the company announced Thursday.
It was the biggest cyber theft in history — and it took YEARS before the company disclosed the breach.
What should users do?
“First and foremost, you’ll want to change your password immediately. All Yahoo account holders should also change their security questions and answers,” CNN Money advises. “If your account is one Yahoo suspects was compromised, you’ll be prompted to enter a new password as soon as you log on. If you used the same password on other accounts, change those, too.
The startling security breakdown certainly magnifies the tech company’s preexisting problems – specifically, that it is losing users, traffic and the advertising revenue that follows both, to rivals such as Google and Facebook.
Some snarky online commentators quipped that the hack would have been far more devastating if people actually still used the company’s services. While there’s some truth to that observation, millions around the world still rely on Yahoo mail and other services, and are now potentially at risk of identity theft or worse.
And if these people give up on Yahoo as a result, the consequences for the company itself – now scheduled to become part of Verizon as soon as its $4.8 billion deal closes – could also be dire. “Yahoo may very well be facing an existential crisis,” said Corey Williams, senior director of products and marketing at the computer security firm Centrify.
Yahoo was already facing a steep decline in email traffic, despite CEO Marissa Mayer’s efforts to upgrade the service in order to foster more user loyalty. In July, 161 million people worldwide used Yahoo email on personal computers, a 30 percent decline from the same time in 2014, when the breach first occurred. That’s according to the latest data from the research firm comScore. By contrast, Google’s rival Gmail service saw desktop users rise 9 percent to nearly 429 million over the same period.
The email breach raises questions about Yahoo’s ability to maintain secure and effective services, particularly since it’s been laying off staff and trimming expenses to counter a steep drop in revenue over the past eight years.
At the time of the break-in, Yahoo’s security team was led by Alex Stamos, a respected industry executive who left last year to take a similar job at Facebook.
Yahoo didn’t explain what took so long to uncover a heist that it blamed on a “state-sponsored actor” – parlance for a hacker working on behalf of a foreign government.
The Sunnyvale, California, company declined to explain how it reached its conclusions about the attack for security reasons, but said it is working with the FBI and other law enforcement. Yahoo began investigating a possible breach in July, around the time the tech site Motherboard reported that a hacker who uses the name “Peace” was trying to sell account information belonging to 200 million Yahoo users.
Yahoo didn’t find evidence of that reported hack, but additional digging later uncovered a far larger, allegedly state-sponsored attack.
“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said in a Thursday statement.
The Yahoo theft represents the most accounts ever stolen from a single email provider, according to computer security analyst Avivah Litan with the technology research firm Gartner Inc.
“It’s a shocking number,” Litan said. “This is a pretty big deal that is probably going to cost them tens of millions of dollars. Regulators and lawyers are going to have a field day with this one.”
Yahoo says it has more than 1 billion monthly users, although it hasn’t disclosed how many of those people have email accounts.
The data stolen from Yahoo includes users’ names, email addresses, telephone numbers, birth dates, scrambled passwords, and the security questions – and answers – used to verify an accountholder’s identity. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.
Security experts say the Yahoo theft could hurt the affected users if their personal information is mined to break into other online services or used for identity theft. All affected users will be notified about the theft and advised how to protect themselves, according to the company.
Yahoo also is recommending that all users change their passwords if they haven’t done so since 2014. If the same password is used to access other sites, it should be changed too, as should any security questions similar to those used on Yahoo.
News of the security lapse could cause some people to have second thoughts about relying on Yahoo’s services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon.
That deal, announced two months ago, isn’t supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo’s business. That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.
Verizon said it still doesn’t know enough about the Yahoo break-in to assess the potential consequences. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said in a statement.
At the very least, Verizon is going to need more time to assess what it will be getting into if it proceeds with its plans to take over Yahoo, said Scott Vernick, an attorney specializing in data security for the law firm Fox Rothschild.
“This is going to slow things down. There is going to be a lot of blood, sweat and tears shed on this” Vernick said. “A buyer needs to understand the cybersecurity strengths and weaknesses of its target these days.”
The Associated Press contributed to this article.
This hack is un acceptable. To have trust in a co. As large as yahoo for security an then loose your identity to who knows who should be a federal offense.
Yahoo has become the email of choice for spammers. Anything coming from yahoo.com goes straight into my Junk Folder, so far nothing I want has appeared in my junk folder.
Would have dumped them before today had I known they were getting ready to jump in bed with that sorry-ass Verizon company.
I will bet any think you want to that Obama knows something about this. He probably paid somebody to do it! This was going to get “his footin the door” at the UN for them to get control of Internet !
If someone had their account hacked in 2014 I find it hard to believe they have discovered it before now. It may be that someone stole access to a lot of inactive accounts full of junk mail. I have several Yahoo accounts and have not used them for years. They were used to access their forums and contained no information of value. The joke may end up being on the hacker.
When i found out about this hack, i was pissed. Why did they wait so long to reveal this to the public ? All of my MAIL: is through Yahoo, and i know that they have been having technical problems, but waiting for so long to notify the public is unacceptable.