Yahoo confirmed on Thursday that account information for more than 500 million Yahoo users was stolen in a 2014 data breach of epic proportions.
The information may have included names, email addresses, telephone numbers, birth dates, encrypted passwords, and security questions and answers, the company said in a Tumblr post. Yahoo said it is notifying users who may have been affected and asking them to “promptly” change their passwords, among other steps to protect themselves.
That’s sound advice: Changing passwords as soon as you’re aware of a breach is always advisable. Yahoo users should immediately change not only their Yahoo passwords, if they haven’t already done so in the past year or two, but their passwords on any other site where they used the same credentials they were using on Yahoo in 2014. They should also be on guard for spam emails that could include malware, scams, or phishing attempts.
The urgency feels a bit awkward, however, coming from a company that apparently required almost two years to discover, confirm, and notify its users of the breach. Reports of the hack first surfaced on Aug. 1, when a hacker known as Peace began publicly selling alleged Yahoo user credentials online. (Peace told Vice’s Motherboard blog he or she had been trading them privately for some time before that.) Yahoo said at the time that it was “aware of the claim” and its security team was “working to determine the facts.”
That means users’ credentials were out in the open for nearly two months before Yahoo confirmed the breach and notified them. Verizon, which is in the process of acquiring the long-troubled internet giant for $4.8 billion, said in a statement Thursday that it was only notified of the issue by Yahoo “within the last two days.”
Yahoo said in its Tumblr post that it believes the information was stolen by “a state-sponsored actor,” but it did not get more specific. In a June interview with Wired, Peace identified himself or herself as a former member of a team of Russian hackers who had breached and sold credentials from several major online services between 2012 and 2013.
How bad is the news for those whose information was stolen? It’s not great, but it also doesn’t necessarily mean someone’s out there running up charges on your credit card.
Peace told Wired in June that the information from the breaches—which presumably included the Yahoo hack, although that had not been disclosed yet—was being used primarily “for spamming,” i.e., sending spam to the people whose information was stolen. But since such information is often passed around widely among criminal hackers, it’s always possible it could be used for more nefarious purposes. The good news is that Yahoo says the passwords were hashed, meaning that they’re useless unless someone can crack them. Yahoo adds that its ongoing investigation suggests the breach “did not include unprotected passwords, payment card data, or bank account information,” and that there’s no evidence the hackers still have access to Yahoo’s system.
The company’s full post is here.