Yahoo confirms it lost 500m account details in “state-sponsored” attack
Yahoo has confirmed it has been hit by what might be the biggest data breach in history with details of more than 500 million accounts stolen.
According to the company, the breach took place in late 2014 and was carried out by “a state-sponsored actor” – a phrase used to refer to security services or military operations. Yahoo gave no indication of which state might have committed the hack.
The hack comes at an awkward time for Yahoo, which is selling much of its business – including customer data – to Verizon as part of a $4.8 billion deal.
In August, a hacker named “Peace” offered millions of purported user accounts from Yahoo for sale. Nikki Parker, vice president at security firm Covata, criticised Yahoo’s security measures. “In this case, last month, the hacker claimed that the data was hashed with an MD5 algorithm, coding that simply isn’t robust enough to secure data,” Parker said in a statement. “You’d hope that Yahoo would’ve since thought about adopting more advanced encryption technology that secures data in individual pieces rather than in large sets, as well as empowering it to rigorously control access.”
Although the company claimed it had only recently discovered the leak, Parker claimed that Yahoo’s slow response was “surprising,” adding: “It should have encouraged customers to change their passwords and now, potentially, more than 200 million people are at risk and have been for some time.”
CensorNet’s CEO Ed Macnair said the usual advice applies. “Change your username and passwords across sites and with business accounts,” he said in a statement.
“Not only is personal data at risk here, but people often use such logins at work. That is always a huge issue for companies. Everyone should stay vigilant to suspicious activity and, it would be advisable to get some new passwords ready – just in case.”