Yahoo mail logo on a smartphone display

One billion Yahoo accounts hacked in latest cyber attack

Image credit: Reuters

The data from one billion Yahoo user accounts has been stolen by hackers in what has been described as the largest cyber-security breach in history.

Yahoo admitted the data theft on Wednesday, but said the breach actually occurred in August 2013.

In September 2016, the Internet company disclosed that a 2014 breach had compromised the data of 500 million user accounts.

The previously disclosed hack, which Yahoo blamed on ‘government-funded’ hackers, led Verizon Communications, which is currently in talks to acquire Yahoo’s internet business for $4.83bn, to reopen the deal.

“We will review the impact of this new development before reaching any final conclusions,” Verizon said in a statement following the latest revelations.

Yahoo told Reuters it believes the incident would not affect the negotiations.

After the September incident, Yahoo only recommended that users should update their passwords. Now, following this latest breach, the company has made the password reset mandatory.

The company also said on Wednesday that it believes the hackers responsible for the breach announced in September had also accessed the company’s proprietary code to learn how to forge ‘cookies’ that would allow them to access an account without a password.

“Yahoo badly screwed up,” said Bruce Schneier, a cryptologist and widely respected security expert. “They weren’t taking security seriously and that’s now very clear. I would have trouble trusting Yahoo going forward.”

Yahoo hinted that it doesn’t expect the two hacks to be connected. The stolen data reportedly involves names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions and answers.

Payment-card data and bank account information were not stored in the affected system, Yahoo said.

Yahoo reportedly discovered the breach while reviewing information provided to the company by law enforcement. The struggling internet firm has solicited the help of cyber-security firm FireEye to carry out the investigation.

“Embarrassingly, Yahoo has broken its own record and reported the largest data breach in history – and at this stage, it seems that things probably can’t get any worse for the company,” said Nigel Hawthorn, chief European spokesperson at cloud access security broker Skyhigh Networks.

“Our surprise at the scale of the breach in September will no doubt turn to horror at the level of negligence the company has shown when it comes to protecting the sensitive data that it holds. Sure, today’s hackers will penetrate a network if they are really determined to, but having the ability to access and steal data over and over again without detection is simply unacceptable.”

Experts have warned that Yahoo customers who reuse their password with multiple services are now at high risk of having other accounts breached as well.

“These days, many online services support multi-factor authentication and these should be set up and used wherever possible because between this, Tesco Bank and TalkTalk, it’s become painfully clear that hackers are clever, persistent and seriously upping their game,” Hawthorn said.

Warwick Business School’s Professor John Colley said that Yahoo is now worth less than the $4.8bn originally offered by Verizon.

“They originally demanded a $1bn price concession for the later Russian hack of 500,000 accounts. This ‘new’ hack appears more damaging still. Aborting the deal may be the best option for Verizon, as many shareholders have doubts about their social media strategy,” Colley said.

“As for Yahoo!, if this deal fails then they are ‘damaged goods’ and others may no longer be queuing up to buy. If that should be the case, then - like the unwanted Twitter - they will have no option but to savagely cut costs.”
