Yesterday Yahoo announced that in late 2014, a security breach on their network resulted in some 500 million user accounts being compromised. Yet the company just now reported it. The hack, which the company believes was state sponsored, compromised accounts and user data including names, birthdays, email addresses, passwords, security questions, and telephone numbers but, thankfully, did not include payment or bank data.
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Security breaches in companies happen, and far too often than they should. It is a constant cat-and-mouse game between companies and blackhats, especially those blackhats who are working for governments around the world. My issue is that it took Yahoo two years to tell users, and even then, it wasn’t in big bold letters. It was a frickin’ Tumblr post. Really?
I fully appreciate that these types of investigations take time and I’m willing to give a few days or even a week or two for companies to formally announce such breaches. Two years, however, is far beyond excessive, and Yahoo should be ashamed for not letting their customer base know of this breach earlier.
As for the company, here are the things they have done to resolve the problem:
- We are notifying potentially affected users. The content of the email Yahoo is sending to those users will be available at https://yahoo.com/security-notice-content beginning at 11:30 am (PDT).
- We are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
- We invalidated unencrypted security questions and answers so they cannot be used to access an account.
- We are recommending that all users who haven’t changed their passwords since 2014 do so.
- We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
- We are working closely with law enforcement on this matter.
If you are a customer, you need to do the following:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, users are encouraged to use the Yahoo Account Key, which is a two-factor authentication method.