By Patrick May, The Mercury News
SAN JOSE, Calif. — Yahoo has been struck by a massive hack affecting at least 500 million of its users’ accounts, the company said Thursday.
A “state-sponsored actor” was responsible for the huge theft of user data, which occurred in 2014, Yahoo said in a blog post.
“The account information may have included names, email addresses, telephone numbers, dates of birth … passwords … and, in some cases, encrypted or unencrypted security questions and answers,” the company said, adding that the stolen passwords, when taken, were “hashed,” meaning converted into randomized characters, and that the “vast majority” were heavily encrypted.
“Passwords that have been hashed can’t be converted into the original plain text password,” Yahoo said, adding that the “bcrypt” heavy encryption on the bulk of the passwords provides “advanced protection against password cracking.”
The fact that the data was stolen in 2014 and that there appear to have been no reports of ill outcomes for Yahoo users mitigates the effects of the breach, said Pivotal Research analyst Brian Wieser. “Most consumers who might’ve been impacted would presumably already have been impacted to some degree,” Wieser said. “It would be different if all the data, email addresses and passwords had been sucked out today.
“Obviously, it’s negative, but is it manageable? Probably. Is it going to cause users to stop using Yahoo? Probably not, at least not any more than they have already. It’s probably not a big deal, but we’ll have to see.”
However, the stolen data that wasn’t encrypted, such as birth dates, phone numbers and email addresses, could put users at risk of attacks by criminals who could contact them by email, phone or text and pose as representatives of banks, or even the Internal Revenue Service, said Adam Levin, chair of identity-protection firm IDT911. The attackers could then use the personal data they have to persuade a person to give them additional information that would enable theft from bank accounts or fraudulent credit card use, Levin said.
Troubled Yahoo put itself up for sale in February and in July announced Verizon would buy its Internet business for $4.83 billion, with the sale to be finalized in the first quarter of next year.
Earlier on Thursday, Recode reported that an investigation by federal authorities into the data breach was imminent and that legal action tied to the attack was probable.
The latest news comes after word this summer that the Silicon Valley-based tech giant was looking into a data breach in which the attackers boasted of gaining access to 200 million accounts and claimed that they were putting the data up for sale online.
Among the worries triggered by such a huge attack is shareholder angst, should investors sour on the deal with Verizon given the impact of the breach.
As Recode points out, while the Verizon deal is currently in play there remain numerous regulatory hurdles for both sides to overcome before a sale can go through.
At the time of the summer attack, Yahoo said it was “aware of the claim,” but the company declined to say if it was bogus or not. Yahoo said back then that it was investigating the matter but it declined to issue a password reset to users. Now, said Recode’s sources, Yahoo might have to issue such a call, though they said it could well be too little too late.
———
©2016 The Mercury News (San Jose, Calif.) Distributed by Tribune Content Agency, LLC.
