What you need to know about Yahoo's massive data breach

At least 500 million accounts compromised


Yahoo has confirmed a massive data breach that stole information from at least 500 million user accounts, leaving many to wonder who's behind the attack and what this means for their security.

Yahoo is alerting affected users and taking some steps to protect them, but there are also things you can do to try to keep your information secure.

We've gathered up everything you need to know about the Yahoo hack, plus advice on what you can do to protect yourself.

Who's the hacker?

The breach stems from a late 2014 hack by what Yahoo calls a state-sponsored actor. As our Darren Allan reported earlier, the attack was allegedly carried out by a hacker known as 'peace' (full name 'peace_of_mind').

Peace identified themselves to Wired as a former member of a team of Russian hackers who attacked a number of sites in 2012 and 2013 and sold stolen data on the dark web.

In August, peace claimed to be selling stolen login details for 200 million Yahoo accounts for around $2,000 (around £1,500, AU$2,700) a pop.


Yahoo was aware of peace's claims at the time but did not issue a password reset. Today, the company said its investigation so far has turned up no evidence that the state-sponsored actor is still inside Yahoo's network.

What information was stolen?

According to Yahoo, information connected to at least 500 million user accounts was stolen. That information may include:

  • Names
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Hashed passwords, the vast majority with bcrypt
  • In some cases, encrypted or unencrypted security questions and answers

Bcrypt is a password hashing mechanism that incorporates security features such as salting and several rounds of computation to provide advanced protection against password cracking, Yahoo explains in an FAQ about the breach. Salting stops an attacker from reusing one precomputed table against every account, and the configurable number of rounds makes each guess expensive, but a short or commonly used password still falls quickly however it is hashed, which is why the reset advice below still matters.

Yahoo's investigation suggests stolen information doesn't include unprotected passwords, payment card data, or bank account information. The company notes payment card data and bank account information aren't stored on the system that was hacked.
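To make the bcrypt properties above concrete, here is an added example (not code from the article or from Yahoo) showing what a per-password salt and a tunable round count buy you. Because bcrypt itself is a third-party package, the hashing stand-in uses the standard library's PBKDF2-HMAC-SHA256; the `$2b$<cost>$` parser then reads the work factor out of a real bcrypt-format string, and a small triage function tells a bcrypt hash apart from a bare unsalted digest. The bcrypt sample string and the 32-hex-digit sample are constructed for the example; the function names and the `pbkdf2_sha256$rounds$salt$digest` storage format are this example's own choices.

```python
"""Added example: salting and a tunable work factor, the two properties the
article credits bcrypt with, using the stdlib's PBKDF2 as a stand-in for
bcrypt, plus a parser for the $2b$<cost>$ prefix of a stored bcrypt hash.
Not code from the article or from Yahoo."""
import hashlib
import hmac
import os
import re
import time

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a
# configurable round count. The stored string carries everything verification
# needs (scheme, rounds, salt, digest), as bcrypt's "$2b$12$..." string does.
def hash_password(password, rounds=100_000, salt=None):
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    # Constant-time compare so a wrong guess leaks nothing about how close it was.
    return hmac.compare_digest(digest.hex(), digest_hex)

# bcrypt's modular-crypt string: $<version>$<cost>$<22-char salt><31-char hash>,
# both in bcrypt's ./A-Za-z0-9 alphabet. cost is log2 of the round count, so
# cost 12 means 2**12 = 4096 rounds of key expansion per guess.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def bcrypt_cost(stored):
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash")
    return int(m.group(2))

def classify_stored_hash(stored):
    """Triage a stored password hash by format alone: bcrypt strings carry a
    visible cost; a bare 32- or 40-hex-digit string is an unsalted,
    single-round digest (MD5/SHA-1 sized) with no work factor at all."""
    if BCRYPT_RE.match(stored):
        return f"bcrypt cost {bcrypt_cost(stored)}"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2 rounds " + stored.split("$")[1]
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}", stored):
        return "unsalted fast digest"
    return "unknown"

def guesses_per_second(rounds, samples=5):
    """How many candidate passwords this machine can test per second at the
    given round count; more rounds means fewer guesses for a cracker too."""
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"\x00" * 16, rounds)
    return samples / (time.perf_counter() - t0)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("password123", stored))                   # False
    # Same password, two random salts: two different stored values, so one
    # precomputed table cannot be reused across users.
    print(hash_password("hunter2") == hash_password("hunter2"))     # False
    # Constructed sample in bcrypt's format (which password it encodes is irrelevant here).
    print(classify_stored_hash(
        "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"))  # bcrypt cost 12
    # Constructed sample of a bare 128-bit digest with no salt and no rounds.
    print(classify_stored_hash("5f4dcc3b5aa765d61d8327deb882cf99"))  # unsalted fast digest
    for r in (1_000, 100_000):
        print(f"{r:>7} rounds: {guesses_per_second(r):,.0f} guesses/s")
```

Run it once and compare the two `guesses_per_second` lines: raising the round count a hundredfold cuts an attacker's guess rate by roughly the same factor, which is the whole point of a slow, salted scheme over a plain digest. The triage function is the check to run over your own password table: a store full of bare hex digests offers none of the protection the article describes.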

What is Yahoo doing now?

Yahoo says it's alerting affected users via email. It made a point to note that its email will feature the company's purple "Y" Yahoo icon, and won't ask users to click on links, contain any attachments or request personal information. Emails that do are likely attempts to steal your information.

Yahoo advises affected users to change their passwords and adopt alternative means of account verification.

It also recommends all users change their passwords if they haven't done so since 2014.


The company has also invalidated unencrypted security questions and answers, and says it's continuing to enhance its systems to detect and prevent unauthorized account access.

Finally, Yahoo's investigation is ongoing, and it's working with law enforcement on the case.

What steps can you take?

After changing your Yahoo Account password, one of the most proactive steps users can take is to change any passwords and security questions and answers for other accounts (Gmail, Outlook, your banking login information, etc.) where you may have used the same or similar credentials as the ones for your Yahoo Account.

You should also check over your other accounts for any suspicious activity.

If you receive any unsolicited communications asking for your personal information, or that want you to go to a web page that asks you to input that information, you should proceed with caution (or, better yet, just delete it completely).

Also avoid clicking on links or downloading attachments from suspicious emails as those might be an attempt to steal your personal information.

Lastly, while affected Yahoo Account information doesn't include unprotected passwords, contents of emails, payment card data, or bank account information, it pays to keep a close eye on your bank accounts and credit reports for anything suspicious.

You can always contact one of the three national credit reporting agencies for a credit report, and if you're really concerned, you can issue a security freeze on your credit file at each agency. That may cost you a fee, however.

Unfortunately, this won't be the last big breach we see. Even as companies and governments become more sophisticated about security, so do hackers about breaking it. So while Yahoo cleans up the mess, remember to stay vigilant and change all your passwords periodically.
