Yahoo comes clean on huge data breach


Update 11:45am PT: Yahoo has confirmed a massive data breach affecting at least 500 million accounts.

"We have confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," Yahoo says in a release.

Stolen information may include names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions or answers, the company says.

So far, Yahoo hasn't turned up evidence that unprotected passwords, payment card data, or bank account information were stolen.

Yahoo is contacting affected users and asking them to change their passwords. It's also invalidating unencrypted security questions and answers and recommending that users who haven't updated their passwords since 2014 do so. Yahoo recommends changing the password and security questions and answers for any other accounts that may have shared the same or similar information.

Original story below...

Apparently Yahoo is about to confirm that it was hit by a huge data breach which involved the spillage of account details pertaining to several hundred million users.

You may recall the incident being reported back at the start of August, with allegations that a hacker known as 'peace' (or his full name 'peace_of_mind') had penetrated Yahoo security and made off with the login details of 200 million accounts, which were subsequently sold on the dark web for just shy of $2,000 (around £1,500, AU$2,700) a pop.

At the time, Yahoo said it was investigating the matter, and according to inside sources who spoke to Recode, the internet giant is about to officially confirm the breach, and presumably the exact extent of the intrusion – which the tipsters said was 'widespread and serious'.

One source the tech site spoke to hinted that it may actually be "worse, really" than the picture of 200 million details spilled which we've already had painted.

Delayed reset

This is obviously embarrassing for Yahoo because at the start of last month when all this emerged, the company didn't implement any kind of precautionary password reset for users. This may have to happen now when the breach is officially declared, and obviously the long delay in doing so doesn't look good for Yahoo.

The incident is also a fly in the ointment of the current deal whereby Verizon is purchasing the core internet business of Yahoo for $4.8 billion (around £3.7 billion, AU$6.4 billion), following Verizon's purchase of AOL last year.

The concern is if Yahoo gets a battering from regulators and investigators looking into this breach, there will not only be damage to the company's reputation but also some potentially major fiscal penalties to face, which could then affect the Verizon deal.

All in all, the timing couldn't be worse for Yahoo. Not that there is ever a good time for an event like this to happen – and of course it's the users who've had their details leaked who are the real victims.

It'll definitely be interesting to see Yahoo's full explanation of the affair, and reasoning behind exactly why it's taken so long to come clean over it.

Naturally, big internet firms are the target of many attacks, and this isn't the first time Yahoo has been hit. Back in 2014, for example, Yahoo Mail was compromised by hackers, triggering a password reset for affected users.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).