Recently, it came to light that a data breach that Yahoo suffered a few years back may have affected a very large number of users. The number had been speculated to be in the hundreds of millions of Yahoo users. Naturally, it was assumed that Yahoo would be making a statement of some sort in the near future to acknowledge the breach’s scale and give some additional details. In a statement issued today, Yahoo came forward not only to acknowledge that a 2014 breach may have affected up to 500 million users, but also to say that they believe that a “state-sponsored actor” was involved. That term was used very vaguely, with no specific “state” named. This means that any number of elements could be implicated, and right now, Yahoo is “working closely with law enforcement” to figure out exactly who is responsible for the attack, the way it was perpetrated, and the reason for it.
The figure of 500 million possible affected users blows the original 200 million estimate from some sources out of the water and, given the timing, probably will not sit well with shareholders. In any case, Yahoo claims that they are being as diligent as possible in both investigating the breach and notifying affected users. In its statement, Yahoo has not specifically commented on the previous reports, which suggested that some 200 million Yahoo accounts made their way into the hands of a dark web black market extraordinaire and were sold.
Yahoo is invalidating unencrypted security questions for users who seem to have been affected, and is asking any users who have not changed their password since 2014 to do so. Yahoo is also pushing a tool called “Yahoo Account Key”, which is meant to replace the traditional password and provide a little bit of added security and reliability by having Yahoo’s backend at its core, instead of relying on user memory. According to Yahoo, attacks by state-sponsored entities are on the rise in the tech industry, and a program that they launched in 2014 to seek out and notify users whose details were taken by such elements has thus far resulted in the issuance of 10,000 individual breach notices. Yahoo is cautioning users to be extra careful with account security by keeping a sharp eye out for things like phishing attempts and unsolicited email attachments.