Post by: Lisa Vaas | SOPHOS Naked Security | Published on: 09/23/2016
Yahoo last night confirmed earlier reports that information pertaining to an unprecedented “at least” half a billion user accounts was stolen in a 2014 breach.
That may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the password-hashing function bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo says the breach didn’t include unprotected passwords, payment card data, or bank account information. The company says it doesn’t store payment card data or bank account information in its system.
It’s blaming an unspecified “state-sponsored actor.” The FBI has confirmed that it’s investigating the attack.
Three unnamed US intelligence officials told Reuters that they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting under their command.
News of a possible major attack on Yahoo first emerged in August, when Peace – the infamous dark-web purveyor of humongous data sets that date back years – was trying to sell information on 200 million Yahoo accounts.
For some reason, Yahoo didn’t call for a mandatory password reset when news of the attack first broke last month.
Somebody familiar with the matter told Reuters that the August report turned out to be false, though Yahoo’s investigation did in fact uncover the separate 2014 theft.
The company said in a statement at the time that it was “committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”
Those facts: Peace is the same name – he or she goes by peace_of_mind in the dark markets, or simply “Peace” – of the person who’s gone online recently to sell data sets from years-old breaches at Tumblr, LinkedIn and MySpace.
The Yahoo haul dwarfs them all, according to Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned.
What to do?
Change your password.
Yes. If you haven’t changed it since 2014, do it now.
And change that password on any other sites you use. Make sure each online account has a different password, and make them all strong.
Also, it’s a good time to change your security questions. If you’re one of the half a billion users who’s been affected by the breach, you won’t have a choice about that, since Yahoo’s gone and invalidated your security questions for your safety.
Reference Article: https://nakedsecurity.sophos.com/2016/09/23/change-your-password-yahoo-confirms-data-breach-of-500-million-accounts/