Massive Yahoo database reportedly sold for £240,000 on the dark web

The world's population stands at just over 7.3 billion people - just 3.2 billion of these have connections to the internet. Given a rise of "historic mega breaches" in 2016, it's likely that most people online have had their data compromised in one way or another.
Yahoo has increased that likelihood with the disclosure of the biggest data breach of all time. In 2013, the company has now said, more than 1,000,000,000 of the accounts registered with it had data stolen.
The hack is also completely separate (Yahoo says "distinct") from the 500 million accounts it revealed were compromised earlier this year. The smaller data breach happened in 2014 and the subsequent investigation led to the discovery of the newest incident.
The latest data breach doesn't include payment or credit card details, Yahoo says. But within the nabbed details is highly personal information that could be used to force access to other online accounts.
"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo said in a statement pushed out to its investors. Unencrypted passwords were not included, it says.
In response to the findings – Yahoo said it has used forensic experts – it is notifying all customers who were affected and has "taken steps to secure their accounts". Security questions that weren't encrypted have been disabled, it says.
Since Yahoo made the details of the data breach public, the information has reportedly started to surface on the dark web. According to Bloomberg, the whole database was made available for buyers from a "hacking collective based in Eastern Europe".
Cybersecurity expert Andrew Komarov, chief intelligence officer at InfoArmor, said three people paid around $300,000 (£240,000) for a complete copy of the database. Komarov said two of these were known spammers. He went on to say his firm purchased a copy of the details earlier this year and told government and law enforcement agencies around the world – Yahoo has been unable to verify these claims.
"The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge," Komarov told Bloomberg.
The customer details weren't the only part of the hack, however. In the past, forged cookies were used to access Yahoo accounts and it appears the cookies were created with Yahoo's own code. "Based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies," Bob Lord, Yahoo's chief information security officer, said in a blog post.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used."

Yahoo customers affected by the incident are advised to change their passwords, review accounts, and to "consider" using Yahoo's authentication tool to remove the need for passwords.
While Yahoo blamed the previous cyberattack on a third party working for a government, it has not said who it believes was responsible for the latest incident, although its investigation is still ongoing.
The announcement of the data breach comes at a time when Yahoo is being purchased by US telecoms firm Verizon. In July, the two firms agreed a £3.6bn takeover deal that is due to be completed next year. Verizon has been incredibly quiet on both the Yahoo hacks, although reports have claimed the firm has asked for a large discount on the sale price.
The 2014 hack saw the names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions (both encrypted and not) being taken. UK customers of Sky and BT email services which are powered by Yahoo were told to update their passwords.
Other large data breaches revealed this year include 117m LinkedIn users, 85m Dailymotion accounts, and 339m Adult Friend Finder accounts.
