Hack Brief: Yahoo Breach Hits Half a Billion Users

After earlier reports of a cybercriminal hack that affected 200 million users, the real breach turns out to be far more serious.
Lisa Werner/Getty

Editor's note: This story was updated at 4 p.m. to include new information after Yahoo's announcement of its data breach.

Over recent months, the ghosts of data breaches past have been returning to plague companies like MySpace, LinkedIn, Twitter, and Tumblr, as hackers put up for sale massive collections of user credentials stolen earlier in the decade. It seems the summer of ginormous data spills isn't over yet and has just reached a new peak. Yahoo confirmed on Thursday afternoon the theft of personal information of half a billion of its users. The announcement comes at a very inconvenient moment: just as the web giant is trying to sell itself to Verizon in a multibillion-dollar deal.

The Hack

Yahoo chief information security officer Bob Lord wrote in a statement on Yahoo’s Tumblr site that the company had been the victim of a hacker intrusion in late 2014 that accessed at least 500 million accounts and retrieved a bounty of information, including user names, email addresses, telephone numbers, dates of birth, security questions and answers, and passwords—albeit passwords protected by cryptographic hashing. “We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Lord writes. “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.”

Earlier Thursday, Recode reported that Yahoo was expected to confirm a data breach affecting hundreds of millions of users. The site referenced a collection of 200 million Yahoo user names, birthdates, email addresses and hashed passwords that has been offered for sale on the dark web marketplace The Real Deal since at least August. In June, WIRED interviewed the hacker known as Peace or Peace of Mind, who is behind the data sale on The Real Deal. Peace claimed to be a former member of a team of Russian cybercriminal hackers. He or she later sent WIRED a sample of the purported Yahoo data, but when WIRED sent test messages to the email addresses, half of them were invalid.

But Yahoo’s announcement suggests a different breach. The timing, scale and Yahoo’s claim of state involvement indicate it may be distinct from the one that surfaced data on the dark web and could also be significantly more serious.

Who's Affected

Despite the enormous number of people affected by this breach, the biggest victim may be Yahoo itself. Reports of the breach come just as the beleaguered company is trying to negotiate a deal to sell itself to Verizon for $4.8 billion. If the mega-breach negatively impacts its share price even temporarily, the dip could cost Yahoo and its shareholders a slice of the buyout price.

Yahoo says it’s reset the passwords of affected users and begun the process of notifying victims by email. It’s recommending that people whose data was compromised also change their security questions and set up Yahoo’s Account Key tool, which serves as an alternative to password logins. Yahoo’s announcement also notes that the company is working with law enforcement to investigate the breach.

How Serious Is This?

The most serious problem for Yahoo users would be if the cryptographically hashed passwords exposed in the hack can be cracked and used. Yahoo stated that the "vast majority" of its passwords had been hashed with bcrypt, a scheme that is deliberately slow to compute and is therefore believed to be relatively tough for hackers to crack. But the details of Yahoo's hashing scheme, and the fraction of leaked passwords that were protected by bcrypt rather than something weaker, aren't clear. So even if you've changed your Yahoo password since 2014 or reset it in response to a message from the company today, be sure you also change it on any other account where you use the same password. (And for the millionth time: Don't reuse passwords.)
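To make the point above concrete, here is an added example (not code from the article or from Yahoo) that contrasts an unsalted single-pass hash with a salted, iterated password hash and measures how much the slow scheme raises the cost of each guess. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 with a hypothetical work factor stands in for it; the cost model at the end shows why per-user salting matters as much as slowness when 500 million hashes leak at once.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # hypothetical work factor, playing the role of bcrypt's cost parameter


def legacy_hash(password: str) -> str:
    """Unsalted single-pass SHA-1: the weak case for a leaked hash table."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256, standing in for bcrypt (not in stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """What a site should store: a per-user random salt, the work factor, and the derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": kdf_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against the stored record using a constant-time comparison."""
    derived = kdf_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def rate_per_second(fn, n: int) -> float:
    """Measure how many hashes per second this machine computes with fn."""
    t0 = time.perf_counter()
    for i in range(n):
        fn(f"guess-{i}")
    return n / (time.perf_counter() - t0)


def slowdown_factor() -> float:
    """How many times slower one KDF guess is than one legacy SHA-1 guess on this machine."""
    salt = os.urandom(16)
    return rate_per_second(legacy_hash, 5000) / rate_per_second(lambda p: kdf_hash(p, salt), 5)


def attacker_seconds(n_accounts: int, n_guesses: int, per_hash_s: float, salted: bool) -> float:
    """Cost model: with unsalted hashes one computed guess can be looked up against every
    leaked account at once; a per-user salt forces the work to be redone for each account."""
    hashes_to_compute = n_guesses * (n_accounts if salted else 1)
    return hashes_to_compute * per_hash_s
```

Running `slowdown_factor()` on a typical laptop gives a ratio in the tens of thousands; multiplying that by the per-account factor from `attacker_seconds` is what separates a dump that is cracked in days from one that is not.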

Yahoo has warned victims of the breach to be wary of "unsolicited communications that ask for your personal information or refer you to a web page asking for personal information." The leak provides a bounty of leads for both text-message and email-based phishing schemes that trick users into giving up more information.

But the most damaging aspect of the affair may yet turn out to be its timing: Yahoo's buyout deal is set to become a test case of whether a massive corporate sale can weather an equally massive hacking debacle.