Yahoo corporate headquarters

Yahoo data breach affects at least 500m users

Pro
(Image: Yahoo)

23 September 2016

A massive breach at Yahoo compromised account details from at least 500 million users, and the company is blaming the attack on state-sponsored hackers.

Names, email addresses, telephone numbers, and hashed passwords may have been stolen as part of the hack, which occurred in late 2014, Yahoo said.

The company reported the breach on Thursday, after a stolen database from the company went on sale on the black market last month.

However, the hacker behind the sale claimed that the stolen database involved only 200 million users and was likely obtained in 2012.

It is unclear if Thursday’s breach is connected. But Yahoo has been notifying affected users and asking them to change their passwords.

“We are recommending that all users who haven’t changed their passwords since 2014 do so,” the company said in a statement. It’s also asking that users review any suspicious activity related to their accounts.

The vast majority of the stolen passwords were hashed with the security tool bcrypt, making them more difficult to crack, Yahoo said. But some security questions and answers from the accounts may have also been taken.

However, Yahoo’s investigation suggests that no payment card data or banking details were stolen in the breach, the company added. Yahoo has found no evidence showing that the hackers are still inside its network.

Yahoo has published an FAQ for affected users. The company is also working with law enforcement to investigate the incident.

Discovery
It was a hacker’s attempt to sell user data he claimed was stolen from Yahoo actually led the company to uncover a far more severe breach.

The information comes even as security experts have been questioning why Yahoo took so long to warn the public when it was known that a hacker was claiming to be selling the data online around early August.

The hacker, named peace_of_mind, was found selling the alleged Yahoo log-in credentials to over 200 million accounts on a black market website that offers illegal goods. The hacker provided a sample of the data that appeared to be real. However, Yahoo investigated the sale and found no evidence that it was legitimate, the source said.

Following the investigation, a broader probe was launched to review Yahoo’s systems, uncovering evidence that the company had actually been hacked in late 2014.

Vitali Kremez, a cybercrime analyst at security firm Flashpoint, also said that the two incidents probably were not connected. What the hacker peace_of_mind was selling was different from the Yahoo breach. For one, the data he put up for sale allegedly came from 2012, not 2014.

Peace_of_mind also only advertised that he stole logins to over 200 million accounts, far less than the 500 million number, Kremez added.

Political motivation
Thursday’s breach might also be politically motivated. Yahoo is blaming the breach on an unnamed “state-sponsored actor.” Although it’s still unclear how the hack was pulled off, the stolen data includes names, email addresses, telephone numbers and hashed passwords.

Peace_of_mind was contacted over instant messenger on Thursday and the hacker appeared to deny that his sale was bogus.

“I can say is the 200 million database wasn’t the entire database,” he said, declining to elaborate. He also denied that a state-sponsored hacker was involved.

Chatter about the sale of a stolen Yahoo database has been circulating over the black market for some time, said Alex Holden, Chief Information Security Officer of security firm Hold Security.

Hackers have been claiming that the database contains between 200 million to over 500 million accounts. Holden’s company has even pretended to be a potential buyer in order to learn more about it.

But despite the 19 bitcoin price tag (about €10,200) the hackers kept offering excuses to stall the purchase. It was as if they were reluctant to hand it over, he said.

“It was unclear if this was really being sold, or what happened to it,” Holden added. However, the hackers have been giving different dates for when the data was stolen, claiming 2012 to 2015 and even this year.

 

IDG News Service

Read More:


Back to Top ↑

TechCentral.ie