You are using an older browser version. Please use a supported version for the best MSN experience.

Yahoo confirms at least 500 million accounts breached

USA TODAY logo USA TODAY 9/22/2016 Kim Hjelmgaard and Elizabeth Weise

UP NEXT
UP NEXT
SAN FRANCISCO — Information from at least 500 million Yahoo accounts was stolen from the company in 2014, and the company said Thursday it believes that a state-sponsored actor was behind the hack.

The information may have included names, email addresses, telephone numbers, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers, Yahoo said. 

Claims surfaced in early August that a hacker using the name "Peace" was trying to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web — a black market of thousands of secret websites.

Even in an internet-dependent population accustomed to the regular occurrence of massive data breaches, the size of this one -- the largest ever in terms of user accounts -- is attention-grabbing for its size. And the possibility that another country could be behind the attack adds to the shock factor.

The FBI said it was aware of the matter. "The compromise of public and private sector systems is something we take very seriously," the agency said in an emailed statement. The agency said it will "continue to investigate and hold accountable those who pose a threat in cyberspace."

Reset passwords

Yahoo recommends that users who haven’t changed their passwords since 2014 do so. The company said it was notifying potentially affected users and taking steps to secure their accounts. That included invalidating unencrypted security questions and answers and asking users to change their passwords.

Verizon sale in progress

The announcement comes as Yahoo looks to complete its $4.8. billion sale of its core Internet business to media giant Verizon Communications, which said it was notified of the Yahoo breach "within the last two days."

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon said.

Given the unsettled nature of Yahoo's ownership just now, “regulators should be concerned with who will take responsibility for the response to this compromise. It can be easy for the ‘right thing to do’ to slip through the cracks in a multi-billion dollar transition," said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm.

The breach doesn't threaten Verizon's acquisition of Yahoo, says SunTrust Robinson Humphreys internet equity analyst Robert Peck. But the investigation will likely lead to findings that perhaps 5% of users have left Yahoo and that could yield a lower price for Verizon.

Should the result be that Yahoo has 5 million to 10 million fewer users than when the transaction was announced in July, "this could affect the Verizon purchase price from around $100 million to $200 million," Peck said. "We don’t think it’s a dealmaker. If anything it’s a small adjustment to the total price."

Yahoo Chief Executive Officer Marissa Mayer has pledged to stay on with the company through the close of the merger, which is being overseen by Verizon's Marni Walden and AOL CEO Tim Armstrong. Yahoo shares (YHOO) were flat Thursday. Verizon (VZ) shares were up 1% at $52.39.

Since the security breach is so massive, users' Internet accounts beyond Yahoo could be affected.

As is typical with these large hacks, experts recommend account holders should also change passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.

In addition, avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from Yahoo about the breach. Hackers often use news of big breaches to conduct "phishing" campaigns. Yahoo users should be cautious of unsolicited communications that ask for personal information,Yahoo said.

Finally, all users should review their online accounts for suspicious activity

Credential stuffing

Most consumers might not think there’s much in their Yahoo account that would be of use to hackers, which typically might only include their email and Yahoo password. However, that pair of information offers multiple uses for ingenious hackers bent on extracting the maximum value from information, say experts.

First, the password. According to a Gartner survey, 50% of users reuse their passwords across multiple platforms. So armed with an email address and Yahoo password, hackers might be able to gain access to multiple accounts.

The technique is called “credential stuffing” and it’s become epidemic over the last year and a half, said Avivah Litan, a vice president and analyst at Gartner Research.

“The bad guys get lists of user IDs and password and then test them, they run through them at all the sites they want to attack to see where they work,” she says.

Once hackers gain access to other accounts, they are able to assemble dossiers on individuals. These are called “fullz” and include as much information as the hacking group has about a person, assembled from multiple sources over time. Typically they contain the person’s name, Social Security number, birth date, address, birthday, account numbers and other data.

"There are fullz available probably for most of the U.S. population,” said Litan.

The attackers don’t only use that information to go after bank accounts and credit cards, but also less obvious and harder to track information that is still worth money on the black market.

That can include loyalty points at hotel chains and airlines, avatars and points from online games, even stored value in coffee cards. Once accessed, all of these can be siphoned off, bundled and then resold.

“They’ve gone low, slow and distributed. You used to be able to see these attacks coming through really quickly after a breach,” said Litan. Instead organized crime groups take their time, harvesting points and value.

“It’s very lucrative,” said Litan.

Contributing: Kevin Johnson in Washington and Mike Snider in McLean, Va.


AdChoices
AdChoices

More From USA TODAY

image beaconimage beaconimage beacon