Internet service provider Yahoo acknowledged on Thursday that the account information of at least 500 million users was hacked and stolen in late 2014. According to a press release posted on Yahoo’s investor relations page, the information theft “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Hashing refers to the conversion, performed on the server, of passwords into fixed-length strings of unreadable characters that are deliberately difficult to convert back into their original form. Bcrypt is a specific password hashing method that is widely used in Linux-based and other open source computing environments.
The Yahoo announcement, written by Chief Information Security Officer Bob Lord, also said the company’s investigation shows that the copied data does not include unprotected passwords or users’ bank account information or payment card data. The statement went on, “the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.”
Although Yahoo’s assertion that the breach was the work of a state-sponsored hacker has been repeated widely in news reports, no facts have been presented to substantiate the claim. The only additional information that has been reported is that Yahoo is working “closely with law enforcement” in their investigation. This follows the pattern set when Democratic Party mail servers were hacked and material delivered to WikiLeaks. This was subsequently blamed on Russian intelligence by unnamed FBI sources without any evidence ever being presented.
Meanwhile, the announcement that the hack took place two or more years ago also places a number of question marks over the Yahoo revelation. While large-scale hacking of user information has been on the increase and has become more sophisticated in recent years, it defies logic that no one at Yahoo—the company is a pioneer of the World Wide Web technology—knew that their security had been breached until 24 months after the event occurred.
It should not be ruled out that the timing of the hacking report is related to the pending purchase of Yahoo by Verizon for nearly $5 billion. The mega-merger was announced on July 25 following more than a decade of stagnation at Yahoo since the collapse of the dot-com bubble on Wall Street in 2001. As the stock market value of Yahoo has been sliding in the wake of the hacking announcement, the Verizon deal will most certainly be impacted. According to Verizon officials, they only found out about the Yahoo security issue two days before the public announcement.
The massive Yahoo data breach is the biggest ever, eclipsing those of LinkedIn in 2012 and MySpace last May, in which 164 million and 359 million accounts were hacked, respectively. Cyber security experts are saying that the impact of the Yahoo attack will be felt for years to come as the information that was stolen contains a “treasure of secrets” that can be used to gain access to other online accounts of those affected.
For example, illegal access to an individual’s email account can be used as a “stepping stone” to gain entry into other sensitive information through commonly used username and password resetting methods. The same kind of access can be gained with answers to online security questions such as “What is your mother’s maiden name?” and “What is the make and model of your first car?”
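The two points above, that leaked password hashes are only as safe as the hashing behind them and that security answers are themselves credentials that should never be stored readable, can be shown in a small credential store. This is an added example and is not Yahoo's code; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (which is not in the standard library), and the `CredentialStore` class, its method names and the sample user are constructed for illustration. Each secret gets its own random salt, so two users with the same password or the same answer produce different records, and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed work-factor settings for the example; bcrypt's equivalent
# knob is its cost parameter.
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32


def hash_secret(secret, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per call, so hashing the same secret twice
    yields two different records; precomputed tables cannot be reused.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret, record):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DK_LEN)
    return hmac.compare_digest(dk.hex(), hash_hex)


def normalize_answer(answer):
    """Security answers are free text: fold case and collapse whitespace so
    'Smith ' and 'smith' match, then hash the normalized form."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer):
    return hash_secret(normalize_answer(answer))


def verify_answer(answer, record):
    return verify_secret(normalize_answer(answer), record)


class CredentialStore:
    """Holds only hashed passwords and hashed security answers; the question
    text itself is not secret and is kept readable."""

    def __init__(self):
        self._users = {}

    def register(self, username, password, question, answer):
        self._users[username] = {
            "password": hash_secret(password),
            "question": question,
            "answer": hash_answer(answer),
        }

    def check_password(self, username, password):
        rec = self._users.get(username)
        return rec is not None and verify_secret(password, rec["password"])

    def check_recovery_answer(self, username, answer):
        rec = self._users.get(username)
        return rec is not None and verify_answer(answer, rec["answer"])

    def leaked_record(self, username):
        """What a database dump would expose for this user: no plaintext secrets."""
        return dict(self._users[username])


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple",
                   "What is your mother's maiden name?", "  Smith ")
    print(store.check_password("alice", "correct horse battery staple"))
    print(store.check_recovery_answer("alice", "smith"))
    print(store.leaked_record("alice"))
```

A dump of this store reveals the question text but neither the password nor the answer, which is the difference between the "hashed" and "unencrypted" items in Yahoo's list. Treating recovery answers with the same care as passwords matters because an answer to "mother's maiden name" is reused across many sites and, unlike a password, cannot be rotated.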
The Yahoo press announcement included a list of steps the company is now taking to secure customer data along with steps users need to take to protect their accounts and other private information. The Yahoo announcement also contains a link to a public security page where FAQs are being published about the issue.