Yahoo officially revealed Thursday that the personal details of more than 500 million account holders were compromised as the result of a security breach being blamed by the company on government-hired hackers.
A copy of user data was “stolen” from the tech company’s network in late 2014, but the cyber smash-and-grab went unnoticed until a recent investigation, Yahoo said in a statement Thursday.
Those pilfered records contained user names, email addresses, phone numbers, birth dates and password information pertaining to at least a half-billion account holders with one of the web’s best-known and continuously successful entities.
Yahoo said the majority of passwords compromised in the attack were protected by industry-standard encryption, but is nonetheless urging users to update their log-in credentials and watch for suspicious activity in the wake of what’s already being described as one of the biggest data breaches in the history of the internet.
The hack was likely carried out by a state-sponsored actor, Yahoo said, but failed to elaborate beyond saying the perpetrator had been purged from its network.
With the “state-sponsored” label being invoked in most major breaches recently, one of Yahoo’s former security professionals said he has no reason to doubt the company’s claim that a foreign government was behind the attack.
“Where you’re up against state-sponsored adversaries, like Yahoo stated, you must expect they’ll eventually break in no matter what you do,” said Jeremiah Grossman, the founder of WhiteHat Security and a former information security officer at Yahoo.
“When anyone, and I do mean anyone, is attacked by a state-sponsored adversary, you’ve got to expect they’ll break in eventually,” Mr. Grossman told The Washington Times on Thursday. “That said, it’s also entirely possible for cyber criminals to break into systems including Yahoo’s as many are highly motivated, organized and skilled. Of course, other groups more classifiable as hacktivists or freelancers are also capable of the act — they just have to find and exploit one flaw to win.”
“With systems and attack surfaces the size of Yahoo’s, security gaps will exist,” he added.
Reports of a possible data breach affecting Yahoo’s customers first surfaced in August when Vice’s Motherboard revealed that 200 million alleged user credentials were being sold on the dark web for the equivalent of around $1,860. Yahoo said it was aware of the claim then, but declined at the time to either confirm or deny it had been hacked.
Murmurings swelled again early Thursday when Recode, a tech website, said it expected Yahoo would soon announce that the data of hundreds of millions of users had been compromised. The company’s official confirmation came around 12 hours later.
Sen. Mark Warner, Virginia Democrat and cofounder of the bipartisan Senate Cybersecurity Caucus, chided Yahoo in a statement Thursday for taking nearly two years to discover the security breach.
“The seriousness of this breach at Yahoo is huge,” said Mr. Warner. “While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.”
Gemalto, an Amsterdam-based cybersecurity company, said in a report published earlier this week that data breaches have increased 15 percent in the first half of 2016 compared with the latter half of last year, and amounted to roughly 3 million records being compromised each day.
The more than 500 million accounts affected in the breach represent roughly half of the 1 billion users Yahoo boasted across its various platforms and services as of 2012. Its free email service, launched in 1997, had around 280 million active users as of 2015, The Guardian reported then.
Verizon Communications announced in July that it planned to purchase Yahoo in a multibillion-dollar acquisition slated to take place in 2017. In a statement Thursday, Verizon said it only learned of the data breach earlier this week.
“Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests … until then, we are not in a position to further comment,” the telecom titan said.
Valued at more than $120 billion near the end of the 20th century, Yahoo is expected to be purchased for roughly 4 percent of that amount — $4.8 billion — if and when the acquisition occurs. Yahoo’s stock was up a fraction of a percentage when the markets closed Thursday in spite of the security breach.
• Andrew Blake can be reached at ablake@washingtontimes.com.