Yahoo hack: What you need to know about the biggest data breach in history
15 December 2016 • 11:52am
Yahoo has admitted that it was hit with the world's largest ever cyber attack involving a breach of customer data. The historic hack, which occurred in 2013, could have resulted in the company losing the personal details and passwords of one billion accounts, it admitted.
Here's everything you need to know about the latest and most extensive attack.
Yahoo received a bundle of data back in November that they were told had been taken in a hack. External computer forensics experts analysed the information and this week confirmed that it is likely to be customer data associated with one billion accounts that was stolen in August 2013.
The information taken could have included names, email addresses, telephone numbers, dates of birth and hashed passwords, which are scrambled and harder to read than plain text ones. In some cases security questions and answers were also taken, a number of which were unencrypted meaning they can be easily read. The stolen information didn't include payment or bank account details, which are stored in a separate system.
Wasn't Yahoo already hacked?
Yahoo revealed earlier this year that it had lost the details of at least half a billion users, including eight million from the UK, in what it described as a "state-sponsored" attack that occurred in 2014.
It was alerted to the breach when information of 200 million of its customers' accounts appeared for sale online. The seller used the moniker "Peace", which was also connected to the sale of data stolen from MySpace and LinkedIn.
The most recent attack is thought to have been a separate incident a year earlier. Although Yahoo has given no indication of who the perpetrators of the latest attack are, it said it doesn't believe them to be the same "state-sponsored" actors behind the earlier breach.
As is announced the 2013 hack, Yahoo also said the "state-sponsored" attackers appeared to have accessed further accounts by forging its cookies, which track visitors to a website and allowed them to login without passwords. The company is notifying any customers affected by this incident.
Am I at risk?
Given that there are only around 3 billion users on the internet, the hack affects a significant number of people (although it should be noted the attack affected 1 billion accounts not people). If you set up an account with Yahoo, which has 850 million active monthly users, before August 2013 then you could have had information stolen in the breach.
Although no financial information was taken, account holders could now be at risk of being targeted by fraudsters looking for financial details or more identifying information. If stolen password and email combinations are re-used on other websites, hackers could used them to log into other websites, while email addresses may be targeted with phishing attacks.
What should I do about it?
Yahoo said it will notify users that are affected, and prompt them to secure their accounts with measures such as changing their passwords. Those who had unencrypted security questions taken will find these are now invalid and will be told to add new ones to their accounts. Yahoo has also blocked the cookie forging hack from working.
HOW TO | Pick a password
The company recommends that users change their passwords and security questions for accounts other than their Yahoo one where they're repeated or similar. It is advisable to never use the same password more than once, and to use a password manager such as LastPass or Yahoo Account Key to prevent yourself from forgetting them.
The best way to protect against fraud online is to use strong and unique passwords, be extra suspicious when receiving unsolicited messages, and to never click on links or open attachments in messages that could be fake.
Don't be a scam victim
Is Yahoo at fault?
It is not clear who is behind the theft and it appears to be separate from previous incidents, but the responsibility of protecting customer data rests with companies.
Britain's data protection watchdog said it is in talks with Yahoo about the hack.
"This latest report of another significant data loss at Yahoo gives us further cause for concern," said Simon Entwisle, deputy information commissioner. "We are talking to Yahoo again today and we are in touch with the relevant international authorities to ensure the data protection interests of UK customers are considered.
"The scale of this attack is unprecedented and it is not yet known how many UK users are affected. We would urge all Yahoo users who have not changed their passwords recently to consider doing so now."
He added that the European and US authorities are responsible for investigating Yahoo.
After TalkTalk was fined a record £400,000 for failing on the "basic principles of cyber security", Elizabeth Denham, the information commissioner, said: "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."Given the number of attacks Yahoo has suffered it could face a penalty.
Jeremiah Grossman, former information security officer at Yahoo, told Wired the details indicated "there's confusion, there's frustration, and there's not a lot of support for the security team" at the company.
Yahoo is working with law enforcement and has taken steps to secure users' accounts since discovering the breaches.
What does this mean for Yahoo's sale to Verizon?
The hack comes as Yahoo is in the midst of $4.8 billion negotiations to sell to Verizon. Following the previous revelation the US telecoms giant said the cost of the sale could be renegotiated, and given the size of the latest data breach, the price of the deal could again be on the table.
A Yahoo spokesman said: "We are confident in Yahoo’s value and we continue to work towards integration with Verizon," but Verizon said it was evaluating the situation.