James Thew - Fotolia
Yahoo officially acknowledged it was the victim of one of the largest data breaches in history, in which data from at least 500 million user accounts was stolen.
The Yahoo breach originally took place in late 2014, but it wasn't confirmed until a "recent investigation." No timetable was given, but Flashpoint confirmed it recently found 200 million Yahoo accounts for sale on the deep web.
"On Aug. 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor 'peace_of_mind' (otherwise known as 'peace') for the sale of some 200 million Yahoo account credentials," Vitali Kremez, cybercrime intelligence senior analyst at New York-based Flashpoint, told SearchSecurity via email. "Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked Myspace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible, based on past activity and feedback from customers."
Various news outlets have reported the sale of the Yahoo accounts on the deep web first prompted Yahoo to investigate a potential megabreach in the first place. The Yahoo breach follows other high-profile data breaches at companies, such as LinkedIn and Dropbox, that have exposed user emails and information.
Keatron Evans, senior security researcher and principal of Blink Digital Security LLC, based in Chicago, said Yahoo needs to provide more details about the attack.
"What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?" Evans said. "This slow response could become a PR nightmare that damages the company's reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."
In a statement, Yahoo said it believes the attack was state-sponsored, though no specific nation was named. Yahoo also attempted to reassure users that their most valuable data had not been compromised.
"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo wrote. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."
J. Paul Haynes, CEO of eSentire Inc., based in Cambridge, Ont., said it was good to see Yahoo not jumping to conclusions with attribution.
"The timing of this breach is curious, given Yahoo's pending sale; however, it's a bit premature to place blame with a state-sponsored attacker," Haynes said. "Attribution is a slippery slope and nearly impossible without a complete case file, which [neither] Yahoo nor the investigators have at this point."
Complicating matters further, Verizon is in the process of purchasing Yahoo for $4.8 billion. The deal is still under regulatory review. A Verizon spokesperson said the company only learned of the megabreach at Yahoo this past Tuesday, but said Verizon only has "limited information and understanding of the impact" of the breach.
Adam Levin, chairman and founder of IDT911 LLC, based in Scottsdale, Ariz., said data breaches should be considered a new certainty in life, along with death and taxes.
"All users of Yahoo email must immediately change not only their Yahoo user IDs and passwords, but also any duplicate login information used to access other accounts," Levin said. "As we live in an environment where breaches have become the third certainty in life, it is essential that consumers protect themselves by using long and strong passwords, which are never shared across their universe of social, financial, retail and email accounts, and updated routinely; enable two-factor authentication; and are always on guard against phishing attacks."
Yahoo suggested users review their online accounts for any suspicious activity, change account details, avoid clicking suspicious links and using the Yahoo Account Key two-factor authentication tool.
Brett McDowell, executive director of the FIDO Alliance, based in Wakefield, Mass., said this should be a warning to everyone that strong passwords alone may not be enough.
"Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud. We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether," McDowell said. "The frequency and severity of these data breaches is only getting worse year over year, and this trend will continue until our industry ends its dependency on password security and adopts unphishable, strong authentication."
Vishal Gupta, CEO of Seclore, based in India, said the fallout from this attack could be devastating. "This nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously," Gupta said. "Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes."
Learn more about the merits of encrypting and hashing passwords
Find out how to build strong passwords and prevent data breaches
Get info on best practices for conducting information security assessments