[UPDATE] Yahoo Suffers Biggest Data Breach In History
15th December 2016
It seems that 2016 has been the year of the hack, with many businesses publicly disclosing data breaches and cyber security experts urging the public to take precautionary measures when giving personal details online. Earlier this year Yahoo admitted that their systems suffered a data breach in 2014 which resulted in 500 million user accounts being stolen. However, just yesterday they discovered another hack, saying that data from more than 1bn accounts was compromised in 2013. This has now been crowned as the biggest data breach in history.
Yahoo confirmed that this particular cyber-attack is separate from the breach later in 2014. In a statement, Bob Lord, chief information security officer at Yahoo, said: “we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.” They believe that the hackers were working on behalf of a government. Lord added: “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Forensic experts are investigating this huge data breach and have managed to uncover “forged cookies” which may have allowed intruders to gain access to users’ accounts without using a password. This is bad news for Yahoo account holders as intruders may have stolen all their data including “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
Yahoo is identifying accounts that have been affected, notifying the account holders and prompting them to change their passwords. In terms of cyber security, Yahoo has invalidated compromised security questions that may have been stolen, deleted the forged cookies and strengthened its security systems so a data breach like this may never happen again.
Yahoo Suffers Enormous Hack - 23rd September 2016
We’re not even in December yet, but 2016 already appears to be a contender for the year of the hack. Earlier this month, IQ InfoSec reported on a huge hack on Dropbox that saw the personal information of 68 million people leaked online. However, Yahoo has just announced that it has been hit too, but the scale of it blows the Dropbox hack out of the water. The company revealed that, back in 2014, 500 million user accounts may have been hacked - making it one of the biggest breaches in history.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”, the company revealed in a statement. Yahoo claims that the hack was the work of state-sponsored cyber criminals and, although yet to be confirmed, this could have huge implications across the world.
Thankfully, it appears that no unprotected passwords or bank account information were stolen in the hack, with Yahoo stating: “the ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information”. Whilst this will come as a relief to Yahoo users everywhere, there still exists a potential problem down the line for users: the hackers managed to get their hands on the security question information used as a fallback for account access if a password is forgotten.
On the surface, this does not pose an imminent danger, but the potential access a hacker could gain from knowing your mother's maiden name, for example, is extremely significant. All it would take is for you to use the same security question from Yahoo on an online banking service and a hacker could potentially have access to all of your bank account information and even direct access to your money.
The huge breach comes at an extremely bad time for Yahoo, which is nearing completion of a deal seeing it sell its core business to Verizon for $4.8bn. As you’d expect, this news will be extremely troubling for the new owners and shareholders alike. For the users, the advice from the company itself to concerned customers is "to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account".