Yahoo! has admitted to a 2014 hack in which data belonging to 500 million users was stolen.
The company blamed an unnamed state-sponsored actor. Based on an ongoing investigation, Yahoo! believes that information associated with 500 million user accounts was taken. The investigation has found no evidence that the state-sponsored actor still has access to Yahoo's network. Yahoo! is working closely with law enforcement on the matter.
The FBI sent Forbes the following statement: “The FBI is aware of the intrusion and investigating the matter. We take these types of security breaches very seriously and we will determine how this occurred and who is responsible. We will continue to work with the private sector and will share that information. This way, they can safeguard their systems against the actions of persistent cyber criminals.”
The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. “Cybersecurity can absolutely affect a valuation, and these are important questions that investors need to be asking,” said Jacob Olcott, vice president of BitSight Technologies, a security company.
Yahoo! Mail is one of the oldest free email services, and many users have built their digital identities around it, from bank accounts to photo albums and even medical information. Hints of the breach came in the summer, when a dark web dealer called Peace offered 200 million Yahoo usernames and passwords on a Tor-based market called The Real Deal, as reported by Vice Motherboard. Rumours then emerged that Yahoo was ready to admit the breach, and it is now confirmed that the hack was even bigger than first indicated.
Confirmation from Yahoo!
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, chief information security officer at Yahoo.
It should be noted that bcrypt is a deliberately slow, salted password-hashing function. It turns each password into a fixed-length digest that cannot be reversed to recover the password, and its adjustable cost factor makes every guess expensive, so an attacker holding the stolen hashes must spend far more compute per candidate password than with a fast general-purpose hash such as MD5 or SHA-1. Two caveats matter for affected users: a strong hash does not protect a weak or reused password from a dictionary attack, and it does nothing for the security questions and answers that were stored unencrypted.
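When a dump like this surfaces, the first thing a responder wants to know is which records are actually bcrypt, at what cost factor, and how much slower that makes offline cracking than a fast hash. The script below is an added example, not Yahoo's code or data: it parses bcrypt's modular-crypt format (`$2a$`/`$2b$`/`$2y$`, two-digit cost, 22-character salt, 31-character digest), classifies each line of a constructed `user:hash` dump, and scales a cracking rate across cost factors using the fact that bcrypt's key setup runs 2^cost rounds. The usernames, hash strings and the baseline rate of 1000 guesses per second are all made up for illustration.

```python
"""Triage a leaked credential dump by password-hash format.

Added example, not Yahoo's code or data. Every dump line below is constructed
(made-up users, made-up strings in the right shape); the point is the format
check and the cost-factor arithmetic, not the hash values themselves.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# bcrypt modular-crypt format: $2a$ | $2b$ | $2y$, two-digit cost, then
# 22 chars of salt and 31 chars of digest in bcrypt's own ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
# A bare lowercase hex digest with no salt field, 128-512 bits wide.
HEX_DIGEST_RE = re.compile(r"^[0-9a-f]{32,128}$")


@dataclass
class HashRecord:
    user: str
    scheme: str           # "bcrypt", "hex-digest" or "unknown"
    cost: Optional[int]   # bcrypt cost factor, None for other schemes


def classify(user: str, stored: str) -> HashRecord:
    """Identify the hash scheme of one stored credential by its format."""
    m = BCRYPT_RE.match(stored)
    if m:
        return HashRecord(user, "bcrypt", int(m.group(2)))
    if HEX_DIGEST_RE.match(stored):
        # Unsalted fast hashes (MD5, SHA-1, SHA-256) are usually stored this way.
        return HashRecord(user, "hex-digest", None)
    return HashRecord(user, "unknown", None)


def parse_dump(text: str) -> list[HashRecord]:
    """Parse 'user:hash' lines; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        records.append(classify(user, stored))
    return records


def summarize(records: list[HashRecord]) -> dict:
    """Count records per scheme and, for bcrypt, per cost factor."""
    by_scheme = Counter(r.scheme for r in records)
    costs = Counter(r.cost for r in records if r.scheme == "bcrypt")
    return {"schemes": dict(by_scheme), "bcrypt_costs": dict(costs)}


def relative_work(cost_a: int, cost_b: int) -> float:
    """bcrypt performs 2**cost key-setup rounds, so each extra cost unit doubles
    the work per guess; returns how many times slower cost_a is than cost_b."""
    return 2 ** (cost_a - cost_b)


def guesses_per_second(cost: int, baseline_cost: int, baseline_rate: float) -> float:
    """Scale a cracking rate measured at baseline_cost to another cost.
    baseline_rate is an assumed figure the caller supplies from their own hardware."""
    return baseline_rate / relative_work(cost, baseline_cost)


# Constructed sample dump: three bcrypt records, one bare hex digest, one
# unrecognised format. None of these strings came from any real breach.
SAMPLE_DUMP = """\
# constructed sample, user:hash
alice:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$2a$10$0123456789ABCDEFGHIJKLmnopqrstuvwxyz./0123456789abcde
carol:$2y$10$zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIH98765432
dave:0123456789abcdef0123456789abcdef
erin:{SSHA}notparsedhere
"""

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarize(recs))
    # Assumed baseline: 1000 guesses/s at cost 10 on some test rig.
    for cost in (10, 12, 14):
        print(f"cost {cost}: ~{guesses_per_second(cost, 10, 1000.0):.1f} guesses/s")
```

The cost arithmetic is the practical takeaway: a dump hashed at cost 12 costs an attacker four times the compute per guess of one at cost 10, and sixteen times that of cost 8, whereas a bare MD5 or SHA-1 digest can be tested billions of times per second on commodity GPUs. The triage only reads the format, so it never needs the plaintexts or a bcrypt library, and it runs safely on a file you must treat as sensitive.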
This isn’t the first time Yahoo has suffered a significant and embarrassing breach, but it is the biggest. In 2012, more than 400,000 passwords were stolen after Yahoo Voice was attacked. Two years is an unusually long time to identify an intrusion, yet both incidents took that long to uncover. According to the Ponemon Institute, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.
Security experts say the breach could bring about class-action lawsuits, in addition to other costs. A report by Ponemon found that the cost of remediating a data breach is $221 per stolen record. Multiplied across 500 million records, that would far exceed Yahoo’s $4.8 billion sale price. It will be interesting to see what happens with its sale to Verizon.