Yahoo hack raises cyber attack fears

Yahoo's Singapore office in Anson Road. The US Internet firm learnt of the data breach in July this year but did not say why it informed the public of the hacking only on Thursday. The incident involves stolen data from at least 500 million user acco
Yahoo's Singapore office in Anson Road. The US Internet firm learnt of the data breach in July this year but did not say why it informed the public of the hacking only on Thursday. The incident involves stolen data from at least 500 million user accounts, beginning in 2014.ST PHOTO: DESMOND WEE

'State-sponsored' hackers stole data from 500 million users in massive breach: US firm

Internet firm Yahoo has revealed that "state-sponsored" hackers had stolen data from at least 500 million user accounts, in what is now the largest data breach in history.

Though immediate concerns centre on how the breach, which began in 2014, will impact the US$4.8 billion (S$6.5 billion) buyout of Yahoo by telecommunications giant Verizon, it is also raising concerns about such cyber attacks against US entities.

Yahoo's announcement on Thursday came on the same day that hackers uploaded a cache of e-mail messages from a Democratic Party operative which contained detailed schedules of US Vice-President Joe Biden, First Lady Michelle Obama and party presidential nominee Hillary Clinton.

The hackers even claimed to have a copy of Mrs Obama's passport, though the authenticity of the image has not been verified.

The e-mail messages were stolen from the Gmail account of party operative Ian Mellul and uploaded to DCLeaks.com - the same place where stolen e-mail from former US secretary of state Colin Powell had surfaced last week.

All of this comes at a time when there is growing suspicion that hackers sponsored by the Russian government are attempting to interfere with the US presidential election.

  • What to do if you have a Yahoo account

  • Yahoo is encouraging its users to take the following precautions in the light of the data breach:

    • Change your password, security questions and answers. If you used the same information in other accounts, change those too.

    • Review your accounts for suspicious activity.

    • Be cautious of any unsolicited communications that ask for your personal information or refer you to a Web page asking for such information.

    • Avoid clicking on links or downloading attachments from suspicious e-mails.

    • Turn on Yahoo's two-factor authentication tool, Yahoo Account Key, which will eliminate the need to key in a password. It will send a confirmation to your mobile phone each time you try to access your account.

On Thursday, top Democrats in Congress - Senate Intelligence Committee vice-chairman Dianne Feinstein and ranking House Intelligence Committee member Adam Schiff - issued a statement saying they were convinced Moscow is making a "serious and concerted effort" to influence the election.

"At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election - we can see no other rationale for the behaviour of the Russians," they said, adding that the orders could have come only from the very senior levels of the Russian government.

Russians have been suspected of recent cyber attacks on the Democratic National Committee.

Yahoo did not say which country was responsible for the breach. But a person familiar with the matter said Yahoo learnt of the incident in July this year, the same month it announced its deal with Verizon.

In a statement, Verizon said it was notified of the incident earlier this week. "We will evaluate as the investigation continues," it said.

According to tech news website Recode - which first reported the breach - signs of the hack emerged last month. A notorious hacker, who goes by the name "Peace", claimed he was selling information on 200 million Yahoo users for just over US$1,800 on the dark Web.

Yahoo did not say why it informed the public of the hacking only on Thursday, but such investigations usually take weeks or longer. Its chief information security officer Bob Lord said the information stolen included names, e-mail addresses, telephone numbers, dates of birth, passwords and security questions.

But it said it did not believe any bank account information had been compromised.

The company is urging users who might be affected to change passwords and to be wary of unsolicited e-mail asking for information.

Mr Lord added that Yahoo is working with law enforcement on the matter.

US lawmakers have criticised the firm for not disclosing the breach earlier. Senator Mark Warner, who used to work in the technology sector, said: "While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today."

A version of this article appeared in the print edition of The Straits Times on September 24, 2016, with the headline 'Yahoo hack raises cyber attack fears'. Print Edition | Subscribe