WASHINGTON (BLOOMBERG) - Yahoo's data theft - involving about half the company's 1 billion users - is no joke. Yahoo on Thursday confirmed the breach was far bigger than first thought, and the FBI has confirmed it is investigating the attack, the BBC reported.
This incident sets a new bar for massive leaks of account information.
The break-in, which Yahoo attributed to a state-sponsored actor, presents a serious problem for users, because the data the hackers got isn't just a partial look at people's profiles. The cyber-thieves stole account details including user names, scrambled passwords, birth dates, security questions and other personal information, but apparently not payment card and other financial data.
Hackers may have accessed millions of Yahoo accounts for years undetected. Security expert Troy Hunt believes the data might have been out there for about two years, according to the BBC. However, Hunt believes users should not be overly concerned, as the political motivations of the hackers might mean they are looking for specific individuals. While Yahoo stressed that the passwords were encrypted, the re-use of passwords across the internet and the thriving sale of hacked databases on the black market mean that hackers may easily connect the dots to many other accounts.
Here's what to do if you're one of the unlucky Yahoo users whose account was compromised:
Yahoo says it is alerting affected users and asking them to change their passwords, especially if they had not done so since 2014. Even if you're not notified, you should do this anyway. The reason: Companies generally only report information that they can prove was taken from them. And it's trivial for hackers to cover their tracks. So even if digital forensics investigators strongly suspect or believe that certain data was accessed or taken, if it's not verified, it may never be reported.
This is a good opportunity for Yahoo users to turn on log-in verification, which sends a text-message alert or phone call when someone tries to access your account from an unrecognised computer. This is a wonderful feature that all major internet companies now offer.
Now is also a good time for users to try novel authentication services such as Yahoo's Account Key, which links the Yahoo mobile app to your phone to prevent anyone from logging in without having access to that device. Tech companies are increasingly rolling out useful authentication services that reside on smartphones and add extra layers of log-in security - Google has Google Authenticator, and there's another app from Duo Security called Duo Mobile, both of which generate one-time log-in codes that exist only on your phone and the company's servers.
Top 10 previous breaches
MySpace accounts - 359m
LinkedIn accounts - 164m
Adobe accounts - 152m
Badoo accounts - 112m
VK accounts - 93m
Dropbox accounts - 68m
tumblr accounts - 65m
iMesh accounts - 49m
Fling accounts - 40m
Last.fm accounts - 37m
Questions still remain. Why did Yahoo not know it had been attacked until a journalist told them? Why did it take so long for them to confirm the hack and its scale? Why did it take them so long to tell users and prompt them to protect themselves?
Verizon, which has agreed to buy Yahoo, told the BBC it had learned of the hack "within the last two days" and said it had "limited information".
The company added: "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.
"Until then, we are not in position to further comment."
Yahoo said in a statement: "Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry."
Questions are also being asked about the length of time it took Yahoo to fully acknowledge the breach.
"It is really worrying that a breach from 2014 can have gone undetected for so long," Prof Alan Woodward of the University of Surrey told the BBC.
"It is also surprising the public statement took so long to appear.
"I would have thought most companies had learned by now that early disclosure is better, even if you have to revise and update as you learn more.
"I can understand a few days' delay to confirm the breach is genuine, as fake data dumps are increasingly common, but six weeks seems rather too long."