Yahoo! has confirmed a major data breach of its systems, with the number of users affected standing at 500 million.
The breach, which reportedly happened back in 2014, has been branded as the largest publicly-disclosed data breach in history.
The company said in a statement, “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
While the leak contained no high-value payment data such as credit card numbers, it did include the security questions and answers users had set. Because people tend to set the same questions and answers on many websites, exposed answers can be used to pass account-recovery checks elsewhere.
A former Yahoo employee has told Reuters that this data was, "deliberately left unencrypted, which allowed Yahoo! to catch fake accounts more easily because fake accounts tended to reuse questions and answers."
Gavin Millard, EMEA technical director, Tenable Network Security told SCMagazineUK.com, "One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother's maiden name, first car, and first pet, which could lead to further exploitation and account misuse."
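The tension the former employee describes, spotting answers reused across fake accounts versus keeping the answers unreadable in a stolen table, does not require plaintext. The following is an added example, not Yahoo!'s code and not from anyone quoted on this page: each answer is stored as a per-user salted slow hash for verification and, separately, as a keyed HMAC "blind index" over the normalised answer, so identical answers collide and can be counted across accounts while the table alone reveals nothing without the key. The key name INDEX_KEY, the normalisation rules, the reuse threshold and the sample accounts are all assumptions made for the example.

```python
"""Added example (not Yahoo!'s code): store security-question answers so that a
database dump does not expose them, while fraud teams can still detect answers
reused across many accounts.

Two derived values per answer, neither of which is the plaintext:
  * a per-user salted scrypt hash, used only to verify the answer at login;
  * a keyed HMAC blind index over the normalised answer, keyed with a secret kept
    in the application tier (an HSM/KMS in practice), so equal answers collide and
    can be counted, but a stolen table cannot be reversed without the key.
All accounts and answers below are constructed sample input.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumption: in production this key lives outside the database (KMS/HSM) and is
# never in the same dump as the table; it is generated here only so the example
# runs offline.
INDEX_KEY = secrets.token_bytes(32)


def normalize(answer: str) -> str:
    """Canonicalise so 'Fluffy ' and 'fluffy' compare equal (NFKC, casefold, squeeze spaces)."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user salted slow hash for verification only; never used for cross-account matching."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)


def blind_index(answer: str) -> str:
    """Deterministic keyed tag: equal normalised answers give equal tags, but only with INDEX_KEY."""
    return hmac.new(INDEX_KEY, normalize(answer).encode(), hashlib.sha256).hexdigest()


def enrol(user: str, question: str, answer: str) -> Dict[str, object]:
    """Build the row that would be persisted; note it contains no plaintext answer."""
    salt, digest = hash_answer(answer)
    return {"user": user, "question": question, "salt": salt, "digest": digest,
            "index": blind_index(answer)}


def reused_answers(rows: Iterable[Dict[str, object]], threshold: int) -> Set[str]:
    """Blind indexes shared by at least `threshold` distinct users (fake-account signal)."""
    seen = set()
    counts: Counter = Counter()
    for r in rows:
        key = (r["index"], r["user"])
        if key not in seen:
            seen.add(key)
            counts[r["index"]] += 1
    return {idx for idx, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample: three accounts reuse "fluffy" in different spellings, one does not.
    table = [
        enrol("alice", "first pet", "Fluffy"),
        enrol("bob", "first pet", " fluffy "),
        enrol("carol", "first pet", "FLUFFY"),
        enrol("dave", "first pet", "Rex"),
    ]
    flagged = reused_answers(table, threshold=3)
    print("rows sharing a reused answer:", [r["user"] for r in table if r["index"] in flagged])
    print("alice verifies with 'fluffy':", verify_answer("fluffy", table[0]["salt"], table[0]["digest"]))
```

The blind index is deliberately deterministic, so anyone who holds INDEX_KEY can still test a guessed answer against every row; that is why the key must be separated from the database and why answer checks should be rate-limited like password attempts. Normalisation is also what makes reuse detection work at all: without it the three spellings of "fluffy" above would look like three different answers.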
Yahoo! recommended that all users who had not changed their passwords since 2014 do so. On Thursday, security researcher Troy Hunt confirmed that Yahoo! had encouraged users to change their passwords but had not forced a reset.
No details have been released on how the breach was carried out; however, sources close to tech website Recode report that Yahoo! has not specified the exact vulnerability so as to avoid interfering with a government investigation.
The BBC confirmed the FBI is investigating, and legal action is also expected.
According to Reuters, three unnamed US intelligence officials said they believed the attack was state-sponsored because of similarities to previous hacks linked to Russian intelligence agencies.
Speaking to Reuters, Yahoo! said, "The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network."
Nikki Parker, vice-president of Covata, told SC by email: "Yahoo! is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can't shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem."
The breach follows the news back in August that a hacker going by the name of Peace was allegedly selling details of 200 million Yahoo! users.
The stolen data was said to include birth-dates, usernames, passwords and in some cases, details about email backups.
At the time, the company said it was aware of the release of data, but did not explicitly deny the authenticity of the rumours.
Commenting on the US$4.8 billion sale of Yahoo! to Verizon, Kevin Cunningham, president and founder at SailPoint, told SC: “Mergers are complicated endeavours, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base.
Cunningham concluded: "The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo!'s security controls. It's a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we've seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”
The breach is larger than others that made headlines this year, such as MySpace (359 million), LinkedIn (164 million) and Adobe (152 million).
The same advice applies to every major breach reported this year: change any password that has gone unchanged as soon as possible, pick something difficult to guess, and if possible use a password manager so that passwords are not reused across multiple websites.
Reminding of the problems with passwords, Ed Macnair, CEO of security company CensorNet told SC: “Whilst details of this hack are still yet to be confirmed, just the fact it is a possibility underlines a point that the cyber-security industry has been shouting, somewhat hoarsely now, for many years. Passwords are broken as a consumer and business access method because they have a huge value for miscreants, and are therefore an inevitably stolen prize. The way companies secure access to the vast caches of information they hold, especially in today's cloud application driven world, are also increasingly obsolete. Hackers know this and are using it to run rings around security teams at some of the largest companies on earth."
Peter Galvin, vice-president of strategy at Thales e-Security, argues that businesses need to be rethinking their data protection strategies in order to stop customer data falling into the wrong hands. Galvin told SC: “As data breaches of this scale continue to hit the headlines, it is critical that businesses change the way they think about data protection, and broaden their mind-set beyond the classic definition of what data is considered to be sensitive. It's never been more critical for businesses to extend robust encryption policies to cover all personally identifiable information of customers so that the data is rendered unreadable and worthless to those with malicious intent.”
David Gibson, VP of strategy and market development at Varonis told SC: “Hopefully Yahoo! will force password resets for all its users, even ones that it believes have not been affected. Dropbox learned this lesson the hard way. Users should also reset passwords for other accounts that share the same password as their Yahoo! account and consider using a password manager going forward.”