Yahoo has confirmed the mother of all data breaches — 500 million user accounts compromised back in late 2014 — and is laying blame on a “state-sponsored actor.”
The stolen data may have included names, email addresses, phone numbers, birthdays, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, Yahoo said in a press release Thursday. The company said it is notifying users who may have been affected.
Yahoo is encouraging all users to change their passwords, security questions and security answers for their Yahoo accounts and any other accounts for which they may have used the same information.
The confirmed hack has major business implications, as the $4.8 billion sale of Yahoo’s core internet business to technology giant Verizon is still pending. The new owners would be taking on substantial liability, which could change the terms of the transaction.
“It doesn’t appear Yahoo had hard enough defenses, and with a merger you have to worry about even more sensitive information being vulnerable,” Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, told CBS News. “When there’s more information that can be potentially there for the taking, it raises concerns about the adequacy of the security.”
In August, the tech website Motherboard reported that a hacker going by the moniker “Peace” was selling account information, including usernames, birthdays and scrambled passwords, for 200 million Yahoo users.
Yahoo did not confirm the breach or advise users to change their passwords until Thursday, nearly two months after that report.
Grant accused the company of dragging its feet in meeting its obligation to protect consumers.
“Consumers should not be reading in the news something Yahoo hasn’t told them,” Grant said. “They should be hearing this from Yahoo, not only that we had this problem – but also about what to do.”
Yahoo is subject to various laws in effect in 48 states that require companies to inform customers within specific periods of time if their data has been hacked. The company did not disclose when exactly the hack took place beyond “late 2014.”
Yahoo said it is working closely with law enforcement to investigate the hack. In a statement, the FBI confirmed it is investigating the breach.
“We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals,” the agency said.
In its statement confirming the hack, Yahoo seemed to be anticipating criticism, saying that an “increasingly connected world” goes hand in hand with “increasingly sophisticated threats.”
“Industry, government and users are constantly in the crosshairs of adversaries,” the company said.