Yahoo just announced that it was victim of a state-sponsored attack, and it is suspected that the hackers stole information of 500 million accounts.
The stolen information includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. It is important to note that the leaked passwords were not in plain text, but hashed, making it harder for attackers to directly access to the stolen accounts. However, Yahoo doesn’t offer much information about the algorithm used to encrypt the passwords. The company mentions that the vast majority use bcrypt, but it doesn’t specify what about the rest of them.
Yahoo has taken action to minimise the impact of this leak, notifying potentially affected users by email and asking them to reset their passwords, as well as invalidating all the unencrypted security questions and answers, so they are no longer valid to access an account.
The company also encourages to its users to follow these security recommendations:
– Change passwords and security questions and answers for any other account where similar information was used.
– Review other accounts for any suspicious activity.
– Be specially careful with unsolicited communications that ask for personal information or refer to another web.
– Do not click on links or download any attachment from suspicious emails.
The attack was performed back in 2014, and the company has mentioned on its statement that it is believed that this is an state-sponsored attack, although it does not specify from which state or hack group. It is suspected that attackers might use the leaked information to perform phishing attacks to try to gain access to other accounts from the same users (making the rule of not reusing passwords vital to reduce the risk).
This news arrives in a very critical moment for Yahoo, since the internet company is in the middle of a process of acquisition by Verizon, and this revelation might have an impact on its final value.