If you have ever created a Yahoo account, odds are good that some of your data was stolen by as-yet-unidentified hackers. New statements from Yahoo confirm that in 2013, information from as many as one billion users was taken from the company's network.
It's still not clear if hackers were able to recover user passwords, but the personal information that was stolen would be useful to anyone attempting to bypass typical login security measures.
This is the fourth major security issue that has rocked Yahoo since it announced in July 2016 that it was in talks to merge with U.S. wireless carrier Verizon. First it announced in September that data from 500 million user accounts was stolen, in what it described as a state-sponsored attack carried out in 2014.
Then in October, former Yahoo security personnel claimed in competing news reports that U.S. spying agencies had installed e-mail scanning software on the company's systems, with or without Yahoo's assistance. In November, the company confirmed that the 2014 hack also gave the attackers the ability to "forge" Yahoo's secure cookies (the small records a site stores in your browser so it can recognize you as already logged in when you return), allowing access to user accounts without actually having the password.
In the November statement Yahoo filed with the U.S. Securities and Exchange Commission, it said that the 2014 hack that affected 500 million users resulted in the looting of: "user account information taken included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
Yahoo's Chief Information Security Officer Bob Lord released a statement Wednesday that confirmed similar data was taken in 2013, a year earlier than the previously discussed hack.
As previous large-scale hacks have shown, the damage is unlikely to be limited to Yahoo accounts. There are many ways stolen data like this can be used against user accounts on other networks: e-mail addresses could be targeted for spear-phishing attacks (a form of social engineering in which hackers try to fool you into clicking a link that downloads malware onto your device); the security questions and answers, which were encrypted rather than hashed and in some cases not protected at all, could be used to attempt password resets on other services; and finally the hashed passwords could potentially be cracked.
While Yahoo seems confident that the hashing scheme it uses on stored passwords will render the stolen data useless to the hackers, there's reason to believe that won't always be true.
Earlier this year, some four years after an initial hack of LinkedIn in 2012 -- during which the company suspected some 60 million accounts were compromised -- a list of a further 112 million passwords and associated e-mail accounts was released. LinkedIn had been storing these passwords as SHA-1 hashes, but without salting them: a salt is a random value, different for each user, that is mixed into the password before it is hashed, so that two users with the same password get different hashes and an attacker cannot crack the whole dump with one precomputed table. Without salts, and with SHA-1 being a very fast function, those passwords were eventually cracked and released.
In 2012, LinkedIn did not make all users reset their passwords, only a much smaller subset it was sure had been hacked. But many Internet users use the same or similar passwords on multiple services, and the LinkedIn example shows many do not change all their passwords even if they hear about a particular service being hacked, leaving them vulnerable for years down the road.
Yahoo said it did not believe payment information was taken in the hack, and that its passwords were stored using bcrypt, an algorithm that salts each password and then applies a deliberately slow hash. But bcrypt is not unbreakable: it simply makes every guess expensive, so weak or common passwords can still be cracked, it just takes the cracking systems a lot more time.
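To make the difference between the LinkedIn and Yahoo storage schemes concrete, here is an added example (not code from the article or from either company) that simulates an attacker working through a small, constructed password dump stored three ways: unsalted SHA-1, salted SHA-1, and a salted slow hash. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 with a large iteration count stands in for bcrypt's work factor; the user names, passwords, wordlist and round count are all assumptions made for the demonstration.

```python
import hashlib
import os
import time

# Constructed toy "dump": three users and their plaintext passwords.
# Nothing here comes from the Yahoo or LinkedIn breaches.
USERS = {"alice": "password1", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
# A tiny attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]
# Assumed work factor for the slow hash (bcrypt's cost parameter plays this role).
ROUNDS = 20_000


def fast_hash(pw: str, salt: bytes) -> str:
    """SHA-1 over salt||password. salt=b'' is the unsalted LinkedIn-style case."""
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256, standing in for bcrypt: each guess costs ROUNDS iterations."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS).hex()


def store(passwords, hash_fn, salted):
    """Build the stored-credential table an attacker would steal."""
    records = []
    for user, pw in passwords.items():
        salt = os.urandom(16) if salted else b""
        records.append((user, salt, hash_fn(pw, salt)))
    return records


def crack_with_table(records, wordlist, hash_fn):
    """Unsalted case: hash the wordlist once, then look every record up in it.
    Cost is one hash per word no matter how many records were stolen."""
    table = {hash_fn(w, b""): w for w in wordlist}
    found = {user: table[h] for user, _, h in records if h in table}
    return found, len(wordlist)


def crack_per_record(records, wordlist, hash_fn):
    """Salted case: no shared table is possible, so the wordlist is re-hashed
    with each record's own salt. Cost grows with records x words."""
    found, calls = {}, 0
    for user, salt, h in records:
        for w in wordlist:
            calls += 1
            if hash_fn(w, salt) == h:
                found[user] = w
                break
    return found, calls


def compare():
    """Return {scheme: (cracked users, hash invocations, seconds)} for each scheme."""
    results = {}
    for name, hash_fn, salted, cracker in [
        ("sha1-unsalted", fast_hash, False, crack_with_table),
        ("sha1-salted", fast_hash, True, crack_per_record),
        ("slow-salted", slow_hash, True, crack_per_record),
    ]:
        records = store(USERS, hash_fn, salted)
        t0 = time.perf_counter()
        found, calls = cracker(records, WORDLIST, hash_fn)
        results[name] = (sorted(found), calls, time.perf_counter() - t0)
    return results


if __name__ == "__main__":
    for scheme, (cracked, calls, secs) in compare().items():
        print(f"{scheme:14s} cracked={cracked} hash_calls={calls} time={secs:.4f}s")
```

Running it shows the point the two paragraphs make: the two users with wordlist passwords fall under every scheme, while "carol", whose password is not in the list, survives all three. Salting removes the one-table-for-the-whole-dump shortcut, so the work multiplies by the number of stolen records, and the slow hash then multiplies every one of those guesses by the work factor. That is why Yahoo's bcrypt hashes buy time rather than immunity: a determined attacker with a good wordlist still recovers the weak passwords, just far more slowly than with LinkedIn's unsalted SHA-1.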
The website HaveIBeenPwned.com is a valuable resource for users in this age of megahacks. It was created by Troy Hunt, who has collected leaked records of almost two billion Internet accounts that have been potentially breached (or "pwned" in Internet parlance). Users can input their e-mail address to see if it has been connected to a hacked service -- for example, if they have one of the 359 million Myspace accounts that were hacked in 2008, or the 68 million or so hacked from Tumblr in 2013. Ironically, Yahoo bought Tumblr in 2013, but the image-blogging startup had a separate and weaker password hashing scheme than the one protecting the Yahoo data we now know was stolen around the same time.
But Hunt's site can't check if your Yahoo account has been breached, because he hasn't gotten his hands on the records yet and Yahoo has no duty to provide a list of every e-mail account it suspects might have been stolen. The company is sending out security notices, but all users should immediately reset their Yahoo passwords, and assume that any similar password used on another service is unsafe and should be changed as well.
In that November SEC statement the company hinted that this news was coming: "Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data."
While Lord can now confirm this was true, and at a massive scale, worryingly he wrote Wednesday: "We have not been able to identify the intrusion associated with this theft." So while Yahoo believes the 2013 and 2014 incidents were unrelated, it can't be sure. The company has also not yet reported back on what company insiders knew about the hacks in 2014 and what they did about them.
Whether this billion-account hack hurts Yahoo's valuation or affects its deal with Verizon remains to be seen, though there are already almost two dozen class-action lawsuits in the works representing angry users, and the costs associated with the investigation have already reached at least $1 million.