Confirmed: A hacker accessed records of more than 500 million Yahoo accounts

Following reports Thursday morning of a massive Yahoo security breach, the embattled internet giant confirmed the worst this afternoon: personal records associated with hundreds of millions of accounts had been compromised in one of the worst cybersecurity breaches this year. According to a statement on a Yahoo FAQ webpage, a “state-sponsored actor” scraped the names, email addresses, telephone numbers, dates of birth, and passwords associated with more than 500 million Yahoo accounts as recently as 2014.

Yahoo said there is no evidence the responsible party still had access to its network or internal services. Furthermore, it said not all accounts were compromised, and that some details, such as bank account numbers and credit card data, do not appear to have been targeted. But the company said that out of an abundance of caution, it had taken steps to inform affected users of the breach and invalidated unencrypted passwords and security questions. It also urged account holders who had not changed their passwords since 2014 to do so, and encouraged all Yahoo users to change their security questions and answers and review their accounts for “suspicious activity.”

Yahoo said that it was working with law enforcement and that an investigation of the breach was ongoing.

The Wall Street Journal, citing an unnamed source within the company, reported that Yahoo’s databases contained well north of one billion user accounts, and that passwords were protected with an encryption scheme — MD5 — that would have required the latest password-breaking techniques to compromise. In an FAQ published Thursday afternoon, Yahoo said that its hashing method, or one-way mathematical function responsible for obfuscating data, was chosen for its proven robustness against “password cracking” and reliability. “[It’s] a … mechanism that incorporates security features … including … multiple rounds of computation,” Yahoo said.

Rumors of a massive security breach emerged as early as August when a hacker, identified by the username Peace, offered to sell 200 million Yahoo usernames and passwords for $1,900 in online forums. The suspected cybercriminal is widely believed to have engineered the sale of stolen data from high-profile networks like LinkedIn and Myspace — reportedly to the collective tune of between $50,000 and $60,000 — and has been implicated in hacks of European social networking site VK, Fling, Dropbox, Tumblr, OK.ru, Twitter, and Facebook.

At the time, a Yahoo representative said the company was aware of the incident and was “working to determine the facts.”

It is not the first time Yahoo has suffered a large-scale security breach. In 2012, a group of unscrupulous programmers known as D33D Company managed to download 453,000 unencrypted usernames and passwords belonging to Yahoo Voices, a self-publishing service. Following the infiltration, Yahoo fixed the vulnerability that led to the breach, changed affected users’ passwords and dispatched notifications to companies with accounts that might have been compromised.

As of late, Yahoo has made strides in the area of security. Last year, as part of a separate effort to beef up the network’s broader security, the company deployed a service that automatically detects and notifies users when it suspects their account may have been targeted by a state-sponsored actor. It encouraged affected users to turn on Account Key, Yahoo’s passcode-free login service, activate two-step verification, choose a strong, unique password, and review recent activity in account settings.

Yahoo said that before Thursday’s breach, roughly 10,000 users had received an alert via the service.

It is unclear how Thursday’s disclosure will affect the $4.83-billion sale of Yahoo’s core assets to internet service provider and budding content mogul Verizon. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” a Verizon spokesperson said on Thursday.

As of publication, shares of Yahoo had fallen 0.3 percent to $44.02, while shares of Verizon had climbed one percent to $52.39.

The breach is yet another blemish on Yahoo President and CEO Marissa Mayer, who has struggled to turn the beleaguered Silicon Valley company around since its height in early 2000. Yahoo’s web properties, despite attracting more than 200 million U.S. monthly visitors in the past year, reported an 11 percent year-over-year decline in revenue during the company’s most recent earnings call. And Yahoo laid off 1,000 employees, or about 10 percent of its workforce, in the first quarter of 2016.

Analysts blame a failure to capitalize on mobile — and ballooning investments. In the first quarter of 2016, Yahoo made $250 million in revenue from smartphone and tablet users; Facebook, in contrast, made $4.5 billion in the fourth quarter of 2015. The company’s capital expenditures, driven by substantial investments such as streaming licenses for National Football League broadcasts and the purchase of shopping site Polyvore, climbed an average of 21 percent in 2015.

But Yahoo’s advertising business remains one of the web’s largest. This year, the company is expected to generate $2.83 billion in profit on a 1.5 percent share of the online market. Yahoo Japan, an Asian culture web portal that is the product of a joint venture between Yahoo and Japanese internet company SoftBank Group, has been appraised at nearly $9 billion. Yahoo’s other ventures, which include online publications like Yahoo Tech and Yahoo Finance, are worth an estimated $5 billion to $8 billion.

