You'll be hearing a lot about this in the next couple of days, that's for sure. On its investor relations page, Yahoo just announced that it suffered a major data breach back in 2014. As a matter of fact, if these statements are true, this would be the biggest data breach of all time.
At least 500 million user account credentials were stolen, including names, email addresses, telephone numbers, birthdays, even hashed passwords and some "encrypted or unencrypted security questions and answers." According to the same report, no banking data or credit card info was stolen. The worst part is that Yahoo believes this to be a state-sponsored attack. It has started notifying 'potentially affected users', and is advising everyone to change their passwords.
John Peterson, vice president & general manager of Comodo Enterprise, has warned users to stay vigilant, keep strong passwords and change them frequently.
“End users can help protect themselves by staying on top of their own password hygiene. They should use strong passwords - a combination of uppercase, lowercase and special characters - and make them longer than they’d like them to be. Also, everyone should be aware of what’s going on. If an organization that you interact with reports a breach, don’t wait to update your password. Do it immediately.”
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in a statement.
“Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.”
Intercede's CEO, Richard Parris, says there's nothing surprising about the breach.
“Given the numerous high profile data breaches already revealed this year, are we really surprised by the news from Yahoo? The real problem is not in the hack itself but in service providers like Yahoo relying on a fundamentally insecure, username and password based, user authentication. If a hack does happen, those details, and other identifying information, can be exposed and they are invariably used to access other services and defraud consumers.
In my view, we are fast reaching the point at which the industry will have to be compelled to take action. If the first duty of any government is to protect the public, establishing and protecting identity in a digital world ought to be high on the list of priorities. Solutions are available and it’s surely time we locked the stable door with secure authentication and identity management the digital horse has bolted.”