Yahoo has been the victim of a massive hack attack. The internet company has revealed that more than 500 million accounts have been compromised.
This couldn’t have come at a worse time for the company since Yahoo is in the process of being bought by Verizon. Yahoo representatives say that the act was carried out by a state-sponsored entity and it managed to steal information on over 500 million email addresses along with passwords and birth dates.
What should you do?
Change your password like right now.
It has been revealed that hackers were able to pilfer personal information related to at least 500 million Yahoo accounts.
This makes this attack the worst in the internet giant’s history.
However, here is the real kicker. The attack took place in 2014 and not in 2016. The only reason why Yahoo has come out with a statement now is that it has taken the company about two years to fully discover the extent of the attack.
Hackers were able to gain access to actual names, email addresses, birth dates, phone numbers and some security questions along with answers as well said Yahoo in a recently released press release.
It was announced that hackers also got hold of encrypted passwords. Encrypted passwords are basically jumbled up passwords which cannot be understood by any other person than the person who has the right passcode. Of course, hackers were able to bypass that protection tool as well.
As mentioned before, Yahoo is currently trying to complete its sale deal with Verizon and there have been no comments about whether this news will affect the sale process.
Yahoo also said that the company was working closely with law enforcement agencies and identified the attackers as a state-sponsored actor. The company did not reveal the identity of the country that is supposedly behind this colossal breach.
Yahoo, in its attempt to secure suspected compromised accounts, has advised all users to change their password as soon as possible if they have not changed their current password since 2014.
Back in June Yahoo told CNET that the company had about 1 billion monthly active users across all of the company’s internet services. Yahoo current has businesses spread across finance, online shopping, and fantasy football.
The company also said that it had about 225 million active email account users who logged in to the email service every month.
The extent of the damage, because of the attack, is still unknown but this latest episode of hackers gaining entry to sensitive information of over 500 million accounts puts further question marks over the susceptibility of passwords and how widespread hacking has become in the modern world where everything is connected to the internet in one way or another.
This has prompted cyber security experts to recommend consumers to use different passwords for different accounts. In other words, in order to stay as safe as possible, users should have a unique password for each of their online accounts.
While this may be a helpful tip, other cybersecurity professionals think that more people should work and back alternative approaches to passwords. Security features such as fingerprints and retina scans (essentially biometrics) are being put forward as possible replacements to the increasingly vulnerable passwords.
Brett McDowell, who is the executive director of the FIDO Alliance (a company that deals with the security features of password alternatives), said in a statement that cyber criminals knew that consumers used the same passwords across different websites and applications.
He also said that because consumers did not choose different passwords for different accounts, the millions of leaked password credentials were very useful for them to perpetuate fraud.
He further added that people who were in charge of the big internet companies needed to take that ability away from criminals and the only way to do that was to stop relying on passwords altogether.
On the other hand, the company that is paying $4.83 billion to acquire Yahoo, Verizon, said that Verizon was only informed of the situation (the 500 million account hack event) within the last couple of days.
Verizon, which is a telecommunications company, said in a statement that the company had limited information and understanding of the impact.
Verizon followed that by saying that the Verizon itself would evaluate, as the investigation continued, through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.
The industry is filled with rumors about how the massive breach could affect Yahoo and that the company might have to pay for with a lower buyout price in the Verizon deal.
However, B. Riley & Co. analyst Sameet Sinha, in an interview given to The Wall Street Journal said that the rupture caused by the hackers was unlikely to affect Yahoo’s deal with Verizon for the sale of its core businesses.
Moreover, Yahoo was also criticized by Mark Warner for not being able to discover the attack when it originally took place back in 2014.
Mark Warner who is a Virginia Senator and a member of the recently constituted Senate Cybersecurity Caucus, also said the while they had seen more and more data breaches in the private sector in recent years, many of them affected millions of consumers and that the seriousness of the breach at Yahoo was huge.
It was also revealed by Privacy Rights Clearinghouse, which is a nonprofit organization that deals with and records cybersecurity hacks, that the breach that took place on Yahoo services was actually the biggest breach in terms of scale that had ever been publicly acknowledged.
With that said, Yahoo has swiftly taken action to prevent any further damage because of the hack that took place in 2014 by revoking current security questions and answers.
Experts say that the real hazard is not from the stolen passwords themselves but from the hackers who could use those passwords on other websites.
Shuman Ghosemajumder, who was appointed as a product manager by Google for its click-fraud policy from 2003 to 2010 and is currently the CTO of Shape Security, said that they typically saw a 0.1 percent to 2 percent log-in success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most other websites.
Shuman’s view is also corroborated by the incident that involved Facebook co-founder Mark Zuckerberg where Zuckerberg’s Twitter account was hacked by cyber criminals who used similar techniques to acquire Mark’s password.
The hackers used the data from LinkedIn’s hack which comprised more than 100 million accounts.
According to Alertsec, which is a research firm, Yahoo will need several months at the very least to regain lost user trust.
Alertsec, which also provides encryption software for devices such as laptop, PC, and Mac, recently finished a research study which indicated that about 97 percent of the Americans lost faith in tech companies, such as Yahoo, after they learned about data hack events.
Ebba Blitz, who is the CEO at the company, said that when a company had allowed their customers’ data to fall into the hands of criminals, their resulting lack of trust was difficult to repair for the most part.
And this isn’t even the first time Yahoo has gone through such an ordeal as the company’s security systems were also “breached” on August 1 of this year when a hacker by the name of “peace” claimed to have hacked into 200 million Yahoo usernames and passwords from a breach that took place in 2012.
The hacker further continued his journey and tried to sell those usernames and passwords on the deep web. He also tried similar arrangements with MySpace and LinkedIn user accounts.
Sources who are familiar with the matter said that Peace’s pronouncements essentially persuaded Yahoo to launch an internal investigation into the company.
However, the internal investigation was unable to find any evidence that validated the hacker’s claims.
With that said, what Yahoo’s internal investigation found was even more frightening. The internal investigation found traces of a state-sponsored cyber attack that had resulted in over 500 million user accounts being compromised. That attack, as mentioned before, took place in 2014.
Jeremiah Grossman, who is a former Yahoo information security officer and currently is the chief of security strategy at SentinelOne, recently said that it was difficult for companies like Yahoo to protect its vast computer network against cybercriminal because there were so many ways a hacker could enter their systems.
He further added that it was unsurprising when breaches took place at a company like Yahoo.
But Yahoo’s 500 million user hack case is not the only event which suggests that user passwords are about as useful as a graverobber in a crematorium .
As mentioned before, back in May, another hacker had carved into more than 272 million accounts and had stolen the accounts’ credentials.
But instead of making money from it, he decided to trade those accounts to a cybersecurity company in exchange for adoration and approval.
The hacker hacked Russia’s largest email service, Mail.Ru and was able to gain access to a large number of passwords and usernames.
Just for clarity’s sake, the fact that the hacker was able to gain passwords and usernames of many email accounts does not mean that there was a large-scale breach of the email services themselves.
With that said, it couldn’t be denied that a large amount of data was transferred to the hacker’s stockpile.
Cyber security experts even then said that passwords were not the safest form of protection that was available to the consumers. Yahoo’s case just further illustrated that point.
Back then when this happened, cyber security professionals warned that hackers who tried to trade their hacked data for money or fame were not uncommon and basically the whole fiasco showed how vulnerable passwords were rather than the skill of the hacker.
The chief information officer at Hold Security Alex Holden, who is also a researcher and has done extensive work in the field of Eastern European hacking, said that the cybersecurity company was contacted by the hacker and the hacker then offered the hacked cache to the company for a mere $11.
After the initial offer was made, further negotiations changed the deal and the hacker gave up the information for plaudits and a hacking forum with a members-only area.
Holden, back then, said that the hacker didn’t value his data.
And just like Yahoo now, Mail.Ru back then said that the company was analyzing their data to determine the number of passwords there were connected to their relevant email accounts.
Mail.Ru also said in a statement that they had enough information to warn all the users whose data might have been affected.
Mail.Ru further added that Mail.Ru email service had worked hard to continuously improve the company’s security system.
To some, it seems baffling that Yahoo didn’t improve its own security system since when the breach happened to Mail.Ru, Yahoo said in a released statement that they had seen the reports and the company teams were reaching out to Hold Security to obtain the list of accounts.
Microsoft had this to say about the major Mail.Ru hack and the minor Gmail, Yahoo and Microsoft hack,
“Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these, or someone sends them to us, we act to protect customers.”
A representative of Microsoft further added, “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
Yahoo didn’t learn the lesson from Mail.Ru hack (and other hacks) and hence one could make the case that Yahoo paid for it by getting over 500 million of its accounts hacked.
But then again, the actual breach happened in 2014, so that raises further questions about why did it take Yahoo more than two years to announce the news.