Yahoo Says 1 Billion User Accounts Were Hacked – The New York Times
Will Donaldson, chief executive of the data security service nomx, said more problems with cloud data security were likely to surface.
By THE ASSOCIATED PRESS. Photo by Victor J. Blue/Bloomberg.
SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than one billion accounts.
The two attacks are the largest known security breaches of one company’s computer network.
The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.
It is unclear how many Yahoo users were affected by both attacks. The internet company has more than one billion active users, but it is not clear how many inactive accounts were hacked.
Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.
Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.
And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks — a mass mailing of unwanted messages — the following year.
“What’s most troubling is that this occurred so long ago, in August 2013, and no one spotted any indication of a breach occurring until law enforcement came forward,” said Jay Kaplan, the chief executive of Synack, a security company. “Yahoo has a long way to go to catch up to these threats.”
Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.
Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.
In July, Yahoo agreed to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.
After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.
“As we’ve said all along, we will evaluate the situation as Yahoo proceeds with its investigation,” he said. “We will review the influence of this fresh development before reaching any final conclusions.”