Yahoo has blamed state-sponsored hackers for stealing information from at least 500 million user accounts, reports the Wall Street Journal. The breach was carried out in 2014 and includes data such as names, email addresses, dates of birth, telephone numbers and encrypted passwords of Yahoo customers.
More importantly, the company also says that encrypted and unencrypted security questions and answers were leaked. These give attackers commonly reused personal details, such as pet names, that can be used to break into the same users’ accounts on other services. By number of users compromised, this is the largest hack yet, although the data is not as sensitive as that exposed in, say, the US Office of Personnel Management hack, which compromised the records of 32 million current and former federal employees, including potential military enlistees.
Note that Yahoo has invalidated all the encrypted security questions and answers that were leaked, so they can’t be used to access a Yahoo account. But because users tend to reuse the same questions and answers on other services, the leak still puts them at risk there. The company also does not provide any information about how the hack was carried out.
Verizon deal in trouble?
Interestingly, Yahoo’s disclosure comes around the time it is finalizing its $4.8 billion acquisition by Verizon. According to a Fortune report, Verizon could claim a material breach over a data hack of this scale, arguing that the event has caused irreparable harm to Yahoo in terms of customer trust and usage, and back out of the deal.
Yahoo also likely knew about the hack earlier: in August, Motherboard reported a hacker advertising 200 million Yahoo accounts on the dark web. Yahoo said it was aware of the listing but neither confirmed nor denied the legitimacy of the data. It’s not clear whether these 200 million accounts were part of the same breach that exposed 500 million users’ data. At the time, the hacker said the data was from “2012 most likely”.
Notable claims of state-sponsored hacking:
– In December last year, Twitter warned some of its users that they may be targets of state-sponsored attacks and that hackers were trying to obtain sensitive data from their accounts.
– In October the same year, Facebook also warned users of state-sponsored attacks, mentioning that it would notify users if it believed accounts were targeted or compromised by an attacker suspected of working on behalf of a nation-state.
– Google had given a similar warning to users that there might be state-sponsored hackers compromising accounts way back in 2012.
– The most famous state-sponsored hack is likely the Stuxnet worm from 2010, which wreaked physical destruction on computer-controlled equipment at Iran’s nuclear power plant, stalling the country’s nuclear program.