Yahoo Says Information on at Least 500 Million User Accounts Is Stolen--3rd Update
September 22 2016 - 4:02PM
Dow Jones News
By Anne Steele and Robert McMillan
Yahoo Inc. on Thursday disclosed a massive security breach by a
"state-sponsored actor" affecting at least 500 million users, the
latest hurdle for the beaten-down internet company as it works
through the sale of its core business.
Yahoo said a copy of certain user account information --
including names, email addresses, telephone numbers, dates of
birth, hashed passwords and, in some cases, encrypted or
unencrypted security questions and answers -- was stolen from the
company's network in late 2014 by what it believes is a
state-sponsored actor.
Yahoo said it is notifying potentially affected users and has
taken steps to secure their accounts by invalidating unencrypted
security questions and answers so that they cannot be used to
access an account and asking potentially affected users to change
their passwords.
Yahoo recommended users who haven't changed their passwords
since 2014 do so. It also encouraged users change their password as
well as security questions and answers for any other accounts on
which they use the same or similar information used for their Yahoo
account.
The company, which is working with law enforcement, said the
continuing investigation indicates that stolen information didn't
include unprotected passwords, payment-card data or bank account
information.
With 500 million user accounts affected, this is the
largest-ever publicly disclosed data breach, according to Paul
Stephens, director of policy and advocacy with Privacy Rights
Clearing House, a not-for-profit group that compiles information on
data breaches.
No evidence has been found to suggest the state-sponsored actor
is currently in Yahoo's network, and Yahoo didn't name the country
it suspected was involved. In August, a hacker named "Peace"
appeared in online forums, offering to sell 200 million of the
company's usernames and passwords for about $1,900 in total. Peace
had previously sold data taken from breaches at Myspace and
LinkedIn Corp.
A Yahoo spokesman said at the time that the company was aware of
the claim and was "working to determine the facts."
In 2012, Yahoo had more than 1 billion user accounts in its
databases. User passwords were protected via a cryptographic
algorithm called MD5 which can be cracked using the latest
password-breaking techniques, said a source familiar with the
situation.
The company in 2012 dealt with a data breach that allowed a
hacker group to download 453,000 unencrypted usernames and
passwords.
Last year, Yahoo launched a program to detect and notify users
when it strongly suspects that a state-sponsored actor has targeted
an account. Not including the current investigation, roughly 10,000
users have been notified.
Verizon Communications Inc. in July agreed to buy Yahoo's Web
assets for $4.83 billion in cash, ending a drawn-out process of
trying to split the beleaguered internet company from its lucrative
stake in Alibaba Group Holding Ltd.
The price, which includes Yahoo's core internet business and
some real estate, capped a remarkable fall for the Silicon Valley
web pioneer that had a market capitalization of more than $125
billion at the height of the dot-com boom in early 2000.
Verizon on Thursday said it was notified of Yahoo's security
incident within the last two days but has "limited information and
understanding of the impact."
"We will evaluate as the investigation continues through the
lens of overall Verizon interests, including consumers, customers,
shareholders and related communities," Verizon said.
B. Riley & Co. analyst Sameet Sinha said the breach is
unlikely to affect terms of the Verizon deal.
"Data breaches have become part of doing business now," he said,
adding that LinkedIn still fetched a "nice" premium in June,
getting a $26.2 billion buyout deal from Microsoft Corp., following
the May disclosure that it had underestimated the broad impact of
its 2012 data breach.
Yahoo and Verizon will need to "provide extensive communications
and help to consumers to make sure passwords are changed quickly
and of course bolster their security," said Mr. Sinha.
Data breaches are on the rise in the U.S., affecting companies
from Target Corp. to Verizon Enterprise Solutions and putting
millions of users' information at risk. National nonprofit Identity
Theft Resource Center reported 687 breaches exposing roughly 28.8
million records through Tuesday this year. The Federal Bureau of
Investigation and cybersecurity experts say they are seeing a
notable increase in ransomware, but there appears to be no single
cause for the increase.
Shares of Yahoo fell 0.3% to $44.02 in afternoon trading, while
shares of Verizon added 1% to $52.39.
Write to Anne Steele at Anne.Steele@wsj.com and Robert McMillan
at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
September 22, 2016 15:47 ET (19:47 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.
Altaba (NASDAQ:AABA)
Historical Stock Chart
From Mar 2024 to Apr 2024
Altaba (NASDAQ:AABA)
Historical Stock Chart
From Apr 2023 to Apr 2024