We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
That’s a big hack.
I’m amazed there’s still 500 million Yahoo accounts.
Was…
My first thought was: “does that company still exist?”
My initial thoughts as well, but then I figured most of those accounts were created back when Yahoo was popular – possibly all the way back to the days most people would think of Yahoo instead of Google when they wanted to do a web search – maybe even before Gmail came into existence.
Probably not. Since that era, Yahoo has purged abandoned account names a couple of times. Any account that hadn’t been used in a while was erased, the name being made available to new users.
I didn’t imply the accounts were unused, just that they were created a long time ago when Yahoo was more of a household name for internet services. I know quite a few people who have long-running active Yahoo Mail accounts.
Edited 2016-09-23 22:48 UTC
gan17,
My wife had Yahoo mail for regular use until Yahoo locked the account saying it was compromised. Yahoo’s tech support refused to help her get back in; she lost everything. I think this was around 2014 when this breach is said to have occurred… coincidence?
Maybe the hackers would have been more helpful than Yahoo tech support! Haha.
We also had a number of issues with our Yahoo mail accounts back in 2014. Although I never was locked out because of a “compromised” status, it occurred to my spouse a couple of times and it was a real pain to get things back in order after.
A couple of things surprise me:
– It took the Yahoo security team nearly two years to find that their user account sub-system had been breached?
– Why do a campaign of changing passwords and security questions now, targeting only the holders of accounts which had been breached? Why not a general campaign, and before the existence of the breach was disclosed?
– With at least 500 million accounts said to be breached – that probably means that it was the entire user base of Yahoo.
BT’s domestic broadband email service is outsourced to Yahoo.
https://signin1.bt.com/login/emailloginform
Got to be a not insignificant number of accounts there.
I think they handle it for AT&T, also.
At least, they did for SBC, which eventually became AT&T’s DSL service after being acquired.
I need a Yahoo account for Flickr only.
Well, I use Yahoo for email and tracking stocks and I have to say it’s a little bit better than Google, so not surprised many people continue to use their services.
I have been using Yahoo as my primary mail account for almost two decades and the only reason I am still using it is because I do not want to change the e-mail address.
Since Marissa Mayer has been at the helm it has really gone from bad to worse. Technical competence seems to hit rock bottom there and when it comes to content creation, all she has come up with is billion dollar acquisitions, only to run them into the ground soon afterwards.
Mine is my backup account, but admittedly, I like the interfaces better than Google’s.
I’d bet I have an account in there. The ONLY reason I still have a Yahoo account is that I’m involved with a couple of niche communities that only exist on Yahoo Groups.
Fortunately, the password will be unique to Yahoo, and has been changed recently anyway. I’m a little more concerned about the news that security questions and answers may have been compromised. Since you have to pick from a canned list on so many sites, and since there are so many questions that don’t apply or that I don’t know the answer to (How would I remember my 2nd grade teacher’s name?), whatever I had on Yahoo is also probably used as a security question on other sites.
Would be nice if you could decline to answer security questions. My passwords are now all highly secure and unique, but it seems like the mandatory security questions are a vulnerability. Maybe I’ll have to start answering them with unique random strings of garbage and just keep them in a password manager?
signals,
Indeed, I treat them like another password field. Answering this information truthfully is exactly how most of the celebrity accounts have been compromised.
This video of people giving their passwords freely to a camera crew is enlightening:
https://www.youtube.com/watch?v=opRMrEfAIiI
I’ll give you 3 guesses on who the “state” is referring to, in the words “state sponsored”.