Yahoo has been forced to confirm that a 2014 data breach, originally believed to have compromised the personal details of over 200 million users, was much worse than first thought; in fact 500 million accounts have been affected.
The hack, which is the largest publicly disclosed cyber-breach in history, has also raised serious concerns about why it has taken so long for the company to fess up.
The issue first emerged in August, when the company said it was taking “very seriously” a claim that user details had been put up for sale on the dark web. But then it all went quiet until yesterday (Thursday) when speculation emerged that the search giant would come clean about the breach, which actually occurred in late 2014.
The timing is hardly ideal, given that Yahoo is in the final stages of the $4.8bn (£3.7bn) sale of its core business to Verizon, which was announced in July.
Bizarrely, Verizon said it had not been told until a couple of days ago and many observers believe the admission could well jeopardise the deal. While one expert described it as the “straw that broke the camel’s back”, another said: “Let’s hope the ink is dry on the contract.”
The hack, which exposed names, passwords, email addresses, phone numbers and security questions, is believed to have been carried out by a state-sponsored hacking group, although this has yet to be confirmed. However, Yahoo insists that credit card and bank details were not included in the stolen data.
In a statement, the company said: “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
It has started to notify users who may have been affected and says that anyone who has not changed their Yahoo passwords since 2014 should do so immediately. The company has also invalidated affected users’ security questions so that they can’t be used to access accounts.
The firm added: “Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.”
Corey Williams, from identity management software company Centrify, told The Guardian: “Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back.”