Yahoo announced Thursday that the account information for at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.
In a statement, Yahoo said user information – including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions – was compromised in 2014 by what it believed was a “state-sponsored actor.” It did not name the country involved.
The company said that it was working with law enforcement officials and that it was invalidating existing security questions and asking users to change their passwords. Yahoo also encouraged people to review other online accounts for suspicious activity, change passwords and security questions on those accounts, and watch out for suspicious emails.
Verizon Communications is moving forward with a $4.8 billion acquisition of Yahoo, which was announced in July. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.
In a statement Thursday, a Verizon spokesman, Bob Varettoni, said the company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”
Yahoo said it learned of the data breach this summer after hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data. A Yahoo team investigated the data and was unable to confirm that the stolen data had originated from a breach at Yahoo. But in investigating the security of its systems, the company discovered that there was another breach, by what it believes was a state-sponsored actor, that dated back to 2014.
Security experts say the breach could have major consequences.
“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”
A potential breach of Yahoo’s systems was first reported by the tech news site Recode early Thursday.
The first public sign of a breach appeared in June, when a Russian hacker who goes by the user name “Tessa88” started mentioning, in underground web forums, a new trove of stolen Yahoo data, Holden said. In July, Tessa88 supplied a sample of the stolen collection for authentication by other people who share information on the so-called underground web.
The sample contained valid Yahoo user accounts, but it was unclear whether the data was from a breach of a third-party service or Yahoo itself, and it was not clear whether it came from a recent Yahoo breach or a previous breach in 2012, when the internet service acknowledged that more than 450,000 user accounts were compromised.
Then, in August, a second hacker who goes by the alias “Peace of Mind” began offering a large collection of stolen Yahoo credentials – including user names, easily cracked passwords, birth dates, ZIP codes and email addresses – on a site called TheRealDeal, where hackers can buy and sell stolen data, Holden said.
TheRealDeal uses Tor, the anonymity software, and bitcoin, the digital currency, to hide the identities of the buyers, sellers and administrators who trade attack methods and stolen data there.
After looking into that data, Yahoo did not find evidence that the stolen credentials came from its own systems. But it did find evidence of a far more serious breach of its systems, dating back two years.
Such state-sponsored attacks on U.S. technology companies, Yahoo said in a statement, are becoming routine. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” it said.
Even so, two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.
Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the cost to remediate a data breach is $221 per stolen record. Added up across 500 million records, that would top Yahoo’s $4.8 billion sale price.