At least a half billion Yahoo user accounts have been compromised, the internet giant said Thursday, in what is likely the largest breach by cyber criminals in U.S. history.
The Yahoo breach, disclosed Thursday but dating to late 2014, is believed to be the work of a “state-sponsored actor,” Yahoo said. It’s also the latest hit to a beleaguered company that was once a darling of Silicon Valley.
The scope of the breach could be quite large in the Southeast, and in Georgia in particular. Yahoo took over management of email for many customers with bellsouth.net addresses years ago, after AT&T acquired Atlanta-based Bellsouth.
A Yahoo spokeswoman declined to comment on the breach beyond a company statement.
Yahoo said it is working with law enforcement to investigate the breach.
Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, told The Atlanta Journal-Constitution the breach of at least 500 million accounts ranks as the largest his organization has seen.
The stolen data includes users’ names, email addresses, telephone numbers, birth dates, hashed passwords, and the security questions — and answers — used to verify an account-holder’s identity.
Many consumers who transact with numerous merchants, email systems and other secure websites, use common user names and password combinations. It’s mainly out of convenience to jog foggy memories, but it can leave people vulnerable to security lapses.
Yahoo and security experts recommend that users change their passwords if they haven’t done so since 2014.
Stephens said consumers will also want to change any common passwords and security questions and answers they use on Yahoo and across other sites, as criminals may now have the wherewithal to hack sensitive data stored elsewhere.
“Any time something like an email account has been breached it is very, very troubling,” Stephens said. “We don’t realize how much information resides on the server of Yahoo [or other email providers].”
Sunnyvale, Calif.-based Yahoo said its investigation so far hasn’t found any evidence that information about users’ bank accounts or credit and debit cards were swiped. It said it has “no evidence” that the attacker is still in Yahoo’s network.
Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.
Word of the breach is not surprising given the hacker chatter surrounding the company, said Alex Heid, chief research officer at SecurityScorecard, real-time cybersecurity rating and risk monitoring platform. There have been numerous underground conversations surrounding the tech giant since late June, he said.
Stephens said it’s now clear “the information has been out there for quite some time.”
“It’s impossible to know what uses might have been made of this information to date,” he said.
Most consumers might not think there’s much in their Yahoo account that would be of use to hackers, which typically might only include only their email and Yahoo password. However that simple duo offers multiple users for ingenious hackers bent on extracting the maximum value from information, say experts.
According to a Gartner survey, 50 percent of users reuse their passwords across multiple platforms. Armed with an email address and Yahoo password, hackers might be able to gain access to multiple accounts.
Once hackers gain access to other accounts, they are able to assemble dossiers and include more information from multiple sources over time.
The attackers don’t only use that information to go after bank accounts and credit cards, but also less obvious and harder to track information that is still worth money on the black market, such as loyalty points, avatars and points from online games and stored value in coffee cards. Once accessed, all of these can be siphoned off, bundled and then resold.
News of the breach comes as Yahoo seeks to complete its $4.8. billion sale of its core Internet business to Verizon Communications.
Given the unsettled nature of Yahoo’s ownership, “regulators should be concerned with who will take responsibility for the response to this compromise. It can be easy for the ‘right thing to do’ to slip through the cracks in a multi-billion dollar transition,” said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm.
Yahoo CEO Marissa Meyer stands to earn as much as $44 million if she leaves the company as part of that deal.
The Associated Press contributed to this report.
Steps Yahoo account holders should take:
1. Change your Yahoo password
2. Change your security questions
3. Watch your credit report for unauthorized activity