According to a report by Re/Code, Yahoo is expected to soon announce a massive data breach of its service. Sources familiar with the matter claim that the hack exposed several hundred million user accounts, although they were unspecific about the extent of the incursion. They did, however, say that “it is widespread and serious”, and that government investigations and legal actions related to the breach are quite likely.
Yahoo hinted earlier this year that it was investigating a data breach in which hackers claimed to have access to 200 million user accounts, with one of them selling the accounts online. “It’s as bad as that”, noted one source. “Worse, really”. There is also speculation that Yahoo’s announcement may have larger implications for the $4.8 billion sale of its core business to Verizon.
Sources say that compromised data included user names, easily decrypted passwords and personal information like birth dates and other email addresses.
The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction. Representatives of Verizon and Yahoo started meeting recently to review the Yahoo business, so that the acquisition would run smoothly once complete.
But there’s nothing smooth about this hack, sources said. It became known in August, when an infamous cybercriminal named “Peace” claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. At the time, Yahoo said it was “aware of the claim,” but the company declined to say if it was legitimate and said that it was investigating the information.
Yahoo has yet to issue a call for a password reset to users, although sources say it may have to do so now.
Update: Yahoo has just confirmed the hack in an official press release on Tumblr:
We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.