JUST when we thought Yahoo could sink no lower, came the news last week of a massive data breach in which personal information was stolen from at least 500 million user accounts in 2014. As if the staggeringly huge number of people compromised wasn’t bad enough, it took Yahoo two years to detect the breach and to report it to its users.
In a “Notice of Data Breach” sent to Yahoo users, the company said the account information stolen may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” Yahoo said.
If you are a Yahoo account holder, you need to move swiftly.
“We are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification,” the company said. “We are recommending that all users who haven’t changed their passwords since 2014 do so.”
The company also encouraged all Yahoo users to follow these security recommendations:
1) Change your password and security questions and answers for any other accounts on which you use the same or similar credentials as the ones used for your Yahoo account. This means that if you have similarly named accounts on, say, Google, you’d better change your password and security questions and answers on those accounts as well, to prevent hackers from using the information they stole from Yahoo to break into your non-Yahoo accounts.
2) Review your accounts for suspicious activity.
3) Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
4) Avoid clicking on links or downloading attachments from suspicious e-mails. In fact, there could be an uptick in phishing e-mails that capitalize on the concern caused by Yahoo’s data breach. “The e-mail from Yahoo about this issue does not ask you to click on any links or contain attachments and does not request your personal information,” the company said in its security notice. “If an e-mail you receive about this issue prompts you to click on a link, download an attachment, or asks you for information, the e-mail was not sent by Yahoo and may be an attempt to steal your personal information.”
Additionally, the company suggested that users consider using Yahoo’s Account Key, an authentication tool that eliminates the need to use a password altogether by asking you to approve access on your smart phone.
A separate FAQ on the data breach said those who hacked into Yahoo’s system were state-sponsored, but it did not specify which government was involved. Security experts, however, suspect that Russian hackers were behind the largest known breach of user accounts.
Symantec, in its 2016 Internet Security Threat Report, said that more users were affected in this one incident than in all of last year.
Since the breach was announced, two lawsuits have been filed against Yahoo, both in California, alleging that it was negligent in securing users’ personal information. One of the complaints alleges that Yahoo took an “unusually long period of time” uncovering the breach, and that in the two years between the hack and its disclosure, people were at risk of identity theft.
News of the breach comes at a crucial time for the ailing internet pioneer, which agreed in July to sell its core business to telecommunications giant Verizon for $4.8 billion—much lower than the $45 billion that Microsoft was willing to pay for it in 2008.
While Yahoo said it learned about the breach in July, Verizon said it learned of the incident only “within the last two days” and would not say if it would push through with the purchase.
While analysts don’t expect the breach to scuttle the sale, Verizon, which will now have to take into account the damages Yahoo might have to pay to affected users as a result of lawsuits, could use it as leverage to lower its purchase price for Yahoo.
If Yahoo has to pay $10 per user in reparations, says Chris Bulger of the Boston-based financial consulting company Bulger Partners, this would come to $5 billion, more than the $4.8 billion Verizon was willing to pay before the breach was announced.
Chin Wong
Column archives at: http://www.chinwong.com