Businesses have been warned to up their security after tech giant Yahoo revealed it was subject to the second largest data breach ever reported.
Over 500 million accounts were compromised in the data breach, which happened in 2014, and the company is currently taking action to protect affected users.
Yahoo alerted users to the breach in a statement and recommended users update passwords and security questions.
As the full details of the breach are still emerging, here are four things to know.
1. Yahoo says it was performed by a “state-sponsored actor”
The breach occurred during 2014, and potential details first surfaced in August via a hacker known as “Peace”, who at the time claimed there were 200 million users’ credentials available. The hacker was attempting to sell them on data marketplace “The Real Deal”, reported Vice, but it is not confirmed whether that breach is linked to this one.
Yahoo has since revealed it believes the attacker to be a “state-sponsored actor,” and the company is “working closely with law enforcement on this matter”. It has told worried users it believes the attacker no longer has access to the company’s network.
Michael McKinnon, cyber security expert at Sense of Security, told SmartCompany cyber terrorism attacks are becoming more common.
“These big companies with millions of users, they have and always will be a target for these sorts of threats,” McKinnon says.
“It’s another example of a big company that has let us all down, and this just gives attackers extra leverage.”
2. Security questions were revealed
Yahoo has stated the data breached includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt)”.
However, security questions and their answers were stored unencrypted and were included in the stolen data, which is worrying news for everyone affected. Security questions are used to identify users during password recovery, and typically ask for things like the name of a first pet or your mother’s maiden name.
McKinnon says Yahoo users should definitely be concerned, as there is a “huge commonality” with security questions across different websites.
“Websites always ask the same questions, and these are things that are a part of your core online identity,” McKinnon says.
“They’re very difficult to change, and once they’re known it’s high value for hackers.”
Because people tend to give the same answers everywhere, a hacker holding this data could take over a victim’s accounts on other sites that use the same email address, simply by going through those sites’ password-recovery flows and supplying the leaked answers. Yahoo has said it is taking steps to protect users whose security questions were leaked, saying it is “invalidating unencrypted security questions and answers so they cannot be used to access an account”.
This only fixes Yahoo accounts. For other accounts, McKinnon says the best thing to do is to change your passwords and activate two-factor authentication. Two-factor authentication, offered by most major services, requires a second confirmation (typically a code sent to a mobile phone, or a separate email address) in addition to the password before a user can log in or change account settings.
Users with payment or bank details on file with Yahoo should not be worried, as the company has stated “the ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information”.
Stolen passwords are also unlikely to be cracked, thanks to the bcrypt hashing used by the company.
A “hashed” password means the company stores a one-way digest of the password rather than the password itself; companies almost never store passwords in plain text. Unlike encryption, hashing cannot be reversed with a key: an attacker holding the hashes has to guess candidate passwords, hash each one the same way, and compare the results.
bcrypt is a “much more complex” hashing method, says McKinnon, requiring significant computing power to crack: it uses a random salt per password and is deliberately slow, so each guess is expensive and cannot be reused across accounts.
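The following is an added example, not Yahoo’s code, illustrating the two points above: why a salted, deliberately slow password hash turns a stolen dump into a large cracking job where an unsalted fast hash does not, and why security-question answers should be stored the same way rather than unencrypted. bcrypt is not in Python’s standard library, so the example uses PBKDF2-HMAC-SHA256, which has the two properties that matter here (a per-user random salt and a tunable work factor). The wordlist, the victim accounts and the iteration count are constructed for the demonstration and are not from the breach.

```python
"""Added example (not Yahoo's code): fast unsalted hashing vs salted, slow
hashing under a dictionary attack, plus hashed storage of security answers.

PBKDF2-HMAC-SHA256 stands in for bcrypt (same salt + work-factor properties).
Wordlist, users and ITERATIONS are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon"]  # constructed
ITERATIONS = 20_000  # work factor for the demo; real deployments use far more


def fast_hash(secret: str) -> str:
    """Unsalted MD5: one-way, but cheap, and identical for every user with the same secret."""
    return hashlib.md5(secret.encode()).hexdigest()


def slow_hash(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Output encodes everything needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(secret: str, stored: str) -> bool:
    """There is no key that 'unscrambles' a hash: verifying means re-deriving it from the guess."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def normalize_answer(answer: str) -> str:
    """Security answers are normalised (case, whitespace) before hashing so 'Fluffy ' matches 'fluffy'."""
    return " ".join(answer.lower().split())


def crack_fast(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Unsalted dump: hash the wordlist once, then look every user up in the table."""
    table = {fast_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)  # hash operations performed: one per word, total


def crack_slow(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Salted dump: each (user, guess) pair must be re-derived; work = users x guesses x iterations."""
    recovered, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += ITERATIONS
            if verify_slow(w, stored):
                recovered[user] = w
                break
    return recovered, work


def build_dumps() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed 'breach': three users, two of whom picked a wordlist password."""
    users = {"alice": "sunshine", "bob": "Tr0ub4dor&3", "carol": "sunshine"}
    fast = {u: fast_hash(p) for u, p in users.items()}
    slow = {u: slow_hash(p) for u, p in users.items()}
    return fast, slow


if __name__ == "__main__":
    fast_dump, slow_dump = build_dumps()
    got, ops = crack_fast(fast_dump, WORDLIST)
    print("unsalted MD5  :", got, "hash ops:", ops)
    got, ops = crack_slow(slow_dump, WORDLIST)
    print("salted PBKDF2 :", got, "hash ops:", ops)
    # A security answer stored hashed cannot simply be read out of a dump.
    stored_answer = slow_hash(normalize_answer("  Fluffy "))
    print("answer verifies:", verify_slow(normalize_answer("fluffy"), stored_answer))
```

In the unsalted case alice and carol share one hash, so a single precomputed table cracks both with six hash operations in total; with the salted, iterated hash every user costs the full wordlist times the work factor, and the same password yields two unrelated hashes. Storing security answers through `normalize_answer` plus `slow_hash` gives them the same protection, which is what Yahoo’s “unencrypted security questions and answers” lacked.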
3. It’s unclear if it will affect the Verizon deal
Yahoo has been in negotiations with US telecommunications giant Verizon over a massive US$4.8 billion ($5 billion) deal, which was confirmed in July this year.
The data breach could mean bad news for the deal, but the anti-breach conditions of the purchase agreement suggest Verizon would not be able to back out, reports Fortune.
The deal could be called off if the breach has damaged customer trust in, or usage of, Yahoo, or if Yahoo knew about the breach while going ahead with the deal.
As the earliest reports of the breach surfaced in August, weeks after the merger was agreed, this seems unlikely. Verizon has said it will “evaluate as the investigation continues through the lens of overall Verizon interests” (a statement tweeted by Bob Varettoni, @bvar, on September 22, 2016).
4. It’s one of the largest security breaches ever
With more than 500 million accounts compromised, it is likely this security breach is one of the largest ever seen. McKinnon says a Russian data breach in 2014 allegedly contained over 1 billion passwords, but it “wasn’t taken very seriously”.
“I certainly think this is one of the largest ever,” McKinnon says.
In 2013, Adobe revealed that 150 million users’ data had been breached, up from the 38 million it initially claimed.
Earlier this year, social media site MySpace revealed that 427 million users’ records had been stolen and dumped online for anyone to access.
It is a timely reminder for users to update their passwords, and make them secure.
SmartCompany asked Yahoo how many Australian accounts were affected by the breach and was provided with this statement:
“We recently disclosed a theft of Yahoo user account information by what’s believed to be a state-sponsored actor. For those user accounts potentially at risk, we are notifying them and prompting them to take remedial action.
“We’re committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure. More information on our ongoing investigation and our efforts to secure our users will soon be available at https://yahoo.com/security-update.”