Yahoo has announced that it was the victim of a "state-sponsored" hack.
The hack, which actually occurred two years ago and is thought to be the largest internet theft on record, has resulted in the personal data and account data of at least half a billion users being stolen from its networks. While we already knew Yahoo was investigating a potential breach in August, this separate breach and the sheer number of accounts affected by it is new information, and so is the revelation that it was "state-sponsored".
The timing of this confirmation is interesting, because Yahoo is currently trying to sell most of its internet operations to the telecommunications giant Verizon, in a $4.8 billion deal first announced in July. Verizon said it was notified of the breach two days ago. Here's everything you need to know about the state-sponsored hack, including whether your account was affected.
Yahoo hack: What happened and when?
Yahoo said Thursday an investigation confirmed that information associated with 500 million user accounts was stolen from the company in late 2014 in a "state-sponsored" hack, and that users should take steps to protect themselves.
Yahoo hack: Which state hacked Yahoo?
Yahoo did not confirm which nation state it believes orchestrated the hack, though it found no evidence that the state-sponsored actor is currently in its network. The FBI announced it is aware of the hack and is investigating.
In a statement, the FBI said, "The compromise of public- and private-sector systems is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace."
Yahoo hack: Which Yahoo properties were affected?
Yahoo has 1 billion users around the globe. About 250 million use Yahoo Mail, while Flicker has 113 million, and several hundred million use Tumblr. About 81 million use Yahoo Finance, and tens of millions use Yahoo Fantasy Sports. Yahoo specifically said no Tumblr accounts were affected, but some Flickr accounts were, and in some cases, user’s Flickr and Yahoo IDs are linked, so it is now reaching out to those users.
Yahoo did not say where the affected users are located around the world, and it's unclear which Yahoo properties were breached. Yahoo is encouraging users to review their Yahoo accounts for suspicious activity and to change their password and security questions and answers. It is also recommending users do this for any other accounts - like Facebook - that use the same information.
Yahoo hack: What exactly was stolen?
Yahoo said personal and account information “like names, email addresses, telephone numbers, dates of birth, [encrypted] passwords... and, in some cases, encrypted or unencrypted security questions and answers” were breached in the hack. It appears banking information is safe.
Yahoo hack: Were you affected?
Yahoo is sending an email notice to users it believes may have been affected, and more information is available on its website. Still, Yahoo is asking potentially affected users to immediately change their password and security questions.
Yahoo hack: What should you do now?
- Check your email. Yahoo is notifying potentially affected users by email, so check to see if you received one of those notices.
- Review your account activity. Yahoo offers a Recent activity feature that shows the the times/locations of each sign-in to your account, which can help you determine if there's been unauthorized access. Here’s how to use it.
- Change your information. Immediately change your Yahoo account password as well as your Yahoo account security questions and answers - even if you don't think your data was stolen. Here's how to do it.
- Enable two-factor authentication. Two-factor requires you to have your smartphone handy when you log in to your Yahoo account, because it will send you a code via SMS, which you need to enter along with your password when trying to gain access to your Yahoo account. That means a hacker will need more than just your password to get access, too. Here’s how to do it.
- Alternatively, use Yahoo’s Account Key. This feature basically replaces written passwords with a smartphone app. It’s like an alternative to two-factor authentication. Here’s how to do it.
Want to know more?
Breaking and related news is available from Pocket-lint's Yahoo hub.