Experts warn that information in old and inactive accounts could still be used to exploit former users
Officials from Yahoo announced on Thursday that information from at least 500 million user accounts was stolen in 2014. The information includes names, addresses and dates of birth. In some cases encrypted and unencrypted information like security questions and answers was also stolen. This ranks as one of the largest single data breaches in history.
Adding to the shock over the size of the attack is the belief that the attack was perpetrated by a state-sponsored network for hackers. Yahoo revealed this suspicion in its announcement but has yet to identify a specific culprit. The FBI is currently investigating the breach but has declined to offer comment.
The attack was first detected in August when a user identified as “Peace” attempted to sell information harvested from the accounts on the dark web – a secretive online marketplace for illicit and illegal materials.
Around 1 billion people currently use some sort of Yahoo property on a monthly basis. The company is contacting affected users and offering advice for securing their various accounts. Unencrypted security questions and answers will need to be changed, along with passwords that have not been reset since 2014. The largest number of affected users rely on Yahoo mail, but users of Yahoo Finance and Yahoo Fantasy Sports should also take precautions.
This data breach comes at an inopportune time for Yahoo. Reeling from multiple quarters of stagnant growth, the internet giant is currently in negotiations to sell its core business properties to Verizon Wireless. The sale is valued at $4.8 billion. Experts have warned that with Yahoo in a state of flux it may be difficult for officials within the company to take full responsibility for responding to the data breach.
The breach itself is not expected to derail the sale. But if a large number of users elect to cancel their Yahoo accounts over security concerns it could lower the sale price. By some estimates, the price could drop $100 million to $200 million.
Users with older and inactive Yahoo accounts may be unconcerned by the breach. Experts warn, however, that there could be wide-ranging consequences. For instance, if the username and password used to log in to a Yahoo Mail account are the same credentials used to log in to other, non-Yahoo accounts, hackers may have unrestricted access to those accounts as well. This technique is called credential stuffing, and it has become extremely common in recent years.
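Credential stuffing leaves a recognisable trace on the receiving side: one source tries many different usernames, one or two attempts each, and most of them fail because the reused password is wrong for that site. The following detector is an added example, not code from the article or from Yahoo; the log format, the sample lines, the IP addresses and the thresholds (5 distinct users, 70% failures within a 5-minute window) are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example (not from the article). A sample login log is embedded below,
and the detector flags source IPs that attempt many *distinct* usernames with a
high failure rate inside a short window, which is the pattern produced by
replaying username/password pairs leaked from another site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
# 198.51.100.7 cycles through many accounts (stuffing pattern);
# 203.0.113.5 is one user mistyping their own password (not stuffing).
SAMPLE_LOG = """\
2016-09-22T10:00:01 198.51.100.7 alice FAIL
2016-09-22T10:00:02 198.51.100.7 bob FAIL
2016-09-22T10:00:02 198.51.100.7 carol FAIL
2016-09-22T10:00:03 198.51.100.7 dave OK
2016-09-22T10:00:03 198.51.100.7 erin FAIL
2016-09-22T10:00:04 198.51.100.7 frank FAIL
2016-09-22T10:00:05 198.51.100.7 grace FAIL
2016-09-22T10:00:06 198.51.100.7 heidi FAIL
2016-09-22T10:00:10 203.0.113.5 alice FAIL
2016-09-22T10:00:15 203.0.113.5 alice FAIL
2016-09-22T10:00:20 203.0.113.5 alice OK
2016-09-22T10:01:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, attempts, failures)} for suspicious IPs.

    An IP is flagged when some sliding time window of its login attempts
    contains at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts failed. The reported tuple is the
    qualifying window with the most distinct usernames.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # time-ordered so the window can slide
        start = 0
        for end in range(len(evs)):
            # drop events older than `window` relative to the newest event
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                stats = (len(users), len(win), fails)
                if ip not in flagged or stats[0] > flagged[ip][0]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, fails) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} usernames, {attempts} attempts, {fails} failures")
```

The single-account failures from 203.0.113.5 are deliberately not flagged: a legitimate user retyping a password hits one account repeatedly, whereas a stuffing run touches many accounts once or twice each. Tuning the thresholds against your own baseline traffic, and keying on distinct usernames rather than raw attempt count, is what keeps this rule from paging on ordinary typos. On the account-owner side, the mitigation the article implies is simply not reusing the Yahoo password elsewhere, and enabling a second factor on the accounts that support it.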
Once hackers have access to current accounts they begin assembling a profile of each user incorporating all available information. This profile is known as a “fullz”, and experts warn that profiles already exist for a large percentage of the US population. The data breach at Yahoo potentially exposes vast streams of data for cyber criminals to exploit.