South San Francisco, CA September 22, 2016
We are writing to inform you about a data security issue that may involve your Yahoo account information.
A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. We are closely coordinating with law enforcement on this matter and working diligently to protect you.
What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation found to be affected.
What We Are Doing
We are taking action to protect our users:
We are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
We invalidated unencrypted security questions and answers so they cannot be used to access an account.
We are recommending that all users who haven’t changed their passwords since 2014 do so.
We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
We are working closely with law enforcement on this matter.
Our investigation into this matter continues.
What You Can Do
We encourage you to follow these security recommendations:
Change your password and security questions for any other accounts on which you used the same or similar information used for your Yahoo account.
Review your accounts for suspicious activity.
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
Protecting your information is important to us and we work continuously to strengthen our defenses against the threats targeting our industry.
Chief Information Security Officer
CNN Money published the following today:
Yahoo (YHOO, Tech30) confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.
The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.
Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.
The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.
Yahoo is working with law enforcement to learn more about the breach.
“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”
A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn (LNKD, Tech30) and MySpace.
Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.
“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”
Re/code first reported Yahoo would confirm the data breach.
The data breach comes at a sensitive time for Yahoo.
Verizon (VZ, Tech30) agreed to buy Yahoo’s core properties for $4.83 billion in late July, just days before the hack was first reported. The deal is expected to close in the first quarter of 2017.
Verizon says it only learned of the breach this week.
“Within the last two days, we were notified of Yahoo’s security incident,” a spokesperson for Verizon said in a statement provided to CNNMoney.
“We understand Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.”
The mega-breach could create a headache for both companies, including damaging press, scrutiny from regulators and a user exodus, just as they’re working to close the deal and figure out the future of Yahoo.
— Sara Ashley O’Brien contributed to this report.
CNNMoney (New York)
First published September 22, 2016: 10:38 AM ET