Yahoo warns of breach affecting a billion user accounts

December 15, 2016 // 10:25 a.m.

Tags: #bob-lord #breach #data-breach #flickr #information-security #insecurity #security #state-sponsored #tumblr #vulnerability #yahoo

Search and advertising company Yahoo has coughed to another data breach, and this one may go down in the books as the biggest in history: The company believes over one billion user accounts have been affected.

In a security announcement made late last night, Yahoo warned its users that it had discovered evidence of a breach of its network dating back to August 2013, in which the attacker made off with personal data on more than one billion of its users. That data, Yahoo has admitted, may have included full names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords and, for a subset of accounts, security questions and answers, the latter, embarrassingly, not always encrypted. MD5 is a fast general-purpose hash rather than a purpose-built password hashing function, so digests lifted from a dump can be tested against wordlists at very high speed; the announcement does not say whether the hashes were salted. No payment card or bank account details were included, the company has claimed.
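To show why "MD5-hashed" is cold comfort for the users concerned, here is an added illustration (not Yahoo's code and not the article's) of what an attacker holds after a breach of a site that stores unsalted MD5 digests, and how cheaply those digests reverse against a wordlist. The "leaked dump", the wordlist and the email addresses are constructed for the example; whether Yahoo salted its hashes is not stated in the announcement, so the unsalted case is an assumption here. The second half shows the storage scheme a practitioner would expect instead: a random per-user salt plus a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 is used because it is in the standard library).

```python
"""Why a dump of unsalted MD5 password hashes is dangerous.

Added example, not code from the article or from Yahoo. LEAKED_DUMP and
WORDLIST are constructed for the illustration; the article says only
"MD5-hashed", so treating the digests as unsalted is an assumption.
"""
import hashlib
import hmac
import os

# Constructed sample of what an attacker holds after the breach:
# email -> hex MD5 digest of the password, no salt.
LEAKED_DUMP = {
    "alice@example.com": hashlib.md5(b"sunshine1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
    "dave@example.com": hashlib.md5(b"sunshine1").hexdigest(),
}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty"]


def crack_unsalted_md5(dump, wordlist):
    """Reverse every digest that appears in the wordlist.

    With no salt, identical passwords give identical digests, so one table of
    len(wordlist) MD5 computations is checked against every account at once:
    the attacker's cost does not grow with the number of users in the dump.
    Returns {email: recovered_password}.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[d] for email, d in dump.items() if d in table}


def store_password(password, iterations=200_000):
    """What a practitioner would expect instead of bare MD5: a random 16-byte
    salt per user and a slow KDF. Returns (salt, digest) for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Recompute under the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print("recovered from MD5 dump:", crack_unsalted_md5(LEAKED_DUMP, WORDLIST))
    s1, d1 = store_password("sunshine1")
    s2, d2 = store_password("sunshine1")
    # Same password, different stored digests: a precomputed table is useless.
    print("salted digests differ:", d1 != d2)
    print("verify ok:", verify_password("sunshine1", s1, d1))
```

Three of the four constructed accounts fall to a five-word list, and the two users who share a password are exposed together. With per-user salts the attacker has to run the slow KDF once per guess per user, which is the cost model password storage is supposed to impose.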

The revelation came after law enforcement provided Yahoo with database files claimed to have come from its own servers, retrieved during an investigation into the separate breach the company disclosed back in September. The company has stated that the two breaches occurred at separate times; more concerning is its admission that 'we have not been able to identify the intrusion associated with this theft', meaning there is no guarantee that the weakness the attacker exploited has been found, let alone closed.

During the same investigation, Yahoo discovered a vulnerability that allowed unauthorised third parties to forge Yahoo cookies and gain complete access to users' accounts without needing to know their passwords. This, the company has claimed, can be placed at the feet of the same 'state-sponsored actor' it previously blamed for the breach disclosed in September.
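The article does not say how Yahoo's cookies were constructed, so the following is an added illustration of the general failure class, not Yahoo's code: a session cookie whose contents the server trusts without an authenticity check can be minted for any account by someone who knows the format, while a cookie bound to a server-only key with an HMAC cannot. The cookie layout (`user:expiry`), the key value and the user names are assumptions made for the example.

```python
"""Forgeable session cookies versus cookies bound to a server secret.

Added example of the general weakness described in the article; it is not
Yahoo's code and the article does not describe Yahoo's cookie format. The
"user:expiry" layout, SERVER_KEY and the account names are assumptions.
"""
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-example-key-not-a-real-secret"  # assumption: server-side only


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Weak design: the cookie is just base64("user:expiry"). The server reads the
# user name straight out of it, so anyone who learns the layout can mint a
# cookie for any account without ever knowing the password.
def make_weak_cookie(user: str, ttl: int = 3600, now=None) -> str:
    now = int(time.time()) if now is None else now
    return b64(f"{user}:{now + ttl}".encode())


def check_weak_cookie(cookie: str, now=None):
    """Returns the user the cookie names, or None if expired or malformed."""
    now = int(time.time()) if now is None else now
    try:
        user, exp = unb64(cookie).decode().split(":", 1)
        return user if int(exp) > now else None
    except ValueError:
        return None


# Hardened design: the same payload plus an HMAC-SHA256 tag under SERVER_KEY.
# Without the key, an attacker cannot produce a tag the server will accept.
def make_signed_cookie(user: str, ttl: int = 3600, now=None) -> str:
    now = int(time.time()) if now is None else now
    payload = f"{user}:{now + ttl}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def check_signed_cookie(cookie: str, now=None):
    """Returns the user only if the tag verifies and the cookie is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = unb64(p64), unb64(t64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        user, exp = payload.decode().split(":", 1)
        return user if int(exp) > now else None
    except ValueError:
        return None


def attacker_forge(user: str, now=None):
    """The attacker's move: mint a cookie for a victim knowing only the layout.

    Against the weak scheme this is enough. Against the signed scheme the
    attacker does not hold SERVER_KEY, so the tag is computed under a guess.
    Returns (weak_forgery, signed_forgery).
    """
    now = int(time.time()) if now is None else now
    payload = f"{user}:{now + 3600}".encode()
    guessed_tag = hmac.new(b"attacker-guess", payload, hashlib.sha256).digest()
    return b64(payload), b64(payload) + "." + b64(guessed_tag)


if __name__ == "__main__":
    weak, signed = attacker_forge("victim@example.com")
    print("weak scheme accepts forgery as:", check_weak_cookie(weak))
    print("signed scheme accepts forgery as:", check_signed_cookie(signed))
    print("legitimate signed cookie as:", check_signed_cookie(make_signed_cookie("victim@example.com")))
```

The caveat a practitioner should keep in mind is that the HMAC only moves the trust onto the key: if the signing key (or the code and material used to derive cookies) is obtained by the attacker, signed cookies become forgeable too, and the only remedy is to rotate the key and invalidate every cookie issued under it, which is the kind of step Yahoo describes as invalidating forged cookies and hardening its systems.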

'We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account,' claimed Yahoo's chief information security officer Bob Lord in the breach announcement. 'With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorised access to user accounts.'

With more than one billion accounts affected, this latest breach at Yahoo dwarfs the already impressive 500 million accounts hit in September's announcement.