500 million accounts hit in Yahoo data breach

September 23, 2016 // 9:39 a.m.

Tags: #attack #bob-lord #breach #data-breach #flickr #hash #hashed #insecurity #passwords #security #state-sponsored #tumblr

Companies: #verizon #yahoo

Yahoo has confirmed the discovery of a major data breach which has seen the personal details of around 500 million users leaked to persons unknown, in what it claims was a 'state-sponsored' attack.

Acquired by Verizon earlier this year, Yahoo is one of the grandfathers of the modern internet and runs a variety of services ranging from its minority-share search portal to social networking Tumblr and photo-sharing service Flickr. Its most recent announcement, however, is most unwelcome: the discovery of an attack in 2014 which leaked the personal information of 500 million of its users, including usernames, email addresses, telephone numbers, security questions and answers, and hashed passwords.

'A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,' Yahoo's chief information security officer Bob Lord explained in a statement on the breach. 'The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.'
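The statement above draws a line between passwords stored as bcrypt hashes and security answers stored unencrypted. The following added example (written for this article, not Yahoo's code) shows why a slow, salted password hash limits the damage of a stolen user table compared with a fast unsalted digest: identical passwords no longer produce identical records, and each guess costs the same deliberately slow computation as a legitimate login. The standard library's PBKDF2-HMAC stands in for bcrypt, which needs a third-party package; the sample passwords, salt length and iteration count are constructed values, not anything from Yahoo's systems.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample data: two users who chose the same password, one who did not.
SAMPLE_PASSWORDS = ["correct horse battery staple",
                    "correct horse battery staple",
                    "hunter2"]

SCHEME = "pbkdf2_sha256"          # label stored with each record so it can be upgraded later
DEFAULT_ITERATIONS = 200_000      # constructed work factor; tune to your hardware


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: fast, unsalted, and identical for identical inputs.
    A dump of these digests shows at a glance which users share a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 as a bcrypt stand-in).
    Returns a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)     # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and work factor and compare in constant time.
    Malformed or foreign-scheme records fail closed."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def count_repeated_records(records: List[str]) -> int:
    """Number of stored records that appear more than once in a dump.
    With an unsalted digest this leaks shared passwords; with per-user salts it is zero."""
    seen = {}
    for r in records:
        seen[r] = seen.get(r, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    fast = [fast_unsalted_hash(p) for p in SAMPLE_PASSWORDS]
    slow = [slow_salted_hash(p) for p in SAMPLE_PASSWORDS]
    print("repeated records, unsalted SHA-256:", count_repeated_records(fast))
    print("repeated records, salted PBKDF2   :", count_repeated_records(slow))
    print("login check for user 0:", verify_password(SAMPLE_PASSWORDS[0], slow[0]))
```

Even a well-chosen slow hash only buys time once the table is in an attacker's hands, which is why a forced password change on next login, as Yahoo requested, remains the right response to a breach of hashed credentials; the work factor decides how much time it buys, and the scheme label in each record lets it be raised when hardware gets faster.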

To protect its users following the discovery, Yahoo has begun contacting them via email, is requiring a password change on next login, has invalidated any security questions and answers that were stored unencrypted, and is promoting its Yahoo Account Key second-factor verification system in place of passwords. Lord has further stated that the investigation has found no evidence that the attacker is still present within Yahoo's systems, suggesting a dump-and-run attack that yielded a copy of the user database rather than any longer-lasting foothold.

More details on the attack are available on Yahoo's official notification page.