(Bloomberg) -- Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing half of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.

The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and possibly security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate the theft of payment data or bank account information, or unprotected passwords, the company said. Affected users are being notified and their accounts are being secured, it also said.

The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.

“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”

Dark web marketplace


The confirmation that accounts were compromised came almost two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker who previously sold data taken from LinkedIn and MySpace has posted information from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, citing the hacker, who uses the name Peace.

It’s worth noting, though, that many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information was of little value, either because most of it was obsolete or made-up, or because it was useless now that the hackers had already attacked legitimate accounts and exhausted their need for the data.

Underscores danger


While the breach is a blow to Yahoo in particular, more broadly it underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years, either without the breached companies knowing or with them taking only minimal action based on whatever data hackers tell them was taken.

LinkedIn said in May that it was investigating whether a breach of more than 6 million users’ passwords in 2012 was bigger than originally thought, following a hacker’s attempt to sell what was purported to be login codes for 117 million accounts. The company said that it appeared more data was taken in the initial compromise and that the company was just learning about the larger amount through the hacker’s posting.

Like many internet companies that have been breached, LinkedIn reset the passwords only of those it believed were part of the breach at the earlier time, which amounted to 6.5 million users.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
