Yahoo has admitted that data from at least 500 million of its users was “stolen” during an attack in 2014, in what could be a “state sponsored” attack.
The company says the breach was only recently discovered as part of an internal investigation.
It said the hack may have been “state-sponsored” but “the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network”.
Yahoo said it was working “closely with law enforcement” over the breach.
The stolen data may have included names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers.
It did not include unprotected passwords, payment card data or bank account information, the company said.
Previously, the biggest breach was thought to have been the MySpace hack, which was revealed earlier this year and affected 360 million users.
Users who might be affected by the Yahoo attack will be notified, asked to change their passwords and to use other ways of verifying their account.
It is not clear how the news will affect Yahoo’s plans to sell its email service and other core internet properties to Verizon Communications.
The $4.8bn (£3.7bn) deal was announced in July but Verizon has said it was only told of the data breach in the last two days.
In a statement, Verizon said: “We will evaluate as the investigation continues through the lens of overall Verizon interests … Until then, we are not in position to further comment.”
The deal is expected to close in the first quarter of next year, which may give Verizon some room to renegotiate the purchase price or even to walk away.
Industry reaction
Legal impact on Verizon deal?
Mark Skilton, a Professor of Practice at Warwick Business School and an expert on cyber security, commented on the Yahoo hack: “While it’s not a surprise to hear the magnitude of users that have been corporate hacked – after all the rise of the digital business means everyone is more or less online these days – what is shocking is the date, 2014, and the sense of resignation that some may have to the event. This is far too late for professional cyber security risk management and certainly from the organisational practices inside a company like Yahoo! that one would expect.
“The other factor is the legal impact for Yahoo! from the reputational impact and liability in losses for customers. This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo!.
“The lateness of the attack discovery, a whole two years, and the indication that it was a government state sponsored attack suggests both a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo!’s internal security practice.
“Either way, serious questions on internal checking of data breaches must be addressed. There will be a significant internal review in Yahoo! and Verizon to develop a turnaround plan for this hack, but it also suggests a need for a stronger perhaps government and industry role needed to increase cyber protection in the light of the rise in more stealth attacks.
“The infamous Russian bank stealth attack had a similar slow burn attack from an undetected stealth attack that resulted in an estimated 1 billion euro loss from several banks.
“This Yahoo! situation is not that level of financial loss, but the impact and rise of huge cyber-attacks will need stronger cyber responses.”
Security questions exposed?
Joe Hancock, Cyber Security Lead at Mishcon de Reya, said: “This is a huge loss of 500 million records which has gone seemingly undetected for over eighteen months. 200 million records have been offered for sale since August, and may have come from a previous data breach. Attributing this breach to a state actor is unusual, as such a large data set would usually be targeted by criminals. Yahoo has moved quite slowly to confirm the breach and to put protective options in place, although the sheer scale of data lost is hard to comprehend.”
“The release is likely to increase the use of the stolen credentials for other online services, or where a similar password has been used. The fact that security questions and answers were lost is also concerning, as they are often common to many services – it’s hard to remember to change your mother’s maiden name or first pet. There are likely to be more historical breaches coming to light in this manner, although they may not be attached to such a large brand.”
“This comes at a difficult time for Yahoo, as it may affect its upcoming sale to Verizon. After the 2013 data breach at Target, legal claims ran to millions of dollars and continued for several years. In the case of TalkTalk, the share price fell by 11.5%, before recovering. Breaches like this hit a business’ balance sheet.”