Support NeoGAF

[Armadilo]

Article

Yahoo confirmed Thursday that a massive security breach impacted 500 million users, and said it believes a "state-sponsored actor" is behind the hack, which took place in 2014.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter," said Bob Lord, Yahoo's chief information security officer, in a statement on Thursday afternoon.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, according to Lord, encrypted or unencrypted security questions and answers.

The company is urging users to change their Yahoo password, and also to update their password and security questions if the same ones were used on any other accounts.

The hack first came to light last month. At the time, a company spokesman neither confirmed nor denied the alleged hack, telling NBC News in a statement, "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously."

It was announced in July Verizon had reached an agreement to purchase Yahoo for $4.83 billion. The deal is still in process.

A Verizon spokesman told NBC News the company was notified of the incident "within the last two days."

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the spokesman said. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."

 

[nadozza]

The company should not be urging users to update passwords, they should be forcing password changes at this point.

 

[Armadilo]

People don't use yahoo that often anymore but back in 2014, I think it was popular enough that people used it back then

 

[foppy79]

This isn't the first time this has happened to yahoo, no?

Either way taking 2 years to realize you were hacked is pretty bad.

 

[SuperBanana]

Kind of terrifying these huge breaches are done by governments these days. Almost wish it woukd go back to kids doing it for a laugh.

 

[Byakuya769]

Hilldawg.abuela@yahoo.com wasn't even at the state department then.

 

[jay]

Is this all completely legal? Not saying anything for two years?

 

[SourBear]

It was announced in July Verizon had reached an agreement to purchase Yahoo for $4.83 billion. The deal is still in process.

A Verizon spokesman told NBC News the company was notified of the incident "within the last two days."

So the breach happened back in 2014 and we are just hearing about this now? My bet is Yahoo was covering it up, got discovered during due diligence triggered by the Verizon purchase, and Verizon is forcing Yahoo to disclose the news.

Fuck Yahoo.

 

[Phreaker]

The company should not be urging users to update passwords, they should be forcing password changes at this point.

They also should have not waited two years, what a POS company.

 

[hipbabboom]

$4.8 billion... hmmm.

How much did MS offer to buy Yahoo for a couple of years ago for again?

EDIT: Oh god! $44.6 billion?!!

Spoiler

MS won!

 

[Slayer-33]

$4.8 billion... hmmm.

How much did MS offer to buy Yahoo for a couple of years ago for again?

EDIT: Oh god! $44.6 billion?!!

Spoiler

MS won!

Can I have one tenth of a billion?

 

[Pai Pai Master]

Um

2 years ago?

 

[Wagram]

Make sure to enable 2 step folks. I would change the password as well to be safe.

 

[kgtrep]

Does anyone know if this is the largest breach (in terms of number of accounts) that has occurred?

 

[KarmaCow]

Not forcing password changes is one thing but surely there are some guidelines or even regulations about not even publicly addressing this for two years right?

 

[ClosingADoor]

Should force password resets after things like this. And having the password hashed, but unencrypted security questions... How?

$4.8 billion... hmmm.

How much did MS offer to buy Yahoo for a couple of years ago for again?

EDIT: Oh god! $44.6 billion?!!

Spoiler

MS won!

To be fair, this buyout does not include their stake in Alibaba which is the majority if Yahoo's worth at the moment.

 

[Capella]

Does anyone know if this is the largest breach (in terms of number of accounts) that has occurred?

I think so as it's larger than the Myspace hack.

Not forcing password changes is one thing but surely there are some guidelines or even regulations about not even publicly addressing this for two years right?

Article says they found out about it last month but the statement they are quoting was related to a sale of data from 2012 which was never confirmed to real. Looks like they found something much worse when they looked into it...

 

[hipbabboom]

Um

2 years ago?

Give or take 6 years .

To be fair, this buyout does not include their stake in Alibaba which is the majority if Yahoo's worth at the moment.

Didn't know that.

 

[Palette Swap]

Not forcing password changes is one thing but surely there are some guidelines or even regulations about not even publicly addressing this for two years right?

Yeah, beyond being unethically opaque, this sounds litigious as hell.

 

[Ryzaki009]

The fact that they waited this long to tell people is ridiculous. This should be illegal.

 

[Unknown Soldier]

Oh so now the new tactic is to blame "state-sponsored actors" when you get hacked this bad?

Good thing I haven't used Yahoo since like 2001 or something.

 

[dc89]

It's a disgrace it's took this long for them to tell people.

 

[ClosingADoor]

Didn't know that.

Going by the stock market, I think Yahoo's value is actually valued below zero. Their assets in shares of Yahoo Japan (separate company) and Alibaba are more then the total worth of Yahoo.

 

[Jigorath]

Kept it quiet for two years?

This company is trash.

 

[jax]

Kept it quiet for two years?

This company is trash.

To be fair, they could have posted it 2 years ago and no one would have noticed, since its Yahoo.

 

[Kayhan]

Why we still got Yahoo?

 

[RoboGeorgeForeman]

Good thing I only use my Yahoo account for Fantasy Football.

 

[Lime]

They already give information willingly to the NSA, so it doesn't really make a difference I guess

 

[ramparter]

So all yahoo accounta were hacked? I should probably check mine (havent used for a decade)

 

[mrklaw]

this also affect flickr? I honestly can't remember my yahoo account details. Little point changing them but I think my important accounts are all unique and 2FA where possible

edit: Seems I had 2FA on yahoo.com already - needed a text message confirmation code when I logged in. Changed password anyway just in case

 

[kgtrep]

I think so as it's larger than the Myspace hack.

All right, thanks!

 

[The Technomancer]

oh no

my yahoo account

 

[Prodigal Son]

Hilldawg.abuela@yahoo.com wasn't even at the state department then.

Briefly entertaining the thought that this would her real email address is making me laugh way too much.

 

[FStop7]

gg marissa

 

[Beefy]

Verizon seem pissed!

Also as I said on the other thread. I hope Sky Yahoo accounts haven't been hacked.

 

[jorma]

Kind of terrifying these huge breaches are done by governments these days. Almost wish it woukd go back to kids doing it for a laugh.

There is literally nothing that indicates it was "state sponsored" beyond yahoos "belief", and that belief is likely grounded in the idea that people won't shit on Yahoo as much if there's a "foreign government" to blame. But that's just what i think of course.

 

[Baron von Loathsome]

I was forced to change my main account's password when Verizon switched from Yahoo to AOL.

I'll change other one, though.

EDIT: It looks like I changed that one back in May, so I'm good.

Nonetheless, waiting so long to tell the users is not a cool move.

 

[Visualante2]

Soon there will be a gap in the market for a memorable question manager. Ensuring you use unique answers to every memorable question.

 

[Unknown Soldier]

There is literally nothing that indicates it was "state sponsored" beyond yahoos "belief", and that belief is likely grounded in the idea that people won't shit on Yahoo as much if there's a "foreign government" to blame. But that's just what i think of course.

Yeah, the excuse is bullshit. Yahoo must think we are all stupid and that a "state-sponsored actor" would be selling the hacked info for $2000 on the darkweb. They were probably hacked by a 13-year old Russian kid and they're trying to cover up how bad their security was right now.

 

[RexNovis]

I wonder how many of these are JP accounts. For whatever reason yahoo is the go to web search here in Japan. So I'd wager a lot of the existing yahoo accounts are JP ones since I've never seen anyone outside of Japan use yahoo.

 

[Garrett Hawke]

Does this affect tumblr?

 

[Capella]

Does this affect tumblr?

I don't think so but tumblr was hacked a year before Yahoo was.

 

[Visualante2]

Does this affect tumblr?

Yahoo didn't acquire Tumblr until 2016. I would hope not.

 

[Armadilo]

You guys would agree that the best thing out of yahoo was the question and answers thing

 

[Garrett Hawke]

Yahoo didn't acquire Tumblr until 2016. I would hope not.

Thanks!

I don't think so but tumblr was hacked a year before Yahoo was.

Yeah, I changed shit after that hack and I have 2FA on that anyway. Thanks!

 

[GAMEPROFF]

I am sorry for all 50 persons with an active account

 

[Baron von Loathsome]

I am sorry for all 50 persons with an active account

I accept your apology.

 

[StopMakingSense]

Yahoo didn't acquire Tumblr until 2016. I would hope not.

? it was bought in 2013.

 

[GAMEPROFF]

I accept your apology.

Now I feel bad :/

 

[FunkyDealer]

I am sorry for all 50 persons with an active account

Thankfully I've probably changed my password twice since then, and enabled two-step verification. But what the fuck Yahoo!?