Yahoo! Inc. (Nasdaq: YHOO) has stated that over 500 million of their users have been hacked and their personal information has been stolen. The crime involved 2012 to 2014 accounts. Yahoo! did not notice the crime until 2016. It is believed a state-sponsored actor is behind the massive hack.
The situation was announced Thursday in a statement where Yahoo! said the stolen information might include encrypted passwords, unencrypted security questions and answers, phone numbers, dates of birth, names, and email addresses.
According to the company, the investigation does not show evidence of theft of payment card data or information related to bank accounts, nor unprotected passwords. Yahoo! is notifying all possible victims to change their passwords and security questions while the company secures the accounts. There is no evidence the attacker is still on the network, Yahoo! says.
The critical situation comes before Verizon Communications Inc.'s acquisition of Yahoo! Inc., which is planned to be completed early next year.
The investigation started because of a report in July that said a hacker was claiming he had hundreds of millions of stolen Yahoo! accounts for sale on the black market. According to a person familiar with the case, who asked for anonymity, investigators failed to find evidence to confirm what the report stated.
Still, Yahoo! began a deeper, separate investigation that found the information of more than 500 million Yahoo! users had been stolen. Two other people close to the company said the investigation suspects a nation state conducted the attack, although Yahoo! has not revealed why. Russia is among the suspects because recent attacks have been attributed to the communist country.
The company confirmed the accounts were indeed hacked two months after it started its separate investigation. Yahoo! found evidence of someone on the internet trying to sell the information he had stolen from Yahoo! users. The thief posted information from 200 million accounts on a dark web marketplace, offering to sell it. Motherboard reported in early August that the information being sold on the black market was from 2012.
What is most concerning is that the investigation discovered the hacker is the same one that hacked LinkedIn and MySpace. He or she goes under the name of Peace.
The dangers of stolen online information
The information that was stolen from Yahoo! is very useful for criminals to use as fake identities and then commit illegal actions, said Avivah Litan from the analyst group Gartner. Litan added that identity impersonation has become a global criminal epidemic and said there are no simple solutions to tackle these types of crimes.
All of the data found on the dark web was being offered for $200 thousand, which could mean the information was fake or made up, or it could be real but obsolete. Another reason for the low price could be that hackers had already attacked legitimate accounts and already used the material they needed. Motherboard confirmed most of the stolen data sold on the black market was no longer in use, or the accounts had been canceled.
As a precaution, Yahoo! is telling its users to change their passwords and answers to security questions. The company is also asking its clients to check their accounts for any suspicious activity. Another recommendation for Yahoo! users is not to click links or download attachments from suspicious emails.
Looking for someone to blame
“Online intrusion and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo! said in a statement, adding that it is working with law enforcement on the matter.
This is not the first time other states have been blamed for similar attacks, and according to Bloomberg, saying that a hack was launched by a foreign government is the last resort of embarrassed corporate executives.
The disclosure of the massive hack is more than bad news for Yahoo! Chief Executive Officer Marissa Mayer, not only because Verizon is about to buy the company but because this is not the first time Yahoo! has experienced a hard time during her leadership.
Mayer has been dealing with several difficulties, including complaints about Yahoo’s email service. And now that Verizon Communications Inc. plans to buy the company for $4.8 billion, Yahoo’s CEO needs to keep users logging in to maintain traffic. Without the constant traffic, Yahoo is at risk because all of its revenue comes from advertising. Without traffic, there are no views, and without people to see the advertisements, there is no profit.
Yahoo! notified Verizon of the situation within the last two days, said Verizon in an email. The company that is trying to buy Yahoo! Inc. stated that it understands an investigation is currently under way and clarified that it still has limited information and understanding of the impact.
Verizon’s statement via email also said it would evaluate the matter as the investigation continues to see if the results will benefit Verizon's interests, including its customers, consumers, shareholders and related communities.