Stuart Breckenridge

Yahoo Confirms Security Breach of 1 Billion Accounts

Yahoo’s Chief Information Security Officer, Bob Lord, has announced in a Tumblr post that the data of over 1 billion Yahoo customers has been hacked:

As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.[…]

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Worryingly:

We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

In that particular incident the security breach affected 500 million accounts.

While Yahoo are taking steps to invalidate forged cookies, invalidate unencrypted security questions, and forcing users to change their passwords, I am of the opinion that having an account with them is somewhat of a liability. As such, I’ve taken the decision to terminate my account and have it deleted. If you wish to do the same, simply log in to Yahoo and then visit edit.yahoo.com/config/delete_user and follow the instructions.


Supported by