Massive Yahoo data breach: Hackers stole information from 1 billion accounts

Yahoo’s reputation seems to be collapsing like a house of cards. The previous Yahoo data breach, which came to light on September 22, 2016, affected over 500 million accounts[1], but the company has managed to beat its own record. According to an announcement that Yahoo published on December 14, 2016[2], the company has identified an attack that reportedly affected over 1 billion Yahoo accounts. The company states that the security breach took place in August 2013 and, shockingly, admits that it has not yet identified the perpetrators who hacked its servers.

It appears that the hackers managed to steal user data such as email addresses, names, telephone numbers, dates of birth, hashed passwords, and some encrypted and unencrypted security questions and answers. The company believes that the attackers were not able to steal payment card and bank account information, as such data is reportedly stored in a different system from the one that was hacked. However, access to an individual’s email is valuable, because hackers can easily break into the victim’s other accounts using the password reset feature. The New York Times reports that the stolen Yahoo data was put up for sale on dark web forums and has already been sold to three cyber criminals. Reportedly, each of them paid around $300,000 for a full copy of the stolen information.[3]

The company also announced that it is investigating a separate security vulnerability that could allow intruders to access users’ accounts without even having their passwords. Yahoo states that it is concerned about the confidentiality of its proprietary code, which hackers may have accessed in the past. Such information could let attackers learn how to create forged cookies and log into users’ accounts easily. The company is notifying users who could be affected by this attack and has invalidated the forged cookies.

Repeated hacking attacks against Yahoo indicate that security is definitely not this giant company’s strong suit. In July 2016, Verizon Communications Inc. agreed to acquire Yahoo for $4.8 billion; however, recent events have forced Verizon to reconsider the deal.[4] Apparently, Verizon is currently considering two options: killing the deal or negotiating with Yahoo for a lower price.

Users should not forget to take the necessary actions to secure their accounts. The company has already sent out emails and warnings to all accounts that may have been affected by the cyber attack. The most important thing to do now is to change your password (it is advisable to use a different password for each account). Secondly, be aware that scammers might try to deceive people by sending phishing emails that pretend to be from Yahoo and ask you to “verify” your identity by entering valuable personal data.[5] Be careful!

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
