Yahoo admitted Thursday that details of at least 500 million user accounts were compromised due to a massive data leak that transpired undetected in 2014.
The American tech company notified its users about the network breach after recently uncovering the extent of the leakage, which it claims was perpetrated by a state-sponsored actor.
An important message about Yahoo account security https://t.co/gu6qdp3KMW
— Yahoo Inc. (@YahooInc) September 22, 2016
“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo CISO Bob Lord said in a Tumblr post.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
According to Yahoo, compromised account information includes users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
However, the search engine company clarified that the stolen information did not include users’ credit card or bank account details.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation has found to be affected,” it added.
But to be sure, users of Yahoo Mail, as well as other Yahoo-owned sites like Flickr, Tumblr and fantasy football site Rivals.com, are advised to change their passwords and to adopt alternate means of account verification such as appointing a recovery email address or phone number.
Yahoo advises users to do the following:
1. Change Yahoo account passwords and security questions and answers. While Yahoo claims that no Flickr, Tumblr or Rivals.com user data was stolen, it pays to change them all together. Yahoo bought Flickr for US$25 million (AU$32.5 million) in 2005, Rivals.com for US$100 million (AU$130 million) in 2007 and Tumblr for US$900 million (AU$1.2 billion) in 2014.
2. Consider using Yahoo’s Account Key, which lets users access their Yahoo accounts through a simple authentication tool instead of using passwords.
3. Place a security freeze on your credit file. Although credit card and bank account details were not included in the data breach, you can opt for a security freeze to prevent spies from accessing your financial credentials.
4. Monitor your financial accounts for suspicious activities. Users are urged to review their account statements and credit reports. For assistance, users can contact their banks or consumer reporting agencies.
5. Refrain from clicking on links or downloading attachments from suspicious emails. Users are urged to remain cautious of unsolicited communications, especially if they require personal credentials.
Earlier, cloud storage application Dropbox confirmed a similar data breach. Users of music-streaming service Spotify were forced to update their accounts following the news of the leakage.