Yahoo confirms data breach involving 500 million accounts: 5 things to do for Yahoo Mail, Flickr, Tumblr users

By on
Yahoo mail data breach flickr tumblr
A Yahoo logo is pictured in front of a building in Rolle, 30 km (19 miles) east of Geneva, December 12, 2012. Reuters/Denis Balibouse

Yahoo admitted Thursday that details of at least 500 million user accounts were compromised due to a massive data leak that transpired undetected in 2014.

The American tech company notified its users about the network breach after recently uncovering the extent of the leakage, which it claims was perpetrated by a state-sponsored actor.

“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo CISO Bob Lord said in a Tumblr post.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..”

According to Yahoo, compromised account information include users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.  

Yahoo mail data leakage

However, the search engine company clarified that the stolen information did not include users’ credit card or bank account details.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation has found to be affected,” it added.

But to be sure, users of Yahoo Mail as well as other Yahoo-owned sites like Flickr, Tumblr and fantasy football site Rivals.com, are advised to change their passwords and to adopt alternate means of account verification such as appointing a recovery email address or phone number.

Yahoo advises users to do the following:

1. Change Yahoo account passwords and security questions and answers here. While Yahoo claims that no Flickr, Tumbler or Rivals.com user data was stolen, it pays to change it all together. Yahoo bought Flickr for US$25 million (AU$32.5 million) in 2005, Rivals.com for US$100 million (AU$130 million) in 2007 and Tumblr for US$900 million (AU$1.2 billion) in 2014.

2. Consider using Yahoo’s Account Key, which lets users access their Yahoo accounts through a simple authentication tool instead of using passwords.

3. Place a security freeze on credit file. Although credit card and bank account details were not included in the data breach, you can opt for a security freeze to prevent spies to access your financial credentials.

4.  Monitor your financial accounts for suspicious activities. Users are urged to review their account statements and credit reports. For assistance, users can contact their banks or consumer reporting agencies.

5. Refrain from clicking on links or downloading attachments from suspicious emails. Users are urged to remain cautious of unsolicited communications, especially if it requires personal credentials.

Earlier, cloud storage application Dropbox confirmed a similar data breach. Users of music-streaming service Spotify were forced to update their accounts following the news of the leakage. (Read: Dropbox confirms data breach, Spotify force resets users password)