Skip to main content

Confirmed: A hacker accessed records of more than 500 million Yahoo accounts

yahoo 500 million accounts hacked on tablet
Image used with permission by copyright holder
Following reports Thursday morning of a massive Yahoo security breach, the embattled internet giant confirmed the worst this afternoon: personal records associated with hundreds of millions of accounts had been compromised in one of the worst cybersecurity breaches this year. According to a statement on a Yahoo FAQ webpage, a “state-sponsored actor” scraped the names, email addresses, telephone numbers, dates of birth, and passwords associated with more than 500 million Yahoo accounts as recently as 2014.

Yahoo said there is no evidence the responsible party still had access to its network or internal services. Furthermore, it said not all accounts were compromised, and that some details, such as bank account numbers and credit card data, do not appear to have been targeted. But the company said that out of an abundance of caution, it had taken steps to inform affected users of the breach and invalidated unencrypted passwords and security questions. It also urged account holders who had not changed their passwords since 2014 to do so, and encouraged all Yahoo users to change their security questions and answers and review their accounts for “suspicious activity.”

Yahoo said that it was working with law enforcement and that an investigation of the breach was ongoing.

The Wall Street Journal, citing an unnamed source within the company, reported that Yahoo’s databases contained well north of one billion user accounts, and that passwords were protected with an encryption scheme — MD5 — that would have required the latest password-breaking techniques to compromise. In an FAQ published Thursday afternoon, Yahoo said that its hashing method, or one-way mathematical function responsible for obfuscating data, was chosen for its proven robustness against “password cracking” and reliability. “[It’s] a … mechanism that incorporates security features … including … multiple rounds of computation,” Yahoo said.

Rumors of massive security breach emerged as early as August when a hacker, identified by the username Peace, offered to sell 200 million Yahoo usernames and passwords for $1,900 in online forums. The suspected cybercriminal is widely believed to have engineered the sale of stolen data from high-profile networks like LinkedIn and Myspace — reportedly to the collective tune of between $50,000 and $60,000 — and has been implicated in hacks of European social networking site VK, Fling, Dropbox, Tumblr, OK.ru, Twitter, and Facebook.

At the time, a Yahoo representative said the company was aware of the incident and was “working to determine the facts.”

It is not the first time Yahoo suffered a large-scale security breach. In 2012, a group of unscrupulous programmers known as D33D Company managed to download 453,000 unencrypted usernames and passwords belonging to Yahoo Voices, a self-publishing service. Following the infiltration, Yahoo fixed the vulnerability that led to the breach, changed affected users’ passwords and dispatched notifications to companies with accounts that might have been compromised.

As of late, Yahoo has made strides in the area of security. Last year, as part of a separate effort to beef up the network’s broader security, the company deployed a service that automatically detects and notifies users when it suspects their account may have been targeted by a state-sponsored actor. It encouraged affected users to turn on Account Key, Yahoo’s passcode-free login service, activate two-step verification, to choose a strong, unique password. and to review recent activity in account settings.

Yahoo said that before Thursday’s breach, roughly 10,000 users had received an alert via the service.

It is unclear how Thursday’s disclosure will affect the $4.83-billion sale of Yahoo’s core assets to internet service provider and budding content mogul Verizon. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” a Verizon spokesperson said on Thursday.

As of publication, shares of Yahoo had fallen 0.3 percent to $44.02, while shares of Verizon had climbed one percent to $52.39.

The breach is yet another blemish on Yahoo President and CEO Marissa Mayer, who has struggled to turn the beleaguered Silicon Valley company around since its height in early 2000. Yahoo’s web properties, despite attracting more than 200 million U.S. monthly visitors in the past year, reported an 11 percent year-over-year decline in revenue during the company’s most recent earnings call. And Yahoo laid off 1,000 employees, or about 10 percent of its workforce, in the first quarter of 2016.

Analysts blame a failure to capitalize on mobile — and ballooning investments. In the first quarter of 2016, Yahoo made $250 million in revenue from smartphone and tablet users; Facebook, in contrast, made $4.5 billion in the fourth quarter of 2015.  The company’s capital expenditures, driven by substantial investments such as streaming licenses for National Football League broadcasts and the purchase of shopping site Polyvore, climbed an average of 21 percent in 2015.

But Yahoo’s advertising business remains one of the web’s largest. This year, the company is expected to generate $2.83 billion in profit on a 1.5 percent share of the online market. Yahoo Japan, an Asian culture web portal that is the product of a joint venture between Yahoo and Japanese internet company SoftBank Group, has been appraised at nearly $9 billion. Yahoo’s other ventures, which include online publications like Yahoo Tech and Yahoo Finance, are worth an estimated $5 billion to $8 billion.

Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
NFL: Multiple teams’ social media accounts targeted by hackers
The NFL's Daniel Sorensen tries to tackle Darren Waller

“Everything is hackable,” a message posted to the social media accounts of multiple NFL teams said on Sunday. And yes, it was written by hackers.

The NFL’s social media feeds, along with those belonging to teams such as the Chicago Bears, Dallas Cowboys, New York Giants, and Philadelphia Eagles, were all temporarily taken over by a hacking group purporting to be OurMine, which has been behind similar kinds of activity in recent years.

Read more
How to download a video from Facebook
An elderly person holding a phone.

Facebook is a great place for sharing photos, videos, and other media with friends and family. But what if you’d like to download a video to store offline? This means you’d be able to watch the clip on your PC or mobile device, without needing to be connected to the internet. Fortunately, there’s a way to download Facebook videos to your everyday gadgets, although it’s not as straightforward a process as it could be.

Read more
How to delete your Gmail account (and what you need to know)
The top corner of Gmail on a laptop screen.

Is it time to part ways with your Gmail account? Whether you’re moving onto greener email pastures, or you want to start fresh with a new Gmail address, deleting your old Gmail account is something anyone can do. Of course, we’re not just going to bid you farewell without a guide all our own. If you need to delete your Gmail account, we hope these step-by-step instructions will make the process even easier.

Read more