Sunnyvale, California — The American multinational technology company Yahoo Inc. announced on December 14, 2016, that a 2013 hack attack had compromised more than 1 billion Yahoo user accounts.
Founded in 1994 and headquartered in Sunnyvale, California, Yahoo is best known for its Yahoo! Mail email services, its search engine Yahoo!, and related offerings, including Yahoo! News, Yahoo! Finance, Yahoo! Answers, etc. One of America’s most popular web companies, Yahoo offers the highest-read news and media website, with over 7 billion views per month, making it the world’s fifth most visited site.
In September 2016 the company disclosed that 500 million user accounts had been hacked in 2014, so this most recent announcement represents a further blow to the company’s image. Together, the two attacks represent the world’s largest known security breaches of a single company’s computer network.
Here are the 5 Fast Facts you should know:
1. The Attack Compromised Sensitive User Information
According to the New York Times, “The newly disclosed 2013 attack involved sensitive user information, including . . . encrypted passwords and unencrypted security questions that could be used to reset a password”.
Yahoo’s chief information security officer, Bob Lord, admits, “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords,…and, in some cases, encrypted or unencrypted security questions and answers”.
In the aftermath of the attack’s discovery, Yahoo Inc. has mandated that all of its affected users must change their passwords. The company is also invalidating all current unencrypted security questions.
2. No One Knows Exactly How Many Users Are Really Affected
As one of America’s most popular websites and search engines, Yahoo has millions of users of its offerings, including its Web portal, search engine, and online mapping, video sharing, fantasy sports, and social media services. So far, no one knows exactly how many Yahoo users may be affected by the two attacks.
A worst-case scenario, however, is that more than 1 billion accounts were affected, because the company has more than 1 billion active users. The most recent hacking attack was discovered as Yahoo analyzed data files provided by law enforcement — these files were probably related to the previously announced attack.
3. Yahoo Has Been Slow to Implement Security Measures
The New York Times accuses, “Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook”. This may have been because Yahoo’s security team has repeatedly quarreled with the company’s top executives, including chief executive Marissa Mayer, over the costs and the customer inconvenience attached to security measures the team has suggested.
Moreover, Yahoo was slow to put in place aggressive security controls — even after the company suffered a hack of nearly a half million user accounts in 2012, not to mention a spam attack of unwanted messages sent to users in 2013. As Jay Kaplan, chief executive of the computer and online security company Synack, puts it, “What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward”. Kaplan adds, “Yahoo has a long way to go to catch up to these threats”.
4. Yahoo Has Been Even Slower to Disclose Security Problems
Yahoo has made what New York Times writers Vindu Goel and Nicole Perlroth call “a steady trickle of disclosures” about the 2014 hacking. The company has said the attacker in the earlier security breach was sponsored by a foreign government. Yahoo has not disclosed who it believes was behind the attack, assuming it suspects a particular government. Yahoo is investigating the attacks with help from American “authorities” — presumably the FBI and/or the CIA.
Yahoo security officer Bob Lord said in a statement released after the 2014 attack that a “state-sponsored actor” had hacked into the company’s “proprietary source code”. Outside experts who are investigating the attack are of the opinion that once the hackers had the source code, they were able to use it to access Yahoo users’ accounts without passwords through the creation of forged “cookies”. Cookies are the brief pieces of text that websites typically store on the user’s device. By forging cookies, the foreign attackers impersonated Yahoo users. In so doing they gained information about the users and were able to perform actions on their behalf.
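The forged-cookie technique described above only works when an attacker can produce a session cookie the server accepts. The following is an added illustration, not Yahoo’s code and not a description of Yahoo’s actual cookie format: a minimal session cookie that binds its contents to a server-side secret with an HMAC and an expiry, so that knowing the source code (the format and the algorithm) is not enough to mint a valid cookie without the key. The cookie layout, field names, `SERVER_KEY`, and the helper names `mint_cookie` / `verify_cookie` are all assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example. The point of the design is that this value lives
# outside the source tree (a secret store or HSM), so stolen source code alone
# does not let anyone forge cookies.
SERVER_KEY = secrets.token_bytes(32)


def mint_cookie(user_id, ttl_seconds=3600, key=SERVER_KEY, now=None):
    """Build a cookie of the form base64(payload).base64(hmac_sha256(key, payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"uid": user_id, "exp": now + ttl_seconds}, separators=(",", ":")
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(sig).decode()
    )


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None  # malformed: wrong shape or bad base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None  # expired (or missing expiry)
    return data.get("uid")


def demo():
    """Show a genuine cookie being accepted and a forged one being rejected."""
    genuine = mint_cookie("alice", ttl_seconds=600)
    # A forger who has the code and the format but not SERVER_KEY signs with a
    # key of their own; the server's verification fails.
    forged = mint_cookie("alice", ttl_seconds=600, key=secrets.token_bytes(32))
    return verify_cookie(genuine), verify_cookie(forged)


if __name__ == "__main__":
    print(demo())  # ('alice', None)
```

The design choices that matter for the scenario in the article are the two that the forger cannot reproduce from the source code: the secret key held outside the repository and the server-side check with `hmac.compare_digest`. An expiry field additionally limits how long any cookie, leaked or stolen, stays useful. Session identifiers that are looked up in a server-side store, rather than self-describing payloads, give the same property and are the more common production choice.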
5. What Should You Do If You’re a Yahoo User?
Security experts are advising Yahoo users to do the following:
- Assume you were hacked.
- Change your Yahoo password.
- Change your passwords for other sites, especially those that have sensitive data such as financial, health, or credit-card information. This is particularly important if you provided that site with a Yahoo email address when you created your account.
- Never use the same password, or even a similar one, at multiple sites.
- Consider using a password managing app, such as 1Password or LastPass.
- If you create your own passwords, be sure they are long and complex. They should not be based on actual words or names, and they should include letters, numbers, and special characters such as hashtags or question marks.
- Use the strongest passwords at the sites that contain your most sensitive information. Do not reuse these passwords at other sites.
- Be suspicious of everything you receive online. Hackers may be trying to fool you into divulging more information.
Web security expert Jeremiah Grossman, founder of White Hat Security, is a proponent of random passwords, and he uses random ones himself. “I select them quite literally by banging on the keyboard a few times like a monkey”, he says.