Yahoo released an important message about Yahoo User Security on the official company blog a moment ago confirming that information on at least 500 million Yahoo accounts was stolen in late 2014.
The company believes that a state-sponsored actor is behind the attack. According to the blog post, names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers were stolen.
Yahoo states that there is no evidence currently that unprotected passwords, payment card data, bank account information or other financial information were among the stolen data.
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo plans to start informing affected users. The message that the company plans to send out may differ from region to region. You can check the U.S. message here (PDF document).
The email includes information on what happened, what information was involved, what Yahoo is doing, and what individual users can do about it.
Yahoo will ask affected users to change their passwords and add alternate means of account verification to the account. The company has invalidated any unencrypted security questions and answers, and recommends that users who have not changed their Yahoo passwords since 2014 do so immediately.
To change the Yahoo password, do the following:
Load the Yahoo Account page.
Click Account Security, and then on change password.
Enter and confirm your new password.
Click on continue, and then on continue again to complete the process.
Yahoo furthermore asks users to change account passwords and security questions/answers for any other account that has been associated with the Yahoo account, or where the same email address and password were used.
Yahoo users should expect to get spam communications and emails that may be personalized.
One option to strengthen the security of the Yahoo account is to use Yahoo Account Key. This is an authentication tool that is integrated into the Yahoo application for Android and iOS, and available for setup from a web browser as well.
Additional information about Yahoo Account Access is available here.
It is rather frightening that information about years-old hacks that dumped the information of millions of user accounts comes to light only years later, if at all.
It is clear that anyone with access to the data had years to exploit the information and crack the hashed passwords. While it makes sense for Yahoo to inform users now that they need to change passwords on Yahoo and on third-party sites where the same username and password were used, it may very well be too late for a lot of accounts.