Yahoo confirms 500 million user accounts have been breached
Note: This article was first published on September 23, 2016.
Have a Yahoo account? You should definitely change your password now (at the very least, and I’ll tell you why), as the company has just confirmed that information from 500 million accounts (half a billion!) was stolen in late 2014 by what it believes to be a state-sponsored hacking operation. This is the biggest account breach to hit a single company, far bigger than the MySpace hack that affected 360 million users.
(Also worth noting: In 2012, comScore pegged the number of Yahoo Mail users at 298 million. With today's revelation, does this mean the majority (all?) of Yahoo's user accounts were compromised?)
Bob Lord, Yahoo’s Chief Information Security Officer:
The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.
In addition to enhancing its systems to detect suspicious access, Yahoo - which is currently in the midst of being acquired by Verizon - is now notifying potentially affected users about the breach, and asking them to change their passwords and adopt other means of account verification. It has also invalidated unencrypted security questions and answers so they can’t be used to access an account. Sure, Yahoo did mention that the "vast majority" of the stolen passwords are hashed using bcrypt, but that’s really scant consolation, because if even only 20% of the 500 million aren’t - that is, they use weaker hashes - it would mean that easily 100 million plaintext passwords (once those weaker hashes are cracked) are now in the hands of hackers.
And while Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so, we think it’s wise to change your password if you haven’t done it recently (it’s just good practice). More importantly, if you’ve used the same password to protect other accounts, it’s wise to change their passwords now.
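To make the bcrypt-versus-"weaker hash" point concrete, here is an added example (not Yahoo's code, and not from the original article) showing why a fast unsalted hash such as MD5 is a liability in a stolen database and how a service migrates legacy records to a slow, salted scheme. Python's standard library does not ship bcrypt, so the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in with the same design goal; the sample password, the user record layout, and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample credential for the demo; not real user data.
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for the slow scheme (hypothetical setting; OWASP suggests ~600k
# iterations for PBKDF2-HMAC-SHA256 at the time of writing).
STRONG_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Unsalted MD5: the kind of 'weaker hash' that a breach exposes to fast cracking.

    Every user with the same password gets the same digest, and one core can score
    millions of guesses per second, so a stolen table of these is close to plaintext."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = STRONG_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (PBKDF2 here; bcrypt serves the same purpose).

    A random 16-byte salt per user means identical passwords hash differently, so an
    attacker cannot precompute one table for the whole dump, and the iteration count
    makes each guess cost real CPU time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes,
                  iterations: int = STRONG_ITERATIONS) -> bool:
    """Recompute and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login against whichever scheme the record still uses.

    If the record holds a legacy MD5 hash and the password checks out, rehash it with the
    strong scheme on the spot. This is the usual way to retire a weak-hash population
    without ever needing the plaintext outside a successful login."""
    if record["scheme"] == "md5":
        if not hmac.compare_digest(legacy_hash(password), record["hash"]):
            return False
        salt, digest = strong_hash(password)
        record.update(scheme="pbkdf2", salt=salt, hash=digest)
        return True
    return verify_strong(password, record["salt"], record["hash"])


def guesses_per_second(hash_fn, window_seconds: float = 0.25) -> float:
    """Rough single-core throughput: how many candidate passwords hash_fn scores per
    second. The gap between the two schemes is the whole argument for bcrypt-class
    hashing of stored passwords."""
    start = time.perf_counter()
    n = 0
    while time.perf_counter() - start < window_seconds or n == 0:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # A legacy record as it might sit in an old table, then the upgrade on first login.
    record = {"scheme": "md5", "hash": legacy_hash(SAMPLE_PASSWORD)}
    print("legacy login ok:", login_and_upgrade(record, SAMPLE_PASSWORD))
    print("record scheme now:", record["scheme"])
    fast = guesses_per_second(legacy_hash)
    slow = guesses_per_second(lambda p: strong_hash(p, b"fixed-demo-salt!")[1])
    print("MD5 guesses/s: %.0f   PBKDF2 guesses/s: %.1f   ratio: %.0fx" % (fast, slow, fast / slow))
```

Running the block prints the throughput ratio for the current machine; the exact figures vary, but the slow scheme will be several orders of magnitude behind MD5, which is the margin that turns "hashed" into something an attacker actually has to work for. The upgrade-on-login pattern is what a service in Yahoo's position would use to drain the non-bcrypt minority over time.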
Lastly, since personal info like names, email addresses, phone numbers, and dates of birth have been stolen too, you need to keep a lookout for social engineering attacks. Be wary of unsolicited communications that ask for your personal information or refer you to a web page asking for personal information, and please don’t click on links or download attachments from suspicious emails.
Update: Here's an FAQ from Yahoo.
Update 2: Updated article on what it means if a weaker hash is used.