On 22 September 2016 Yahoo! released a statement and the full extent of the 2014 Yahoo! data breach was revealed. With at least 500 million Yahoo! accounts being hacked and their information stolen, this is to date the biggest data theft that the Internet has experienced. The occurrence of data theft instances has increased rapidly in recent years, but this one is quite severe.

The breach occurred in late 2014, and it is unclear how long Yahoo! have been aware of the enormity of it. In their statement, they also claim that they believe a “state-sponsored actor” (hacker paid by the government) was responsible for the crime. Their official statement came two months after the company admitted to investigating a hacker who was selling the data of some 200 million Yahoo! stolen accounts on a dark web marketplace for a meagre one bitcoin (more or less $2000).

Verizon and Yahoo!

This airing of Yahoo!’s dirty laundry comes at a very inappropriate time for them, as a company named Verizon agreed to buy Yahoo! in late July 2016 for $4.83 billion. The acquisition was scheduled to be finalised in early 2017. Verizon only found out about the breach in September.

The Damage

Damages to Yahoo! and Verizon as companies set aside – let us reflect on what the ramifications are for the Yahoo! account holders in question:

1. Just because you haven’t used your Yahoo! account in years does not mean you are not at risk. With 500 million accounts affected the odds are good that one of them is yours. Yahoo peaked in the late 90s and early 2000s before Google started dominating the market. The problem with this is, everyone opened a Google account, but most of us forgot, or didn’t bother to close our Yahoo! accounts. If this is the case, your personal information is still floating around out there.
2. Other Yahoo! associated accounts can also be affected. Users of Flickr, Sky and BT might all be at risk too because they are linked or hosted by Yahoo!.
3. The extent of the damage or potential damage is unknown. To be frank, no one can really predict what the extent of the damage will be. All that the authorities know is that personal information, including names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, encrypted and unencrypted security questions and answers were stolen. This information is also believed to be in criminal possession, so it is reasonable to assume they are not going to just look at the data.

How to protect yourself

It’s fair to accept that most users won’t take online account security advice from Yahoo!.

1. Immediately change your Yahoo! account details. Be on the lookout for unusual activity on your account and Yahoo! related accounts, but more importantly, be cautious of unusual suspicious activity on other online accounts. With the type of information that was leaked, hackers would be able to guess access to other online accounts that belong to you.
2. Be vigilant of unsolicited emails and attachments. Yahoo! mentioned in their statement that they will send an email to the accounts which they believe are affected. Here is a copy of their proposed email communication. It will be easy for cybercriminals to email you (containing personal information) trying to perpetuate the exploitation.
3. Practise password hygiene. Two-step verification, using different passwords for different accounts, strong passwords, just to name a few. Avoid using the same security questions and answers for more than one account, this will minimise the damage if your account was compromised.

Meanwhile, our hearts bleed for Yahoo!. Godspeed!