Why losing 500 million passwords is not great

Yahoo has confirmed that it was subject to a massive email breach in late 2014 that affected close to 500 million users. The US-based email service has said that its investigation has confirmed the attack, and the company has now come forward and acknowledged the breach. Officials say that the investigation is ongoing.

The unfathomable severity of the attack

The attack occurred sometime in late 2014. The attackers gained access to more than 500 million user accounts tied to Yahoo. 500 million – if you flicked through one stolen password manually per second, you would have to keep going for 15 years to get through them all, and that is if you worked 24/7. A computer, however, can search for sensitive details in seconds. The attackers got access to critical information such as names, email addresses, dates of birth and telephone numbers, as well as hashed passwords. Some of the passwords that were stolen were unencrypted while others were encrypted. However, it is known that cracking these encrypted passwords from such data stores is a fairly simple and less time-consuming job. We have been able to verify part of the stolen information on the Dark Net ourselves, and can confirm that the information is genuine. (For the record, we have not kept any stolen information on our system, but erased it immediately after verification.)

The attackers gained incredible access to deeply personal information about the users. They got access to the accounts and could therefore use the stolen user information for card fraud and identity theft. Yahoo has claimed that no payment information was stolen in this massive breach. As for the culprits, Yahoo has said that it believes state-sponsored players were behind this attack.

Action by Yahoo, too little, too late

As confirmed in the report given by Yahoo, the attack happened sometime in late 2014. However, Yahoo only came forward with the official confirmation this year. What? There is no justification for not disclosing the breach earlier. All affected users need to know as soon as possible, so that they can take preventive measures. They may need to change passwords on other websites, and they may need to change bank account numbers and credit cards.

Yahoo has accepted that it has been subjected to one of the biggest breaches against a US-based company, and although a lot of damage could already have been done, as the hackers had access to around 500 million user accounts, the company has now claimed that things are under control. Yahoo also said that the state-sponsored hackers believed to be involved in the attack are no longer in its network. We can only imagine the feeling of despair and fear that must have hit IT staff and management at Yahoo when they discovered hackers within their system.

As for mitigation, Yahoo has sent emails to potentially affected users. It has provided a detailed FAQ section about the attack, which covers the issue comprehensively. Yahoo has given detailed information as to when the attack happened, what information was stolen, what the company has done since, what users can do to make sure their accounts are safe, and how they can seek further assistance from the technical staff. The basic pointers given by Yahoo are:

  1. Users who have not changed their passwords since 2014 are urged to do so immediately.
  2. Users are urged to change their security questions as well. The company has said that it is doing away with weak storage algorithms for passwords and security questions.
  3. Yahoo has asked users to be wary of the emails they receive about the issue. It has warned users that an email sent by Yahoo will never ask them to click on a link, download an attachment, or provide their personal information. It has given a template of its official email for users to see, so that they are not tricked into opening fraudulent emails.
  4. Yahoo has requested users to use stronger mechanisms for authentication and account recovery.
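
The difference between a weak and a strong password storage scheme, as referred to above for the stolen hashed passwords and in pointer 2, shown as an added example that is not from Yahoo or from the original article. The unsalted SHA-256 scheme is an assumed stand-in for a weak algorithm, since the article does not name the one Yahoo used; the account names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users share a password, as happens in any large user base.
ACCOUNTS = {"alice": "sunshine2014", "bob": "sunshine2014", "carol": "T7#pq-long-unique"}

PBKDF2_ITERATIONS = 600_000  # deliberately slow: every guess costs this many HMAC rounds


def weak_store(password):
    """Assumed weak scheme: one fast, unsalted hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password, salt=None):
    """Hardened scheme: per-user random salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def strong_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def shared_digest_groups(table):
    """Users whose stored values are identical, as visible to anyone holding the table."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables():
    weak = {u: weak_store(p) for u, p in ACCOUNTS.items()}
    strong = {u: strong_store(p) for u, p in ACCOUNTS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    # Unsalted: equal passwords give equal hashes, so one recovered value exposes every user sharing it.
    print("weak scheme, users with identical stored values:", shared_digest_groups(weak))
    # Salted and slow: no two rows match, and each guess must be repeated per user at full cost.
    print("strong scheme, users with identical stored values:", shared_digest_groups(strong))
```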


Yahoo’s value didn’t exactly go up

One does not need to point out that the impact of this email breach is enormous. The sheer number of accounts compromised is enough to make anyone understand that. Having 500 million user accounts compromised is something nobody can come out of without a scratch. The only strategy for Yahoo right now is damage control and safeguarding against future attacks.

Yahoo has not seen worse days. The company was already in shambles, having been acquired by Verizon in July 2016 for $4.3 billion. The deal is said to close in 2017. Verizon, though, was as dumbfounded as the general public when Yahoo came forward with news confirming the email breach. Verizon claimed that it knew nothing about the attack before Yahoo came forward with it, adding to the dark clouds surrounding Yahoo. The precarious situation poses a tough problem for both companies. While they would have been looking to complete all the formalities and close the deal in time, they now have to sort out this mess in order to clear their sullied names as much as possible. One thing is sure, though: the job won’t be easy.

What you need to do now

We have already mentioned the information that was stolen in this mega-breach. Yahoo has provided its user base with a list of Do’s and Don’ts. They have assured their users that no payment information was stolen, but personal information was stolen, and one cannot neglect the fact that the privacy of users was blatantly violated. Here are the first things you should do:

  1. As asked by Yahoo, if you have not changed your password since 2014, now is as good a time to change it as any.
  2. Look for suspicious activity related to your account. Yahoo is sending out emails to potentially affected users, but that figure is more than 500 million, and you should do better than waiting idly for them to notify you of your account being compromised.
  3. If you find suspicious activity related to your account, go through Yahoo’s FAQ and contact them immediately, and of course, change your password.
  4. Look at your credit statements to check for fraudulent transactions. Although Yahoo has confirmed that no payment information was stolen, they do mention in their FAQ that users can freeze their accounts temporarily if they believe their account had been compromised in the breach.

3 dangers of losing email and password login information

  1. The hackers have access to your email account. This means that they have access to your correspondence with all your contacts. They can see everything you’ve sent and received through your email account.
  2. Hackers have access to your personal information. Many hackers steal this information and then sell it on the black market to people looking to masquerade as someone else for credit fraud, or to access your bank accounts.
  3. In case other accounts are linked with this one and use the same password, then the hacker gains access to those accounts as well.

The email breach that has been confirmed by Yahoo is the biggest of its kind against any US-based company. Yahoo’s stock value hasn’t been as high as it was a decade or so ago, and this is certainly not what they would need to make things better.


By James Duncan, Hidden24