The information was taken in late 2014 and may include users’ names, email addresses, birth dates, telephone numbers and security questions and answers, Yahoo said in a post on its company blog. The Sunnyvale company said it believes a “state-sponsored actor” — meaning a foreign government or a group with government backing — was responsible for the act.
The company said affected users will be notified by email. It is encouraging users to change their passwords if they haven’t done so since 2014. It is also advising them to change their security questions and answers on other services if they used similar ones on Yahoo.
“Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure,” wrote Bob Lord, Yahoo’s chief information security officer, in the blog post.
Yahoo said it does not believe that the responsible parties currently have access to its network. Users’ unprotected passwords, payment card data or bank account information were not stolen, according to the company. Unprotected passwords weren’t part of the breach, Yahoo said, but hashed or digitally obscured passwords may have been taken.
The announcement comes as Yahoo is preparing to sell its Internet properties to Verizon next year. Verizon said it was notified of the breach within the last two days.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.
Why would a government target Yahoo users? Goals could include gaining access to the personal correspondence of human-rights activists, or U.S. government employees with access to sensitive information that could be used as blackmail, said Craig Young, a security researcher for software firm Tripwire. Those responsible may want to use the information to impersonate U.S. officials through their email to get others to do something for them, he added.
Yahoo and other tech companies have seen data breaches in the past. In 2012, roughly 450,000 Yahoo user name and passwords were compromised. More than 100 million LinkedIn accounts were stolen in that same year, a hacking exploit which continues to haunt the company. Hackers sometimes seek to sell user information online for profit, or exploit it to log into other non-Yahoo accounts, relying on consumers’ habits of using the same login names and passwords from service to service. Even companies whose servers haven’t been hacked can be affected, as hackers test purloined logins. Netflix recently warned its customers about the problem.
In some cases, Silicon Valley companies like PayPal go through intermediaries to purchase stolen account information from the criminals who stole it from them, in part to determine the extent of the
©2016 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.