On Thursday, Yahoo claimed that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been “state sponsored.” Full passwords, payment card data and bank account info weren’t targeted.
The data breach included people’s names, email addresses, telephone numbers, dates of birth, hashed passwords and even security questions and answers, Yahoo CISO Bob Lord explained.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” said a statement by the US internet giant in what is likely the largest-ever breach for a single organisation.
The hacker who collated the details and put them up for sale online, going by the name ‘Peace’, said those details were from “2012, most likely”.
Yahoo is now in the process of notifying customers who may be affected, and asking them to change their passwords, or use different methods of confirming their identity.
The huge batch of exposed passwords exceeds the 61 million Dropbox credentials that were leaked online in August after a hack in 2012, which led Dropbox to also urge users to change their passwords.
Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo two years to disclose it.