Coverage: Yahoo admits that 500 million accounts hacked

Yahoo said Thursday that a hack has resulted in personal information from 500 million accounts being stolen, which the company blamed on a foreign government.

Jeff John Roberts of Fortune magazine had the news:

The incident is a big deal, since so many have a Yahoo account of some type or other — for email or finance or fantasy sports and so on. The fallout will have major implications for consumers and Yahoo’s still on-going merger with Verizon. Here’s a plain English Q&A about what we currently know.

What did the hackers steal?

They obtained consumers’ names, email addresses, phone numbers, birthdates and “hashed passwords” (more on that below). In some cases they also stole security questions and answers that would let the hackers access the account.

Who are the hackers?

Yahoo would only describe them as a “state-sponsored actor.” In other words, a foreign country used its military or intelligence services to break into Yahoo’s systems. The most likely culprits, in order, are: China; Russia; North Korea.

Laura Hautala of CNET has advice on what do you if your account was hacked:

This might sound obvious, but if you’re like a lot of people, you might not use Yahoo Mail as your primary email account. Yahoo has 1 billion monthly active users on its services overall and just 225 million monthly active users for its Yahoo Mail service, according to figures the company gave CNET in June.

So check the email affiliated with your Yahoo account if you haven’t already. Yahoo has started sending out notifications to users, and you should be receiving one at that account if you were affected by the data breach.

Change your password

Yahoo is recommending that people who haven’t changed their password since 2014 do so now. The company says the passwords that hackers stole were encrypted — scrambled up with a tool called bcrypt. This kind of encryption can potentially be broken with enough persistence, said Brett McDowell, executive director of the FIDO Alliance, a nonprofit group that vets login systems.

Nicole Perlroth of the New York Times notes this is not Yahoo’s only problem:

The Yahoo hack also adds another miscue to what has been a troubled sale of a long-troubled company. In July, Verizon said it would acquire the internet pioneer, roughly a month before Yahoo security experts started looking into whether the site had been hacked. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.

In a statement on Thursday, a Verizon spokesman, Bob Varettoni, said his company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”

It is unclear whether security testing — such as a test to see if security experts could break into the Yahoo network — was performed as part of Verizon’s due diligence process before it agreed to the acquisition.

But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence.