Yahoo has disclosed to the public that more than one billion accounts may have been breached in the latest cyber-attack to hit the company.
The beleaguered company has already had to suffer the humiliation of letting the world know that around 500 million accounts were accessed without permission during September of 2014. The newly revealed breach occurred a year before that, in August 2013, and Yahoo has also confirmed that it’s unable to identify how the attackers were able to get access to the accounts.
The official statement from Yahoo came after markets closed on Wednesday, and not only highlighted that the attack had occurred, but also went into additional detail on the type of data that may have been taken as part of the hack. The statement claimed that the malicious individuals may have gotten access to names, email addresses, telephone numbers and hashed passwords associated with an account. The company also believes that a number of encrypted and unencrypted security questions may have been obtained.
The unauthorized access to Yahoo’s systems will definitely be of huge concern for anyone with a Yahoo account, but there is some relatively reassuring news in the fact that Yahoo believes that no bank account information or payment data was obtained by the hackers. The company has ensured that all of the stolen data held in unencrypted form has been invalidated, and is therefore of no real use to the hackers.
However, it’s potentially the method of access that could be considered the most concerning. Yahoo believes that attackers may have stolen its secret source code, and therefore didn’t need a password to access accounts:
“Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.”
Yahoo may have invalidated any unencrypted data and the forged cookies, but it’s an announcement that the firm could simply do without, given its current situation and the fact that it has taken more than two years to actually confirm and announce the breach.
If you are a Yahoo account holder, it’s likely you will have an email from the business confirming the breach and next steps. It’s prudent to follow the guidance in that email. In any case, we highly recommend changing your password right now!