Yahoo! We Lost Your Data! Two Years Ago…

Gavin Phillips 23-09-2016

Web giant Yahoo has suffered an enormous data breach. The breach, which took place in 2014, resulted in the account information of 500 million Yahoo users being offered for sale on the dark web.


Image Credit: Ken Wolter via

The scale of the theft dwarfs other recent, major data breaches, and places the security practices in place at Yahoo firmly under the spotlight.

What Has Been Breached?

Yahoo issued a statement confirming and detailing the security breach, asserting that the data was stolen by a “state-sponsored” actor. Information including names, email addresses, phone numbers and security questions was stolen from the company in 2014.

“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. We are working closely with law enforcement authorities and notifying potentially affected users of ways they can further secure their accounts.”

One small positive is that the stolen data did not include “unprotected passwords, payment card data, or bank account information.” Nonetheless, the statements issued by Yahoo will raise further questions from security researchers concerning the timeline of events, as well as the company’s actions in the period between the breach and its disclosure.


Raising Important Questions

Firmly atop many security researchers’ lists of questions will simply be: why did it take so long to confirm a hack of this scale? That easily segues into other questions. Why did Yahoo take so long to inform its users of the breach?

The notion of a state-sponsored attack is also puzzling. As yet, Yahoo has failed to produce any evidence linking the breach to a nation-state actor, although three U.S. intelligence officials – who declined to be identified by name – confirmed to Reuters:

“…they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.”

Even if the breach bore a resemblance to previous nation-state attacks, those operations do not typically result in private user data being released. Rarer still is finding the stolen credentials advertised for sale on the dark web.


Adding further intrigue is the identity of the individual selling part of the data breach. A user named “Peace of Mind,” who had also sold data dumps of the MySpace and LinkedIn breaches, was actively touting the data.

Image Credit: adike via Shutterstock

Jeremiah Grossman, head of security strategy at SentinelOne, said “While we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.”

Grossman believes that as Peace of Mind was a “profiteer hacker” they would be highly unlikely to have received state-sponsorship; consequently, “this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”


“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be…We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.” – United Kingdom Information Commissioner Elizabeth Denham

How Serious Is This?

Yahoo’s statement confirmed that the vast majority of stolen passwords were hashed using bcrypt. Hashing turns a password into a fixed-length, one-way “fingerprint”; when a user attempts to log in, the submitted password is hashed again and compared with the stored value, so the site never needs to keep the password itself. It is a basic method of protecting user information, yet it is still overlooked by some websites.

Bcrypt is considered a secure method of hashing for two reasons. Each hash is “salted” with a random value, so two users with the same password end up with different hashes and an attacker cannot crack them all at once with a precomputed table. It is also deliberately slow, with a tunable cost factor, so guessing passwords against a stolen hash is expensive.

Passwords are irritating but easy to change; a mother’s maiden name isn’t. The attackers also took security questions and answers, some of which Yahoo stored unencrypted. Security questions have long come under scrutiny for their role in account takeovers following previous breaches, yet they remain a primary feature of most account recovery systems.
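The two paragraphs above describe what a salted, slow hash buys a site and why security-question answers deserve the same treatment. The following is an added example, not code from the article or from Yahoo. bcrypt is not in the Python standard library, so it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in for the same class of salted, deliberately slow password hash; the record format, the iteration count and the sample secrets are illustrative assumptions.

```python
"""Added example: salted, slow hashing for passwords and security answers,
beside the unsalted hash that some sites still store. PBKDF2-HMAC-SHA256
stands in for bcrypt (which is not in the standard library)."""
import hashlib
import hmac
import os
from typing import Optional

# Tunable cost factor (bcrypt's equivalent is its log2 "rounds" parameter).
# 100_000 is an assumed, illustrative value, not a recommendation.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def hash_secret(secret: str, *, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Return an assumed record format 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh 16-byte random salt is drawn per call, so hashing the same
    secret twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and cost, then compare in
    constant time. The record never reveals the secret itself, and a
    malformed record is rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(secret: str) -> str:
    """What a site that overlooks salting ends up storing: identical
    passwords collide, so one cracked hash unlocks every user who chose it,
    and a precomputed table works against the whole dump at once."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def normalize_answer(answer: str) -> str:
    """Casefold and collapse whitespace so 'Smith ' and 'smith' still match,
    then the answer is hashed exactly like a password instead of being
    kept in the clear."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, record: str) -> bool:
    return verify_secret(normalize_answer(answer), record)


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    first, second = hash_secret(pw), hash_secret(pw)
    print("salted records differ:", first != second)
    print("both verify:", verify_secret(pw, first) and verify_secret(pw, second))
    print("wrong password rejected:", not verify_secret(pw + "!", first))
    print("unsalted hashes collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
    rec = hash_answer("Smith")                    # constructed sample answer
    print("answer verifies despite case:", verify_answer("  sMiTh ", rec))
```

The salt is stored alongside the digest in the record; it is not a secret, its job is only to make every hash unique so that cracking effort cannot be shared across users. The cost factor is what makes each guess slow, and bcrypt lets a site raise it over time as hardware gets faster.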

Accordingly, Yahoo has sent all of its users a password reset message and encourages them to:

  • Change your password and security questions and answers for any other accounts on which you use the same or similar credentials as the ones used for your Yahoo Account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

We cannot emphasize the first suggestion enough. We also advise our readers to consider other sites they may have used their Yahoo login credentials with, such as photo-storage service Flickr, or social bookmarking site

You may even have created a Yahoo account without realizing it.

A Big Old Breach

Yahoo now takes an unwanted crown: the biggest known corporate data breach to date.

  • Yahoo – 500 million user credentials
  • MySpace – 359 million
  • LinkedIn – 164 million
  • Adobe – 152 million
  • Badoo – 112 million

In July 2016, U.S. telecommunications giant Verizon agreed to acquire Yahoo’s internet business for roughly $5bn. At the time of writing, the breach is not expected to affect the takeover.

Our advice remains the same as with any major data breach. Reset your passwords. Also, scrutinize your emails and text messages over the coming weeks and months. Remember to never reuse your account credentials.

Credential reuse; not even once.

Has your account been compromised? Are you surprised at how long it took Yahoo to act? Which major service will be breached next? Let us know your thoughts below!

Related topics: Hacking, Online Security, Password.




  1. Tijuanna Battle
    January 17, 2018 at 8:36 pm

    I have been trying for months to access my Yahoo acct with no success. I have tried everything. I answered my security questions, I've tried to change my password several times, I've tried everything I can think of to no avail. What do I need to do to get into my acct? This is ridiculous.

  2. Aldo Progressino
    December 20, 2016 at 2:28 pm

    Don't you think it's time to convince the "public at large" to "stop" using all these "free" services? They all collect and use our data for their own purposes! Do you really think they want you just to have a good time on their sites, or that they really care about you personally so they want to give you something for nothing? It's all about data collection; the company with the most data is obviously worth the most. Why do giant corporations gobble each other up? Believe me, it's not because that company has great parking spots! The first and foremost intent of these "free email" corporations and social media sites is to collect data, "YOUR DATA", that can be harvested and gleaned to be sold to the highest bidder, or used for profiting in some form or another. Read the tiniest of small print written in the longest of their service agreements and you will realize how little protection you really have under law by agreeing to utilize these "free" services. You basically are agreeing to whatever vague and obscure language they use to get you to accept their use of your personal and intellectual property without regard or repercussion. WHAAAAT!!! A small investment can get you a personalized domain and a personalized email. There are hundreds of services out there that offer domains and hosting for a very small fee. These are so affordable in this day and age it's a "no brainer" to "migrate" over to your "own" email service. With pricing as low as 3.99 a month, the same you pay for a worthless game app that adds absolutely no productive footprint to our lives. Or just give up one latte a week for 3 months and it's paid for the year. Seems to me the "talking heads" are "talking loud" and "sayin nothing"! Move over to the next "free" service that will be hacked? Good sound advice? Take control of what little you can of your life and stop acting surprised when the worst happens. Be Safe, Be Secure, Be Self Reliant!

  3. Maryon Jeane
    September 30, 2016 at 11:11 am

    "Passwords are irritating but easy to change; a mother’s maiden name isn’t."

    I've never understood why 'mother's maiden name' is used for security purposes. Your mother's original (I seriously hate this 'maiden' business...) name is a matter of record and is hardly difficult to find out. When asked to use my mother's maiden name I always use a random and different-each-time name; to do anything other seems daft to me.

    • Gavin Phillips
      September 30, 2016 at 11:35 am

      Completely agree. I'm currently writing an article explaining how you should really answer security questions and why, as you point out, they're a massive potential vulnerability.