Last Thursday, Sept 22, 2016, Yahoo announced that at least 500 million accounts were hacked.  Since many of our clients and their users use Yahoo, we immediately posted an alert to social media and published a Security Bulletin.

Here’s what we know so far:

  • Names, email addresses, phone numbers, dates of birth, hashed passwords (the vast majority hashed with bcrypt, per Yahoo's statement), and in some cases encrypted or unencrypted security questions and answers may have been stolen.
  • This is potentially the largest data breach in terms of user accounts…ever.
  • Yahoo says the data was stolen from its network in late 2014, so the compromise is roughly two years old.
  • Yahoo has publicly stated that a “state-sponsored actor” is responsible.

UPDATE:  Some believe that the hacker and dark web data peddler “Peace” is responsible, since last month they posted for sale what they claimed was data on 200 million Yahoo users.  Others feel that if the breach is state-sponsored, “Peace” is ruled out.  Still others think the “state-sponsored actor” label is just a scapegoat.  Yahoo is currently non-committal on who is behind the hack, and has given no indication of which nation it is blaming.

What’s affected:

  • Yahoo Mail (250 million users)
  • Yahoo Finance (81 million users)
  • Yahoo Fantasy Sports (several million users)
  • Flickr users linked to Yahoo IDs (113 million users)

The Good News:  Tumblr is reportedly NOT affected.

The “Badder” News:  If you used your Yahoo password on other accounts, you are exposed there too.  Attackers take the leaked email/password pairs (cracking the hashed ones first; bcrypt slows that down, but weak passwords still fall) and replay them against banks, social networks, and corporate logins.  This is called credential stuffing, and it is the single most common way a breach at one site turns into a breach at another.
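What credential stuffing looks like from the defender's side, as an added example for this post (not Yahoo's code, and the log format, IP addresses and usernames are constructed): a stuffing run is one source trying ONE leaked password against MANY different usernames, so the failures are spread across accounts rather than piled on one. The script below parses constructed auth log lines, finds sources that touch many distinct usernames in a short window with a low success rate, and lists the accounts that did succeed so they can be force-reset. The thresholds (5 distinct users in 5 minutes, success rate at or below 50%) are assumptions to tune for your own service.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example for this post, not Yahoo code.  The log format, IP addresses
and usernames are constructed.  A credential-stuffing run differs from a
brute-force attempt: one source tries ONE password for MANY different
usernames (the leaked pairs), so failures are spread across accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <result>"
# 203.0.113.7 is a stuffing run (10 users, 2 hits); 198.51.100.2 is a
# single-account brute force; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2016-09-23T10:00:01 203.0.113.7 alice@example.com FAIL
2016-09-23T10:00:02 203.0.113.7 bob@example.com FAIL
2016-09-23T10:00:02 203.0.113.7 carol@example.com SUCCESS
2016-09-23T10:00:03 203.0.113.7 dave@example.com FAIL
2016-09-23T10:00:04 203.0.113.7 erin@example.com FAIL
2016-09-23T10:00:05 203.0.113.7 frank@example.com FAIL
2016-09-23T10:00:05 203.0.113.7 grace@example.com FAIL
2016-09-23T10:00:06 203.0.113.7 heidi@example.com SUCCESS
2016-09-23T10:00:07 203.0.113.7 ivan@example.com FAIL
2016-09-23T10:00:08 203.0.113.7 judy@example.com FAIL
2016-09-23T10:01:00 198.51.100.2 alice@example.com FAIL
2016-09-23T10:01:30 198.51.100.2 alice@example.com FAIL
2016-09-23T10:02:00 198.51.100.2 alice@example.com SUCCESS
2016-09-23T11:30:00 192.0.2.9 bob@example.com SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Flag source IPs whose attempts within a sliding time window hit at
    least `min_users` distinct usernames with a success rate at or below
    `max_success_rate`.  Returns {ip: {"distinct_users", "attempts",
    "compromised"}} using the widest matching window per IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            if len(users) < min_users:
                continue
            successes = [e[2] for e in window_evs if e[3]]
            if len(successes) / len(window_evs) > max_success_rate:
                continue  # mostly succeeding: looks like a legitimate shared egress IP
            if ip not in flagged or len(window_evs) > flagged[ip]["attempts"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_evs),
                    "compromised": sorted(set(successes)),  # accounts to force-reset
                }
    return flagged


def accounts_to_reset(text):
    """Every username that a flagged stuffing source logged into successfully."""
    report = find_stuffing_sources(parse_log(text))
    return sorted({u for r in report.values() for u in r["compromised"]})


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} users in {info['attempts']} attempts; "
              f"compromised: {', '.join(info['compromised']) or 'none'}")
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG))
```

The brute-force source (one username, three tries) is deliberately not flagged: it needs a different rule (per-account lockout), and mixing the two patterns into one threshold is how stuffing runs slip under per-account lockouts in the first place.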

What to do!

Reset passwords – Well…duh…but this should be taken care of!  Change your Yahoo password now, and then change the password on every other account where you used the same or a similar one.  Use a different password for each site (a password manager makes this painless).

Invalidate security questions – Since the questions and answers themselves may have been stolen, a new password alone does not help if the old answers can still be used for account recovery.  Thankfully, Yahoo has provided a link for this when you log in.  Log in now and you’ll see more details.

Implement multi-factor authentication – Yahoo offers two options: two-step verification, which sends a code to your phone at login, and Yahoo Account Key, which replaces the password with an approval prompt in the Yahoo app.  Either one means a stolen password by itself is no longer enough to get in.

We have some specific steps and links that we will be sending exclusively to our newsletter subscribers.  If you’d like to sign up, please visit http://t2d.la/signup

Be sure to follow our Security Blog at http://t2d.la/security and @BansheeCloud on Twitter for real time updates!

Here’s our initial Security Bulletin on this: http://conta.cc/2d0DZvN 

Finally, please check out why we’ve always advised clients to avoid free email services for business:  Free Email Is No Bargain

More Information:

500 million Yahoo accounts breached

http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-confirm-massive-data-breach/90824934/ or Short URL http://t2d.la/a101


Yahoo says 500 million accounts stolen

http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/ or Short URL http://t2d.la/a102


Yahoo’s Data Breach: What to Do If Your Account Was Hacked

http://www.bloomberg.com/news/articles/2016-09-22/yahoo-s-data-breach-what-to-do-if-your-account-was-hacked or Short URL http://t2d.la/a103


#OnlineThreat Yahoo! Hack!