Yahoo revealed yesterday that 500 million accounts were hacked in 2014. Sensitive data may have been stolen including “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” However, the company claims financial data like credit card numbers or bank account information was not stolen because it wasn’t stored on the system found to be affected.
Although the hack occurred in 2014, it was only discovered recently. In August, a hacker named Peace claimed to be selling data from 200 million Yahoo accounts. After opening an investigation, the company eventually discovered a hack far worse than the one described by Peace. It is believed to be the largest hack of its kind, affecting more accounts than any previous hack that is known to the public.
The nearly two-month gap between Yahoo opening its investigation and this public revelation has drawn criticism from some. Senator Richard Blumenthal stated, “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Blumenthal has called for legislation that would force companies to promptly inform users when their data has been compromised, and he also called for an investigation into whether the company “concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”
Verizon agreed to purchase Yahoo in late July, and Verizon was only informed of the hack this week. A Verizon spokesperson told CNNMoney, “Within the last two days, we were notified of Yahoo’s security incident. We understand Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.” Since the deal has not been finalized, Verizon may seek to renegotiate its acquisition of Yahoo or walk away entirely after this incident.
Yahoo is working with law enforcement to investigate the matter and the FBI issued a statement that it is taking the matter seriously. The company has stated that the hack is the work of a state-sponsored actor, but didn’t provide any information about what country might be responsible. U.S. intelligence officials, who declined to be identified, told Reuters that the Yahoo hack resembles previous hacks that have been traced to Russian intelligence agencies.