In one of the largest hacks in history, Yahoo Inc. admitted Thursday that hackers were able to obtain the account details of more than 500 million users in a 2014 breach.
The breach raised speculation about the potential impact on the Internet pioneer’s $4.8 billion deal to be acquired by Verizon Communications Inc. Yahoo said in a statement that account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
The company, which agreed in July to be acquired by Verizon in a deal that’s still pending, said that it believes the hack was undertaken by a “state-sponsored actor” but provided no further details as to which country they believe might have been behind the hack. News of a potential hack of Yahoo first emerged in August when it was revealed that a hacker by the name of “Peace” was selling the details of some 200 million Yahoo users on the dark web marketplace The Real Deal for the price of three bitcoin.
Yahoo contends that hacked data did not include unprotected passwords, payment card data, or bank account information, and that the passwords were primarily bcrypt hashed, however, the passwords in the user data that appeared on the dark web in August were MD5-encrypted, meaning that they can be easily decrypted and are nearly the same as being in unencrypted “cleartext.”
Perhaps proving that the passwords can be easily decrypted, Yahoo is asking all users to change their passwords and adopt alternative means of account verification. In addition, the company is invalidating unencrypted security questions and answers so they cannot be used to access an account.
Given Yahoo’s near constant decline in users the chances are the majority of the account details accessed in the hack do not relate to currently used accounts, but that ultimately is besides the point given that people often use the same password and security questions across multiple sites, meaning the benefit of the data is its potential use for identity theft on other services.
The scale of the hack, Yahoo’s seeming inability to defend against it and the potential consequences could result in a class action lawsuit against Yahoo. It’s not clear that the Verizon deal could be affected, though Verizon issued this statement:
“Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in [a] position to further comment.”