2014 brought us a Yahoo! data breach that has only been disclosed now; Yahoo! formally declared the breach to consumers on September 22. This isn’t the first large data breach that Yahoo! has had over the past few years, just the largest.
In 2012, there was a breach of 450,000+ identities. Millions of identity records that the media initially linked to the 2012 breach were apparently being sold by hackers in August 2016. It would be speculative to assume that the records for sale in August were part of the 2014 raid.
The facts so far:
- 500 million records were stolen by the hackers. Based on the latest active email account numbers disclosed for Yahoo!, many of these accounts are inactive or forgotten
- Some of the data was stored unencrypted
- Yahoo! believes that it was a state-sponsored actor, but it has offered no evidence to support this hypothesis. It would be a bigger reputational issue if it was ‘normal’ hackers or an organised crime group
- There are wider security implications because the data included personal security questions
A Vermont senator asked the following questions in a letter to Yahoo!:
- When and how did Yahoo first learn that its users’ information may have been compromised?
- Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
- What Yahoo accounts, services, or sister sites have been affected?
- How many total users are affected? How were these users notified? What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
- What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
- What is Yahoo doing to prevent another breach in the future?
- Has Yahoo changed its security protocols, and in what manner?
- Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?
Added to this, shareholders and Verizon are likely to want to know:
- Chain of events / timing of the discovery of the hack?
- Has Yahoo! declared what it knew at the appropriate time?
- Could Yahoo! be found negligent in its security precautions?
- How will this impact the ongoing attrition in Yahoo! user numbers?
- How does Yahoo! know that it was a state-sponsored actor?
- Was there really Yahoo! data being sold on the dark web in August?
- Was that data from the 2014 cache?
- How did they get in?
An Important Message About Yahoo User Security | Yahoo – Yahoo!’s official announcement
UK Man Involved in 2012 Yahoo Hack Sentenced to Prison | Security Week
Congressional Leaders Demand Answers on Yahoo Breach | Threat Post