More and more information has come to light since Yahoo’s major security breach in 2013. In September 2016, Yahoo revealed that a hack in 2014 compromised an estimated 500 million users. A second disclosure in December of that year acknowledged that an earlier hack in 2013 had breached 1 billion user accounts.
Today that number is reportedly 3 billion, virtually every single Yahoo account in existence, making it far and away the largest known cybersecurity breach in modern history.
With the 2014 Yahoo breach at number two, additional runners-up include the Adult Friend Finder breach of 2016 and the eBay breach of 2014, which hit 412 million and 145 million users, respectively. The newest data also puts the Equifax breach on par with eBay’s.
Yahoo’s announcement comes as the result of an ongoing investigation into the attack. Bob Lord, Yahoo’s CISO, says they do not believe credit card or bank account data was breached (but I reiterate this is an ongoing investigation).
According to Lord, the vulnerable information included “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” Lord wrote. “Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
It should be noted that the Equifax hack of this year will still probably have larger long-term implications since the data included social security and credit card information.
What to Do Now
Yahoo’s announcement included suggestions to update passwords and security information, review accounts for suspicious activity, and be cautious of unsolicited communications. And with many small businesses not understanding cybersecurity threats well, there are quite a few other actions to take.
Remember too that the National Institute of Standards and Technology (NIST) updated their password guidelines this year. The suggestions remove periodic password changes, drop algorithmic and randomized passwords, and require that new passwords be screened against a list of common ones.
For corporate entities, consider risk-based authentication software. This is an emerging technology field and a new category to G2 Crowd. These identity and access management tools use a variety of recognition metrics to evaluate risk.
They monitor IP addresses, devices, behaviors and users to set customized authentication methods for each individual user hoping to access the network. Non-suspicious users accessing applications from known devices, locations, and networks may be automatically signed in.
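The risk-based decision described above, sketched as an added example (not from the original article or from any vendor's product). The signal names, weights, thresholds and the sample profile are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Profile:            # history from the user's earlier successful logins
    devices: set
    networks: list        # CIDR strings
    countries: set
    hours: range          # hours of day the user normally signs in

@dataclass
class Attempt:
    device: str
    ip: str
    country: str
    hour: int
    recent_failures: int = 0

# Assumed weights and thresholds; a real deployment tunes these on its own data.
WEIGHTS = {"new_device": 30, "new_network": 20, "new_country": 30, "odd_hour": 10}
STEP_UP_AT, DENY_AT = 30, 80

def signals(p, a):
    """Return the names of the risk signals this attempt raises."""
    addr = ip_address(a.ip)
    checks = {
        "new_device": a.device not in p.devices,
        "new_network": not any(addr in ip_network(n) for n in p.networks),
        "new_country": a.country not in p.countries,
        "odd_hour": a.hour not in p.hours,
    }
    return [name for name, raised in checks.items() if raised]

def decide(p, a):
    """Map the risk score to allow / step_up (ask for a second factor) / deny."""
    raised = signals(p, a)
    score = sum(WEIGHTS[s] for s in raised) + 10 * min(a.recent_failures, 5)
    if score >= DENY_AT:
        return "deny", score, raised
    if score >= STEP_UP_AT:
        return "step_up", score, raised
    return "allow", score, raised

# Constructed sample profile and attempts (documentation-range IP addresses).
ALICE = Profile({"laptop-01"}, ["203.0.113.0/24"], {"US"}, range(7, 20))
KNOWN = Attempt("laptop-01", "203.0.113.10", "US", 9)
NEW_PHONE = Attempt("phone-77", "203.0.113.10", "US", 9)
UNUSUAL = Attempt("unknown", "198.51.100.7", "BR", 3, recent_failures=2)

if __name__ == "__main__":
    for attempt in (KNOWN, NEW_PHONE, UNUSUAL):
        print(attempt.device, decide(ALICE, attempt))
```

The known device on a known network is signed in directly, a new device on the same network is asked for a second factor, and an unfamiliar device, network and country with recent failures is refused.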