In a press release today (Sept. 22), Yahoo confirmed earlier reports of a massive data breach of its servers, disclosing that in 2014 someone had stolen users' names, email addresses, telephone numbers, dates of birth and hashed passwords. Contrary to earlier reports, the data set contained 500 million accounts, not 200 million, making it the largest data breach on record.
Yahoo said it believed the theft was performed by "a state-sponsored actor," as opposed to a criminal group or individual. The good news is that Yahoo said the "vast majority" of the stolen passwords had been "hashed" using bcrypt, a deliberately slow password-hashing function that makes recovering the original passwords expensive: the hash cannot be reversed, so an attacker must guess candidate passwords one at a time and run each through the slow function. Bcrypt includes built-in "salting," which mixes a random per-password value into each hash. The salt is stored next to the hash rather than kept secret; its job is to make identical passwords produce different hashes and to render precomputed lookup tables useless. Salting does not rescue inadvisable passwords such as "password," however; those are among the first guesses any cracker tries and fall almost immediately, bcrypt or not.
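To make the hashing and salting point concrete, here is an added illustration that is not code from the original article and not Yahoo's implementation. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, which is not in the Python standard library; the iteration count and the five-entry wordlist are constructed for the example. It shows that a random per-password salt makes identical passwords hash differently, that the salt is stored in the clear rather than kept secret, and that a guessable password is still recovered by a dictionary attack against the stolen salt and hash while a long random passphrase is not.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the standard
# library). Both are salted, deliberately slow password hashes.
ITERATIONS = 20_000  # kept small so the example runs quickly; production uses far more

# Constructed stand-in for a cracker's wordlist (real lists hold millions of entries).
WORDLIST = ["123456", "qwerty", "password", "letmein", "yahoo2014"]


def unsalted_hash(password: str) -> bytes:
    """A fast, unsalted hash: the same password always gives the same digest,
    so one precomputed table cracks every user who chose it."""
    return hashlib.sha256(password.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash. Returns (salt, digest); the salt is random per password
    and is stored next to the digest in the clear, as bcrypt embeds it in its output."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist=WORDLIST) -> Optional[str]:
    """What an attacker does with a stolen (salt, digest) pair: guess, hash, compare.
    The salt is known, so it only blocks precomputation; it cannot hide a weak password."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    # Two users who both chose "password": identical unsalted hashes, distinct salted ones.
    print(unsalted_hash("password") == unsalted_hash("password"))  # True
    s1, d1 = hash_password("password")
    s2, d2 = hash_password("password")
    print(d1 != d2)  # True
    # Cracking the stolen row: the weak password falls, the long passphrase does not.
    print(dictionary_attack(s1, d1))  # password
    s3, d3 = hash_password("correct horse battery staple")
    print(dictionary_attack(s3, d3))  # None
```

The only thing the slow function buys the user is time: each guess costs the attacker one full hash computation, so the cost factor (bcrypt's "rounds") sets how many guesses per second a cracking rig can make, and a password that appears early in a wordlist is recovered regardless of how high that cost is set.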
Yahoo added that the data set did not include credit card information or bank-account numbers. But, it said, "in some cases, encrypted or unencrypted security questions and answers" were included.
The company did not say how it had discovered the data, although rumors of a large set of Yahoo data circulating in online criminal markets first appeared in early August. Nor did it mention whether accounts with its subsidiary Tumblr, which was hit by its own data breach earlier this year, might be affected. (Yahoo's other major subsidiary, Flickr, makes users sign in through Yahoo and was hence definitely affected.)
Yahoo has posted an FAQ regarding the data breach at https://help.yahoo.com/kb/account/SLN27925.html.
The company said it was "notifying affected users" and "invalidating unencrypted security questions and answers." Two Tom's Guide staffers were prompted to voluntarily change their passwords when they logged into Yahoo this morning, a step Yahoo said it was asking of all users who had not changed their passwords since 2014.
In its FAQ, Yahoo warned users to be wary of email messages purporting to come from Yahoo regarding the data breach, but which might actually come from spammers or scammers. Yahoo is sending an email to affected users, but it "does not ask you to click on any links or contain attachments and does not request your personal information."
Yahoo provided a template of the breach-notification email to be sent to affected users. It's not clear what distinguished "affected users" from the presumably larger pool of users who hadn't reset their passwords since 2014. The Tom's Guide staffers asked to voluntarily change their passwords did not receive such an email.
Yahoo recommended that all its users switch to Yahoo Account Key instead of entering passwords. When you try to log into your Yahoo account, Account Key sends a notification prompt to the Yahoo app on your iOS or Android smartphone, which the person holding the phone (presumably you) taps to confirm.
Alternatively, you could activate Yahoo's two-factor authentication (2FA) mechanism, which requires you to enter a password and then, if you're logging in from a device Yahoo hasn't seen before, a numeric code texted to your phone. Text-message 2FA does not depend on cellular-data or Wi-Fi networks, works on feature phones as well as smartphones and doesn't require the bandwidth-hungry Yahoo app. The caveat is that a texted code is only as safe as the phone number it goes to: anyone who takes over that number, for example by persuading the carrier to move it to a new SIM, receives the codes too.
The company also suggested that worried users check their credit reports. That may not be strictly necessary, as no financial data appears to have been compromised in the breach, but checking your credit report doesn't hurt. (A credit freeze blocks new credit applications, including your own, until you lift it, which can be inconvenient; a free fraud alert is the lighter step, requiring lenders to take extra measures to verify your identity before opening new credit for 90 days, without blocking anyone from running your credit report.)
However, the stolen data did include user birth dates, which can be useful to identity thieves, and unencrypted security questions and answers, which can be useful to criminals trying to break into a Yahoo user's other online accounts.
It seemed unusual that state-sponsored hackers, working at the behest of a foreign government, would steal Yahoo account credentials. Such data is of more immediate use to ordinary cybercriminals. And reports in early August featured a lone hacker trying to sell 200 million Yahoo credentials for about $1,800, hardly the actions, or the low price, you'd associate with state-sponsored hackers.
But the wave of medical-record breaches early in 2015 did appear to have been the work of Chinese state-sponsored hackers, whose plans for that data remain unclear.
For more background on what is now probably the largest data breach ever, we've got further information in our original report.