UPDATE: Sept. 22, 3:45 P.M., EASTERN: Yahoo confirmed the report, but the breach turned out to be greater than previously expected. More details here.
Yahoo, the web portal popular among fantasy football players and free webmail users, may have been the victim of a data breach affecting about 200 million users (later confirmed to be 500 million users). Rumors of such a breach surfaced last month, and a Recode report posted early today (Sept. 22) indicated that the company would soon confirm the rumors.
Two Tom's Guide staffers saw a tacit admission that something may be wrong when they tried to log into their Yahoo Mail accounts this morning. Both received suggestions to change their passwords, even on accounts that had two-factor authentication enabled. Have I Been Pwned? administrator Troy Hunt, who collects credentials exposed in data breaches, reported the same thing.
It's still possible that Yahoo was not itself breached, and that the reported 200 million Yahoo accounts were aggregated and sifted from data breaches at other online services, such as those affecting LinkedIn (177 million accounts) and MySpace (360 million accounts).
The alleged malicious hacker who first came forward with the details of the Yahoo accounts — said to include usernames, hashed passwords, birth dates and backup email addresses — told VICE Motherboard last month that the Yahoo data is from "2012 most likely."
Motherboard broke the news Aug. 1 when that hacker, who uses the pseudonym Peace, put the Yahoo data up for sale for 3 Bitcoin (approx. $1,801 US) on The Real Deal online-crime marketplace. Peace earlier this year disclosed the MySpace and LinkedIn data breaches, but it's unlikely that he himself stole that data. The low price he wanted for the Yahoo data indicates that it's probably old, well picked over and no longer worth much to cybercriminals.
In August, Yahoo told Motherboard that it was "aware of a claim," but didn't deny a data breach. Peace replied that "they dont [sic] want to confirm well better for me they dont [sic] do password reset."
Peace also claimed to have "been trading the data privately for some time" before deciding to sell it.
Motherboard checked two dozen account credentials supplied by Peace, and discovered that the usernames did correspond to Yahoo accounts. Yahoo apparently protected its user passwords with the MD5 hashing algorithm, for which the first weakness was found in 2005. No company should have been using the algorithm to protect passwords in 2012.
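The fix for a store of unsalted MD5 password hashes is not to re-hash the MD5 values but to move each account to a salted, deliberately slow scheme the next time the user logs in, and to force a reset for anyone who never does. The following is an added illustration, not code from Yahoo or from this article; the row format, the PBKDF2 iteration count and the sample credentials are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Assumed store layout for this example: {username: stored_hash_string}.
# Legacy rows hold a bare 32-hex-char MD5 digest; upgraded rows are tagged.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # hypothetical policy value chosen for this example


def is_legacy_hash(stored: str) -> bool:
    """True when a stored credential is an unsalted hex MD5 digest."""
    return bool(LEGACY_MD5.match(stored))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash in the form pbkdf2_sha256$iters$salthex$digesthex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Check a login; on success, replace a legacy MD5 row with a PBKDF2 row."""
    stored = store.get(username)
    if stored is None:
        return False
    if is_legacy_hash(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, stored):
            return False
        store[username] = pbkdf2_hash(password)  # opportunistic upgrade at login
        return True
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def legacy_accounts(store: Dict[str, str]) -> List[str]:
    """Usernames still protected only by unsalted MD5: force a reset for these."""
    return sorted(u for u, h in store.items() if is_legacy_hash(h))


# Constructed demo store; these are sample passwords, not real credentials.
DEMO_STORE = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),            # legacy row
    "bob": pbkdf2_hash("correct horse battery staple"),      # already upgraded
}
```

Accounts that remain in `legacy_accounts()` after a migration window are exactly the ones that should receive the forced password reset the article describes.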
Yahoo is currently trying to sell itself to Verizon, and Recode speculated that news of a massive data breach could send Yahoo stock tumbling, lowering the cost for Verizon.
Yahoo users who want to protect their accounts should log in to Yahoo.com immediately and reset their passwords. If Yahoo doesn't prompt you to do so, then visit Yahoo's Set a new password page and change the password manually. Users can also use Yahoo Account Key, which eschews passwords in favor of using the Yahoo mobile app to turn smartphones into authentication devices.
As we say every time we report on a massive server breach, never, ever, recycle passwords. If your email address and password have been available on the black market for months, along with a secondary email address, you had better not have used those same credentials for online banking or other highly valuable accounts.