Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users

Published: 22/11/2024   Category: security




But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum.



The other shoe has dropped - maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor.
Some 500 million Yahoo user accounts were stolen, and Yahoo is working with law enforcement in an investigation of the attack. The announcement comes as Yahoo begins the process of selling its operating business to Verizon for some $4.83 billion in cash, a deal that was first announced in late July. Security experts say this could be a record-breaking breach in terms of size.
Bob Lord, CISO at Yahoo, said in a blog post today that the attackers stole a copy of certain Yahoo user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with bcrypt, while some security questions and answers were encrypted and some were not, he said.
Payment card and bank account information was not associated with the breached system, he said, so that information was not exposed.
The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, he said.
Yahoo's revelation today came after many Yahoo users reported receiving password-change emails over the past 24 hours, some with the subject line "secure your Yahoo account" and no explanation. Others received email notices of suspicious activity on their accounts, along with steps for resetting their passwords.
ReCode this morning reported that Yahoo would be announcing a breach affecting millions of its users.
But the drama officially began unfolding publicly back in August, when a hacker known as Peace or Peace_of_Mind began selling online what he advertised as some 200 million Yahoo user credentials. Peace, who is known to be the co-founder of the underground TheRealDeal Marketplace, had done the same with stolen LinkedIn and MySpace credentials in May of this year. At the time, Yahoo told Motherboard it was investigating the report.
Today's announcement is Yahoo's first official confirmation of a cyberattack involving user credentials. Still unclear is whether the Peace incident is related to the newly revealed nation-state breach and, if so, whether that same nation-state actor is also responsible for the LinkedIn and MySpace attacks.
It's possible the two Yahoo credential breach incidents are separate attacks, notes Jeremiah Grossman, chief of security strategy at SentinelOne and a former infosec officer at Yahoo. If the attackers were out of China, for example, he says, they wouldn't likely share or sell stolen information. "For all we know, these are separate breaches," he says, noting that the details of the two don't quite match up.
Nation-state cyber espionage is typically about gathering intelligence: geopolitical information, intellectual property, or even inside information on a merger or other business deal. The attackers who hit Yahoo were likely fishing for access to Yahoo accounts that could get them either inside the company for its secrets or into some Yahoo user accounts for similar purposes.
Yahoo's dealings with Alibaba, for instance, would be of interest to a Chinese nation-state actor, Grossman notes. "The attackers would hack the system to figure out what Yahoo was negotiating and share with guys on their side, like a Chinese organization, for example," he explains.
If the attacks are related, however, Yahoo's response has confounded some experts. Why it took Yahoo nearly two months to confirm there was a breach, meanwhile potentially leaving Yahoo Mail users' accounts dumped and vulnerable, is a question many are mulling today. "I would err on the side of caution and force a password change. It's better to be out in front of it than behind it," says Rick Holland, vice president of strategy at Digital Shadows.
"Let's be honest. If [Peace] was selling this in August, these credentials were already used in other [attack] campaigns long before that," he says.
Yahoo gave no details of how the nation-state hackers infiltrated the company's network, but experts say the most likely vector was the old reliable phishing attack: fooling a Yahoo employee with a malicious attachment or link that downloaded malware, giving the attackers a foothold in the network.
Grossman says that, like any large tech firm, Yahoo is a juicy target with its massive network presence. "It's a big attack surface," he says of Yahoo's massive infrastructure. "There's so much to defend … It's a hot target, so attacks are no surprise," he says.
Fallout
Phishing attacks will likely be the number one fallout, with the stolen Yahoo account data used to bait phishing messages. Credential stuffing, a brute-force attack in which attackers replay stolen username-and-password pairs against a website until they find a match, is another big risk.
But perhaps the biggest risk is to Yahoo users who reuse passwords across different accounts. According to a recent study by TeleSign, some 73% of online accounts use passwords that are duplicated on other accounts. Bottom line: Yahoo users whose stolen password is also used on other sites need to change those accounts' passwords ASAP, too.
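As an added example, not part of the original article, the credential-stuffing pattern just described can be surfaced from authentication logs: the Python below (the log format, thresholds and sample lines are my own constructed assumptions) flags a source address that tries many distinct usernames with mostly failures in a short window, and lists the accounts that nevertheless logged in from it, since those are the reused passwords the paragraph warns about.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stuffing signature: one source IP, many distinct usernames, mostly failures, short window.
LOG_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log lines, not real data: 203.0.113.10 is one user mistyping
# a password; 198.51.100.7 sprays six different accounts in six seconds.
SAMPLE_LOG = """\
2016-09-22T10:00:01 login ok user=alice ip=203.0.113.10
2016-09-22T10:00:05 login fail user=alice ip=203.0.113.10
2016-09-22T10:00:09 login ok user=alice ip=203.0.113.10
2016-09-22T10:01:00 login fail user=bob ip=198.51.100.7
2016-09-22T10:01:01 login fail user=carol ip=198.51.100.7
2016-09-22T10:01:02 login fail user=dave ip=198.51.100.7
2016-09-22T10:01:03 login ok user=erin ip=198.51.100.7
2016-09-22T10:01:04 login fail user=frank ip=198.51.100.7
2016-09-22T10:01:05 login fail user=grace ip=198.51.100.7
"""

def parse(lines):
    # Yield (timestamp, result, user, ip) for every line matching the assumed format.
    for line in lines.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio, users_that_logged_in)} for stuffing sources."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        by_ip[ip].append((ts, result, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this IP's events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, _, u in win}
            fails = sum(1 for _, r, _ in win if r == "fail")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                hits = sorted(u for _, r, u in win if r == "ok")  # likely reused passwords
                flagged[ip] = (len(users), round(ratio, 2), hits)
    return flagged
```

Accounts listed in the last tuple element are the ones to force a password reset on, as Holland recommends above.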
Yahoo doesn't require two-factor authentication, but the breach again demonstrates the time has come for this to become a standard for user authentication – for internal users and customers alike, experts say. The catch with this breach, however, is that the attackers have enough personal information on Yahoo users that they could still have hijacked an account protected with 2FA, Grossman says. "If you've got birthdays and addresses, you can log into an account," he says.
The good news: some of the stolen Yahoo account data was encrypted, assuming Yahoo has strong encryption practices.
"The good news is that the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted, but these records could be easily decrypted if the company did not implement properly managed encryption keys," says Jason Hart, vice president and CTO of data protection at Gemalto.
Yahoo's Lord says there's no evidence the nation-state hackers are still resident in its network.
What Now
Yahoo recommends users change their passwords and security questions and answers for both Yahoo and any other accounts where they used the same passwords or similar security information. In addition, Yahoo says users should:
Review your accounts for suspicious activity.
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.