Yahoo recently confirmed in a press release that it had been hit by its worst hack ever two years ago. At least 500 million of its user accounts were breached by hackers in 2014, well before Verizon’s ongoing $4.8 billion acquisition of Yahoo’s core business even began.
The hack, which the pioneer internet company said was carried out by a “state-sponsored actor,” is the world’s largest-ever publicly confirmed data breach, according to the Privacy Rights Clearinghouse – a nonprofit organization that tracks cybersecurity breaches.
The hack is not only the largest hack by the number of accounts compromised, but also might be one of the most significant in recent years. So many people have a Yahoo account of some type or other, from email to finance and fantasy sports, which in effect means much of the world is affected.
The hackers obtained users’ names, email addresses, phone numbers, birth dates and “hashed passwords.” In some cases they also stole security questions and answers that would let the hackers access the accounts.
Unsurprisingly, the mega-breach has attracted its first lawsuit over the hacking.
Just a day after Yahoo disclosed the hacking of its user accounts, unprecedented in size, a user filed a lawsuit in the federal court in San Jose, California. The suit accused Yahoo of gross negligence, saying the internet company demonstrated “disregard for the security of its users’ personal information.” It also faulted Yahoo for taking roughly three times longer than firms typically need to uncover a breach.
It is currently unclear when Yahoo learned about the attack and why it wasn’t announced sooner. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation.
The hacking, however, threatens to derail Yahoo just as it is being bought by Verizon – a deal that some think will provide a lifeline for the under-siege company. It also opens a window for a gaggle of class-action lawyers to start suing Yahoo over the breach. Federal and state regulators will likely also launch investigations and possibly demand fines or penalties from the company. All this litigation might further complicate Yahoo’s efforts to placate its already disgruntled users.
Ronald Schwartz, the New York resident who filed the lawsuit against Yahoo on behalf of all users in the United States whose personal information was compromised in the breach, is seeking class-action status and unspecified damages. Schwartz is represented by two large U.S. class-action specialists, Robbins Geller Rudman & Dowd and Labaton Sucharow.
Far more significant than the effect the hacking will have on Yahoo’s ongoing acquisition by Verizon is the effect the breach will have on the company’s hundreds of millions of users.
“When a company has allowed their customers’ data to fall into the hands of criminals, the resulting lack of trust is difficult to repair,” Ebba Blitz, security expert and CEO at Alertsec, a cloud-based encryption company, said in a statement.
"Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud," added Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. "We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether," stated McDowell.
The good news for users, though, is that Yahoo used a type of cryptography called “hashing” to protect user passwords. This means that the hackers would typically need to use very powerful computers to crack the passwords one at a time.
The bad news, however, is that many people still use common passwords, and hackers typically use readily available computer programs to test those first. If you still use “12345,” “password” or “Iloveyou” as your password, the hackers will likely have an easy way into your account.
If you haven’t changed your password since late 2014 or suspect your Yahoo accounts may have been compromised, the advice remains the same either way: change your Yahoo password and security questions as soon as possible. Also change the password anywhere else you may have re-used that information. A common tactic is for hackers to take usernames and passwords they steal from one site, and then try to log in with them elsewhere. Ideally, stop re-using compromised passwords altogether.
"Review your accounts for suspicious activity," Yahoo adds. "Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.”
Since Yahoo is a major webmail provider, there is one extra problem: any additional service that has password reset emails sent to a Yahoo Mail account might also be compromised. Change those passwords as well.
Furthermore, as Yahoo cautions, "Avoid clicking on links or downloading attachments from suspicious emails."