Yahoo recently confirmed it had been hit by its worst hack two years ago. At least 500 million of its user accounts were breached by hackers back in 2014, well before Verizon’s ongoing $4.8 billion acquisition of Yahoo’s core business began.
The hack, which the pioneer internet company said was carried out by a “state-sponsored actor,” is the world’s largest-ever publicly confirmed data breach, according to the Privacy Rights Clearinghouse – a nonprofit organization that tracks cybersecurity breaches.
The hack is not only the largest hack by the number of accounts compromised, but also might be one of the most significant in recent years. A large number of people across the world have a Yahoo account of some type, ranging from email to finance and fantasy sports. This in effect means much of the world is affected.
The hackers obtained users’ names, email addresses, phone numbers, birth dates and “hashed passwords.” In some cases they also stole security questions and answers that would let the hackers access the accounts.
As expected following the mega-breach, the hacking has attracted its first lawsuit.
First lawsuit filed over breach of Yahoo user accounts
Just a day after Yahoo disclosed the hack of its user accounts, which is unprecedented in size, a user filed a lawsuit in a federal court in San Jose, California. The lawsuit accused Yahoo of gross negligence, saying the internet company demonstrated “disregard for the security of its users’ personal information.”
The suit also faulted Yahoo for taking roughly three times longer than firms typically require to uncover a breach. It is unclear when Yahoo learned about the attack and why it wasn’t announced sooner. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation.
The hacking threatens to derail Yahoo just as it is being acquired by Verizon, a deal that some think will provide a lifeline for the under-siege company. It also opens a window for a gaggle of class-action lawyers suing Yahoo over the breach. Federal and state regulators will likely also launch investigations and possibly demand fines or penalties from the company. All this litigation could complicate Yahoo’s efforts to placate its already disgruntled users.
Ronald Schwartz, the New York resident who filed the lawsuit against Yahoo on behalf of all users in the United States whose personal information was compromised in the breach, is seeking class-action status and unspecified damages. Schwartz is represented by two experienced U.S. class-action specialists, Robbins Geller Rudman & Dowd and Labaton Sucharow.
Effects of the mega-hacking at Yahoo
Far more significant than the effect the hacking will have on Yahoo’s ongoing acquisition by Verizon is the effect the breach will have on the company’s hundreds of millions of users.
“When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair,” Ebba Blitz, security expert and CEO at Alertsec, a cloud-based encryption company, said in a statement.
"Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud," added Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. "We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether."
The good news for users, though, is that Yahoo used a type of cryptography called “hashing” to protect user passwords. This means that the hackers would typically need to use very powerful computers to crack the passwords one at a time.
The bad news, however, is that many people still use common passwords, and hackers typically use readily available computer programs to test those first. If you still use “12345,” “password” or “Iloveyou” as your password, the hackers will likely have an easy way into your account.
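An added example (not from the article or from Yahoo) of this point seen from the defender's side: a credential-store audit that flags accounts whose hashed password matches the common passwords named above, so those accounts can be forced to reset. PBKDF2 with a per-user salt and the sample accounts are assumptions; the article does not say which hashing scheme Yahoo used.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with a per-user salt stands in for the
# unspecified hashing scheme. The iteration count is kept low so the demo
# runs quickly; production systems use far higher work factors.
ITERATIONS = 10_000

# The three weak passwords named in the article.
COMMON_PASSWORDS = ["12345", "password", "Iloveyou"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def audit_weak_accounts(records: dict, wordlist=COMMON_PASSWORDS) -> list:
    """Return usernames whose stored hash matches a common password.

    Every check costs one full key derivation per account, which is what
    protects strong passwords. A short common-password list stays cheap to
    test regardless, so weak passwords gain little from hashing.
    """
    flagged = []
    for user, rec in records.items():
        for candidate in wordlist:
            derived = hash_password(candidate, rec["salt"])
            if hmac.compare_digest(derived, rec["hash"]):
                flagged.append(user)
                break
    return sorted(flagged)


# Constructed sample credential store (not real data).
SAMPLE_STORE = {
    "alice": make_record("password"),
    "bob": make_record("Iloveyou"),
    "carol": make_record("tq7#Vm2!xLr9-unique-passphrase"),
}

if __name__ == "__main__":
    print("force password reset for:", audit_weak_accounts(SAMPLE_STORE))
```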
What to do if your Yahoo account has been compromised
If you haven’t changed your password since late 2014 or suspect your Yahoo accounts may have been compromised, the advice remains the same either way: change your Yahoo password and security questions as soon as possible. Also change the password anywhere else you may have re-used that information. A common tactic is for hackers to take usernames and passwords they steal from one site, and then try to log in with them elsewhere. Ideally, stop re-using compromised passwords altogether.
"Review your accounts for suspicious activity," Yahoo adds. "Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information."
Since Yahoo is a major webmail provider, there is one extra problem: any additional service that has password reset emails sent to a Yahoo Mail account might also be compromised. Change those passwords as well.
Furthermore, as Yahoo cautions, "Avoid clicking on links or downloading attachments from suspicious emails."