Following reports Thursday morning of a massive Yahoo security breach, the embattled internet giant confirmed the worst this afternoon: personal records associated with hundreds of millions of accounts had been compromised in one of the worst cybersecurity breaches this year. According to a statement on a Yahoo FAQ webpage, a “state-sponsored actor” stole the names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers associated with more than 500 million Yahoo accounts in late 2014.
Yahoo said there is no evidence the responsible party still had access to its network or internal services. Furthermore, it said not all accounts were compromised, and that some details, such as bank account numbers and payment card data, do not appear to have been taken; Yahoo said that information is kept in a system separate from the one found to be affected. Out of an abundance of caution, the company said, it had begun notifying affected users and had invalidated unencrypted security questions and answers so they could no longer be used to access an account. It also urged account holders who had not changed their passwords since 2014 to do so, and encouraged all Yahoo users to change their security questions and answers and review their accounts for “suspicious activity.” Because people reuse both passwords and security answers, the same changes are worth making at any other service where the same credentials were used.
Yahoo said that it was working with law enforcement and that an investigation of the breach was ongoing.
The Wall Street Journal, citing an unnamed source within the company, reported that Yahoo’s databases contained well north of one billion user accounts, and that passwords were protected with MD5. MD5 is a hash function, not an encryption scheme, and it is a fast, unsalted one: MD5 digests of common passwords can be matched against precomputed tables in seconds on commodity hardware, so MD5 on its own offers little resistance to password cracking. Yahoo’s own statement said the vast majority of the stolen passwords were hashed with bcrypt, a deliberately slow, salted scheme. In an FAQ published Thursday afternoon, Yahoo said that its hashing method, a one-way function that turns a password into a fixed-length digest from which the original cannot be directly recovered, was chosen for its proven robustness against “password cracking” and reliability. “[It’s] a … mechanism that incorporates security features … including … multiple rounds of computation,” Yahoo said. That description of multiple rounds matches a slow hash such as bcrypt rather than MD5; any records that were protected with plain MD5 should be treated as effectively cracked wherever the password was weak or reused.
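To make the difference between a fast, unsalted hash and a salted, multi-round one concrete, the following Python is an added example (not code from the original report and not Yahoo’s own code). It runs the same dictionary attack against a constructed dump of unsalted MD5 hashes and against a constructed dump protected with PBKDF2-HMAC-SHA256, which stands in here for any slow, salted scheme such as bcrypt. The user names, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for the demonstration; none of this is real Yahoo data.
# A small cracking dictionary of common passwords.
WORDLIST = ["password", "123456", "qwerty", "letmein", "yahoo2014",
            "sunshine", "dragon", "iloveyou"]

# Hypothetical users and their passwords; two are in the wordlist, one is not.
USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "yahoo2014",
    "carol@example.com": "Tr0ub4dor&3",
}


def md5_hex(password):
    """Unsalted MD5: a fast hash, the weak end of the spectrum."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, rounds):
    """PBKDF2-HMAC-SHA256 with a per-user salt and a tunable round count.
    It stands in here for any deliberately slow, salted scheme such as bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_md5_dump(users=USERS):
    """What a leaked table of unsalted MD5 hashes looks like: user -> hex digest."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def make_pbkdf2_dump(rounds, users=USERS):
    """What a leaked table of salted, multi-round hashes looks like:
    user -> (salt, rounds, hex digest). The salt is stored alongside the hash."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dump[user] = (salt, rounds, pbkdf2_hex(pw, salt, rounds))
    return dump


def crack_unsalted_md5(dump, wordlist=WORDLIST):
    """Without a salt, one precomputed table (digest -> password) cracks every
    user in the dump in a single pass, however many accounts it holds."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def crack_salted_pbkdf2(dump, wordlist=WORDLIST):
    """With a per-user salt there is no shared table: each user costs a full
    wordlist run, and each guess costs `rounds` HMAC iterations."""
    found = {}
    for user, (salt, rounds, target) in dump.items():
        for guess in wordlist:
            if hmac.compare_digest(pbkdf2_hex(guess, salt, rounds), target):
                found[user] = guess
                break
    return found


def guess_cost_ratio(rounds=100_000):
    """How many times more CPU time one PBKDF2 guess costs than one MD5 guess
    on this machine. The exact figure varies; the order of magnitude is the point."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(10_000):
        md5_hex("password")
    md5_per_guess = (time.perf_counter() - start) / 10_000
    start = time.perf_counter()
    for _ in range(3):
        pbkdf2_hex("password", salt, rounds)
    kdf_per_guess = (time.perf_counter() - start) / 3
    return kdf_per_guess / md5_per_guess


if __name__ == "__main__":
    print("MD5 dump cracked in one pass:", crack_unsalted_md5(make_md5_dump()))
    print("PBKDF2 dump cracked per user:", crack_salted_pbkdf2(make_pbkdf2_dump(10_000)))
    print("PBKDF2 guess / MD5 guess cost ratio: %.0fx" % guess_cost_ratio())
```

Both attacks recover the two weak passwords and miss the strong one, which is the point: hashing does not rescue a password that appears in a wordlist. What the salt and the round count change is the cost. The MD5 dump falls to one table lookup per account regardless of how many accounts the dump holds, while the salted scheme forces the attacker to repeat the whole wordlist for every user and pay thousands of hash iterations per guess, which is why a multi-round hash buys users time to change a password and a fast one does not.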
Rumors of a massive security breach emerged as early as August, when a hacker using the username Peace offered to sell 200 million Yahoo usernames and passwords for about $1,900 on online marketplaces. The suspected cybercriminal is widely believed to have engineered the sale of stolen data from high-profile networks like LinkedIn and Myspace, reportedly to the collective tune of between $50,000 and $60,000, and has been linked to the sale of data taken from the European social networking site VK, Fling, Dropbox, Tumblr, OK.ru, Twitter, and Facebook.
At the time, a Yahoo representative said the company was aware of the incident and was “working to determine the facts.”
It is not the first time Yahoo has suffered a large-scale security breach. In 2012, a hacker group known as D33D Company downloaded 453,000 plaintext usernames and passwords belonging to Yahoo Voices, a self-publishing service, by way of a SQL injection flaw, according to the group. Following the intrusion, Yahoo fixed the vulnerability that led to the breach, changed affected users’ passwords and notified other companies whose users’ credentials appeared in the dump, since passwords reused across sites were exposed along with the Yahoo ones.
Yahoo has lately made strides in the area of security. Last year, as part of a separate effort to strengthen the network’s broader security, the company deployed a service that automatically detects and notifies users when it suspects their account may have been targeted by a state-sponsored actor. It encouraged affected users to turn on Account Key, Yahoo’s password-free login service that confirms sign-ins from the user’s phone, to activate two-step verification, to choose a strong, unique password, and to review recent activity in account settings.
Yahoo said that before Thursday’s disclosure, roughly 10,000 users had received an alert via the service.
It is unclear how Thursday’s disclosure will affect the $4.83-billion sale of Yahoo’s core assets to internet service provider and budding content mogul Verizon. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” a Verizon spokesperson said on Thursday.
As of publication, shares of Yahoo had fallen 0.3 percent to $44.02, while shares of Verizon had climbed one percent to $52.39.
The breach is yet another blemish for Yahoo President and CEO Marissa Mayer, who has struggled to turn around the beleaguered Silicon Valley company since its height in the early 2000s. Yahoo’s web properties, despite attracting more than 200 million U.S. monthly visitors in the past year, reported an 11 percent year-over-year decline in revenue during the company’s most recent earnings call. And Yahoo laid off 1,000 employees, or about 10 percent of its workforce, in the first quarter of 2016.
Analysts blame a failure to capitalize on mobile — and ballooning investments. In the first quarter of 2016, Yahoo made $250 million in revenue from smartphone and tablet users; Facebook, in contrast, made $4.5 billion in the fourth quarter of 2015. The company’s capital expenditures, driven by substantial investments such as streaming licenses for National Football League broadcasts and the purchase of shopping site Polyvore, climbed an average of 21 percent in 2015.
But Yahoo’s advertising business remains one of the web’s largest. This year, the company is expected to generate $2.83 billion in profit on a 1.5 percent share of the online advertising market. Yahoo Japan, a Japanese web portal that is the product of a joint venture between Yahoo and Japanese internet company SoftBank Group, has been appraised at nearly $9 billion. Yahoo’s other ventures, which include online publications like Yahoo Tech and Yahoo Finance, are worth an estimated $5 billion to $8 billion.