500M Accounts Stolen in Yahoo Data Breach

John Lister's picture

A US senator wants the Securities and Exchange Commission to investigate Yahoo's handling of a major data breach. Mark Warner says the company left the public, and specifically investors, in the dark.

Last week the company announced that it was hit in late 2014 by an attack that it believed to have been backed by a foreign government. Around 500 million accounts were affected and the stolen data included names, email address, dates of birth, phone numbers and passwords.

The good news is that the passwords were encrypted. The bad news is that the data also included security questions and answers, not all of which were encrypted. While the type of data stolen may have varied from account to account, it certainly appears likely there will be many cases where there's enough information for a hacker to access a user's account (including by resetting a password) and/or commit identity theft.

The big question is when Yahoo found out about all of this. Journalists began asking the company about reports of a leak in August, 2016, and some claims say Yahoo itself found out in July of 2016.

Lawsuits Already Filed

The delay in going public with the news is already causing problems for the company. Perhaps inevitably, some users who say they've had sensitive financial information accessed as a result of the breach have already filed lawsuits, and one lawyer believes the case will gain class action status.

Meanwhile Senator Warner wants the SEC to find out if any laws have been broken. He's pointing to a financial filing the company made on September 9 which included the statement "To the knowledge of [Yahoo], there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller's or the Business Subsidiaries' information technology systems." (Source: techcrunch.com)

That seems questionable at best, given reporters say Yahoo specifically confirmed in August 2016 that it was aware of a claimed breach.

SEC Urged To Review Rules

Warner notes that federal law requires publicly traded companies to tell stockholders within four days of a material event, meaning something that could affect the stock's value. To make things worse, the September 9, 2016 statement was made as part of a planned buyout of Yahoo by Verizon.

As well as demanding specific investigation of Yahoo, Warner wants the SEC to examine whether current rules on when a company must report a data breach are tough enough. He notes that since 2010, fewer than 100 among a total of around 9,000 public companies have reported a breach. (Source: senate.gov)

What's Your Opinion?

How quickly should companies report a data breach? Should they wait until they have full confirmation and details or should they make people aware whenever they start investigating a credible claim? Do you use Yahoo and if so are you happy with how they've kept users informed?

Rate this article: 
Average: 5 (4 votes)


Dennis Faas's picture

Once again - if you don't use the same password / password hint on every site, you should not be affected. I personally use Roboform and a fingerprint sensor to remember and fill my passwords automatically.

ecash's picture

AS the gov. has been hit many times, has Fired IT Czars.. Hasnt updated many machines used in the gov..
What about the Sony hack?
How about the other 20+ hacks around this country and other nations?? Even MSN has been hacked a few times..
Mostly its the email servers.

Nothing will be done, until Everyone starts Thinking about the OLD ways of protection and implementing New/Current alternatives..
Using a program KEY to tell the system You belong there..

And Why in hell, everything has to be ON the net..is STUPID.

matt_2058's picture

I follow tried and true when possible: upper case, lower case, numbers, symbol characters, and no common dictionary words. And different passwords for each site/account.

The other thing I do is have an email account that is only for personal important stuff, a separate one for normal use, and a third for sign-ups like newsletters, the occasional site that has info I'm looking for when researching parts and such. That way, everything important is in one place and I don't have hobby stuff mixed in with personal ID info. Banking accounts are the only ones with a real name....everything else is an alias with a fake b-day, zip code, etc.

ecash's picture

is that the Company let them in..
Not you..
Between hardware updates, Software updates, and Just STRAIGHT restricting access..
They goofed.

Even hardware is having a hard time Keeping up with WHAT is needed to BLOCK people..
Should I mention AUTOMATED systems??that are supposed to be the Admin/sysop??

There are Tricks that can be done, AND SHOULD..but companies dont listen. And Some think the OLD ways dont work.

tmcd's picture

I have a Yahoo email account and never got any sort of official notice from Yahoo itself regarding the breach.

I'm a list moderator for several groups hosted on Yahoo. We have had a slight uptick in messages from unmoderated member addresses from compromised yahoo.com email users.

In addition to the suggestions made earlier I always keep one email address on one of the free services that I literally never use for anything. This is the address I give when asked for a "recovery email address" when I sign up for a service or list.