Cyber Security

Yahoo Reports Largest Known Hack In History, Blames Foreign Government

500 million Yahoo users' information has been stolen. But by whom?

Illustration: Vocativ
Sep 22, 2016 at 4:02 PM ET

Yahoo has admitted to a massive hack that stole some 500 million users’ information — making it the largest reported hack of a commercial website in history.

The company blames the attack on an unnamed country’s government and says it is currently working with law enforcement. State-sponsored cyberattacks are notoriously difficult to attribute, and Yahoo offered no clues as to which government it suspects is responsible.

The scale of the hack is vast, considering that Yahoo doesn’t require a new user to provide much personal information to sign up. While users’ passwords seem mostly safe — the “vast majority” were hashed with bcrypt, a deliberately slow password-hashing algorithm that makes cracking costly, the company says — most other information is not. If at some point in or before 2014 you gave Yahoo your name, email addresses, telephone number, or birthday, that information is likely now in the hands of hackers. In some cases, the company said, the hackers even accessed unencrypted security questions and answers.

Journalists and researchers have discovered a number of so-called “megabreaches” in recent months. In such cases, a massively popular site like LinkedIn or Dropbox was hacked several years earlier, tens or hundreds of millions of users’ records were stolen, and the data is gradually sold and resold by criminals online. MySpace previously held the record for the largest known commercial megabreach, with an estimated 427 million users affected.

In August, Yahoo was reported to have been hit by a megabreach when a pseudonymous online criminal called Peace told Motherboard he had a database of around 200 million user accounts, some of which reporters were able to verify. Peace, though, indicated he had obtained the database from elsewhere, and that he believed the data was from 2012. In its announcement, Yahoo said the attack took place in 2014.

Stolen passwords, even for accounts long gone dormant, can prove to be a real headache for everyday users, especially given the human tendency to reuse passwords across sites. After the LinkedIn database was openly shared on online black markets, a number of people reported that their accounts on financial sites, such as banks and PayPal, had been compromised.