Sunday, September 25, 2016

Yahoo Believes Hack Was State-Sponsored

Yahoo finally acknowledged what many feared all along: the massive attack on its network in 2014, which allowed hackers to steal data from half a billion users, may have been "state sponsored."

On 22 September, Yahoo said its investigation concluded that "certain user account information was stolen" and that the attack came from "what it believes is a state-sponsored actor." The breach was confirmed by Yahoo months after reports of a major hack.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen," said a statement from the US internet giant, in what is likely the largest-ever breach from a single organization.

"Yahoo is working closely with law enforcement on this matter."

The comments come after a report earlier this year quoting a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.

Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.

While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year the largest to date, with 360 million users affected.

Computer security analyst Graham Cluley said the stolen Yahoo data "could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web."

He noted that while Yahoo said that it believes the hack was state-sponsored, the company provided no details regarding what makes them think that is the case.

"If I had to break the bad news that my company had been hacked ... I would feel much happier saying that the attackers were 'state-sponsored,'" rather than teen hackers, Cluley said in a blog post.

It appeared that the looted data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.
