Friday, 20 January 2017

Yahoo reveals new hack affecting more than 1bn users

By Nick Wood, Total Telecom
Thursday 15 December 16

Troubled Internet company says profile information was stolen probably in August 2013, but it doesn't know how.

Yahoo late on Wednesday revealed details of a fresh cyber attack affecting more than 1 billion users.

The troubled Internet company said someone hacked into its network in August 2013 and stole names, email addresses, phone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.

Yahoo said the new attack was identified based on an analysis of data obtained by law enforcement investigating claims by a hacker in July that they had accessed Yahoo user data.

"The company has not been able to identify the intrusion associated with this theft," Yahoo said, in a statement. "Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22 2016."

That cyber attack, thought to have taken place in 2014, affected 500 million users.

What is troubling about these attacks is not just the sheer scale of them, but that Yahoo either failed to detect them, or it did, but the information was not passed to the right people.

In September's hacking disclosure, Yahoo maintained it had only recently learned of the attack, even though it took place two years earlier.

However, in an SEC filing in November, Yahoo revealed that an attack had in fact been detected in late 2014. It initiated an investigation into "the scope of knowledge within the company in 2014 and thereafter" regarding the hack.

The latest revelations will do little to ease any concerns Verizon may have about its $4.83 billion acquisition of Yahoo. After September's disclosure, rumours spread that the U.S. telco would seek to reduce the purchase price. Some suggested that Verizon may abandon the deal altogether.

"As we've said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions," said a Verizon spokesman, late on Wednesday.

Meanwhile, in addition to stealing user data, Yahoo on Wednesday also revealed that it believes a hacker accessed its proprietary code and learned how to forge Internet cookies, which are placed on the user's Web browser or computer when they visit a Website that wants to gather visitor information.

Creating forged cookies could allow an intruder to access users' accounts without a password, Yahoo said.

"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," the company said, adding that it believes it is the same handiwork as the state-sponsored hacker believed to be responsible for the attack disclosed in September.

As before, Yahoo advised users to monitor their accounts for suspicious activity. It also urged users to change their passwords and security questions for any accounts on which they use the same or similar information – for example, mother's maiden name – as that used for their Yahoo account.
