Yahoo says “state-sponsored” hackers stole private information from about 500 million users. The FBI has confirmed it is investigating the incident in what appears to be the largest publicly disclosed cyber-breach in history.
“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said.
Stolen information includes names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data, Yahoo said.
The company also said the information was “stolen by what we believe is a state-sponsored actor” but did not specify which country it held responsible.
News of a possible major attack on the technology firm emerged in August when a hacker known as “Peace” was apparently attempting to sell information on 200 million Yahoo accounts.
On Thursday, Yahoo confirmed the breach was far bigger than first thought.
Yahoo is recommending that all users change their passwords if they have not done so since 2014.
“It is really worrying that a breach from 2014 can have gone undetected for so long,” said Prof Alan Woodward from the University of Surrey.
“It is also surprising the public statement took so long to appear,” Woodward added. “I would have thought most companies had learned by now that early disclosure is better, even if you have to revise and update as you learn more.”
The hack dwarfs all other recent technology breaches – such as MySpace (359 million), LinkedIn (164 million) and Dropbox (68 million).
Yahoo Fantasy Sports, Yahoo Finance and Yahoo Mail were all compromised.
According to a Gartner survey, 50% of users reuse their passwords across multiple platforms. So if you have had a Yahoo account in the past and used a similar password on other platforms, it is highly recommended that you change those passwords immediately.
Finally, the password for any other service that sends its password reset emails to a compromised Yahoo Mail account should also be reset.