Yahoo Reveals Massive Breach of Data from 500M Accounts

The hack happened in late 2014 but wasn't discovered until weeks ago.

ByABC News
September 22, 2016, 11:55 PM

NEW YORK -- Popular web portal Yahoo said today that it believes a "state-sponsored actor" stole information relating to some 500 million user accounts from its network at the end of 2014.

But Yahoo only learned about the breach "in the last few weeks," a source familiar with the matter told ABC News.

The stolen information, according to Yahoo, could include names, email addresses, dates of birth, telephone numbers, password information, and possibly the question-answer combinations for security questions, which are often used to reset passwords.

An internal investigation was launched following media reports in late July of a hacker attempting to sell the credentials for 280 million accounts, the source familiar with the matter told ABC News.

Several news outlets reported at the time that a hacker identifying himself/herself as "Peace" was attempting to sell what he/she claimed was data associated with some 200 million Yahoo accounts.

The BBC reported that the data that "Peace" was flogging included "usernames, passwords and dates of birth," which the hacker reportedly said was "most likely" from 2012. The BBC reported that the passwords were hashed.

The source told ABC News that the company "found no evidence to substantiate the hacker’s claims," but when an internal security team broadened the scope of its investigation, the team found evidence that led it to discover the breach that the company believes occurred in late 2014.

It has not been made public which state was backing the attack, or if the breach is connected to any other high-profile breaches in recent years.

Public revelation of the breach comes as Verizon and Yahoo try to finalize an acquisition deal -- announced on July 25 -- that, if finalized, would see Verizon acquire Yahoo for $4.83 billion.

Data breaches can damage user trust, potentially hurting growth or causing some users to leave -- both of which could lower Yahoo's value.

After the breach was revealed this afternoon, Verizon released a statement saying that it found out about the security breach "within the last two days."

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the company said in a statement to ABC News. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."

FBI Involved in Breach Investigation

ABC News has also learned that the FBI is now involved in the investigation of the breach.

“The FBI is aware of the intrusion and investigating the matter," the agency told ABC News, vowing to "determine how this occurred and who is responsible."

Yahoo said that bank and payment card information does not appear to have been stolen in this data breach, according to the investigation so far.

It is urging users to change their passwords, if they haven't done so since 2014.

The security questions, the company said, may have been stolen in encrypted or unencrypted forms. It said that it was "invalidating" security questions that were unencrypted.

'State-Sponsored' Breach

In revealing the details of the hack, Yahoo said that it was working with law enforcement on the investigation. Yahoo did not say which law enforcement agency was involved, nor which state it believed was sponsoring the hacking.

But ABC News since learned that the FBI is investigating.

The company launched a program to notify users if their accounts had been compromised by state-sponsored hackers in 2015 -- a year after this breach.

The tech firm said that since that program was launched, some 10,000 users have received a notice saying that a state-sponsored hacker was targeting their accounts. Those notifications were not associated with the accounts subject to the breach announced today.

Around the time that this attack was said to have occurred in late 2014, North Korea was blamed by the U.S. government for a massive attack on Sony Pictures in retaliation for a film called "The Interview," a comedy that lampooned the reclusive state.

There is no evidence to suggest that the Yahoo breach is connected to the one on Sony Pictures, and a Yahoo spokesperson did not immediately comment on whether the two breaches were linked.

Stolen Password Information

The company said that the password information that was stolen was "hashed passwords."

As a matter of standard practice, most websites do not store passwords in their databases. Instead, passwords are run through a one-way formula, which generates a hash -- a string of random characters that is stored on the server. Every time a password is run through the formula, the same hash is generated.

However, the formula cannot be reversed, meaning that hashes cannot be converted into passwords. In this way, passwords can be verified -- without storing them on the server -- by comparing the hash stored on the server with the one generated by the password provided by the user at each login.

So, while the actual passwords likely haven't been stolen, the method of hashed passwords is not a foolproof practice because hashes can be generated from guessing passwords.

Yahoo said that it is contacting users who might have had their information stolen.

ABC News' Mike Levine contributed to this report from Washington.

Related Topics