Yahoo: Personal info of 500 million accounts stolen
A message titled "An important message about Yahoo user security" came in from email provider Yahoo: in 2014, a copy of user data was stolen, containing the following data: names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Yahoo believes that this attack put the data of more than 500 million users into the hands of what the company thinks are "state-sponsored" hackers, meaning the attackers were sponsored by a foreign government.
At the moment, the attackers no longer have access to Yahoo's network. The data copy seems to have surfaced on the darknet and is being sold there, which is obviously how Yahoo learned of the attack.
Yahoo has taken the following security measures:
- Affected users will be notified. The content of the email Yahoo is sending to those users will be available at https://yahoo.com/security-notice-content. Yahoo states that users should be aware that there might be phishing attempts and that the original email from Yahoo will not ask them to click any links.
- Potentially affected users should promptly change their passwords and adopt alternate means of account verification, e.g. the Yahoo account key.
- Unencrypted security questions and answers have been invalidated, so they cannot be used to access an account.
- All users who haven’t changed their passwords since 2014 should do so.
- Users should keep an eye on their account and not click links in any suspicious-looking email.
Further information is available at this site.