This is not turning out to be a good week for Yahoo.
The internet giant confirmed Thursday that it has been breached, with a massive amount of user information being stolen. Obviously, this is bad news for Yahoo, but what does it mean for users?
In IT Blogwatch, we brainstorm new passwords.
So what is going on? John Brandon has the background:
Yahoo has...confirmed the breach...the number of stolen user accounts is much higher than expected -- 500 million in total...Yahoo has been spinning out of control lately, but the one mainstay -- the reason Verizon is paying $4.8B for their primary internet business -- is that there are millions of people who rely on the service every day.
...
The timing could not be worse...It might not be another nail in the coffin [but] it is certainly a sign that Yahoo has become a company that is mainly a collection of user accounts. Now that those accounts are in jeopardy...it creates yet another dark shadow.
What user information was stolen? And what do you need to be worried about? Michael Kan gives us the lowdown:
Information including names, email addresses, telephone numbers and hashed passwords may have been stolen...the breach...involved data taken from late 2014 -- meaning hackers had two years to secretly capitalize on what they stole.
...
The stolen email addresses...put users at risk of spam attacks and the additional information could be used to trick users into divulging more information about themselves...The stolen data from Yahoo also includes the security questions and answers used to protect their accounts.
Yahoo's cheif information security officer Bob Lord did say that "the vast majority" of the stolen passwords were encrypted with bcrypt, making them extremely hard to crack. Dan Goodin, however, doesn't see that as much of a silver lining:
It's not clear what Lord meant by "vast majority." Even if 5, 10, or 20 percent of the passwords were protected by...a weaker function, that could put tens of millions or hundreds of millions of plaintext passwords into attackers' hands almost instantly...anyone who used the same or similar password to protect a different account should change it as soon as possible.
...
The possibility of attackers obtaining plaintext passwords is only one...concern stemming from the breach. Yahoo users should be wary of communications that may use some of the compromised data to trick them into clicking on links, divulging information, or taking other actions. There's no evidence the attackers obtained payment card data, or bank account information, or data associated with accounts from Yahoo's Tumblr site.
So what should users do if they have a Yahoo account? Yahoo's Bob Lord has some recommendations:
We encourage...users to follow these security recommendations...Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account...Review your accounts for suspicious activity...Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information...Avoid clicking on links or downloading attachments from suspicious emails...Additionally...consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
About that Verizon sale. What is going to happen there? Matt Hamblen has some info:
Verizon...said...it was notified of the massive data breach at Yahoo only in the last two days...Verizon said would evaluate what it will do next.
...
Verizon...likely won't move to break its...Yahoo deal, which is still subject to regulatory review. But Verizon might want to lower the price...because it wasn't notified of the hack sooner and doesn't yet know the full liability Yahoo and Verizon would face from victims of the hack.
So what is the flipside of all this? Mikko Hypponen likes to think about how all this benefits Yahoo:
Yahoo's ad revenue is skyrocketing, as 500 million users log in to Yahoo for the first time in years. To change their password and log out.