In the September/October 2016 timeframe it became clear that Yahoo had lost more than 500 million records, which was the biggest hack of the year. Who knew they would top themselves just a few months later!
Yahoo stated today that a separate incident exposed at least a billion more user accounts. They also warned that attackers had found a way to log into targeted Yahoo accounts using forged authentication cookies, without needing to supply the victim's password at all.
How can this get any worse? It is a massive, epic fail. Here is the updated graph from the Wall Street Journal showing the size of this monstrous hack.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”
Yahoo said it is in the process of notifying the affected account holders, and that it has invalidated the forged cookies. "We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," Lord said.
Blaming it on the Russian government in this case is a cop-out. These are high-level criminal hackers who simply get air cover from Putin but are not on his payroll.
At this point Yahoo has fallen down on security in so many ways that I have to recommend that if you have an active Yahoo email account, either directly with Yahoo or via a partner like AT&T, you get rid of it. But clean it out first: remove all the folders, delete the account, and open a Gmail account instead. Check whether you have used your Yahoo password on other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site. Note that changing your Yahoo password does nothing against the forged-cookie attack, since that bypasses the password entirely; only Yahoo can close that hole, by invalidating the cookies as it says it has done.
If you associated a mobile phone number with your Yahoo account and you still use that number, then SMS phishing (a.k.a. smishing) is now a distinct possibility, so be very wary of smishes.
Thanks, Verizon, for your interest in Yahoo and the due diligence that followed. I would recommend not pursuing this course of action, though.
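A short technical postscript on the forged-cookie point, since the post only mentions it in passing. Below is an added example, not Yahoo's code and not based on Yahoo's actual cookie format, which is not described here. It uses a generic HMAC-signed session cookie to show two things: why anyone holding the server's signing key can mint a valid session for any targeted account without knowing a password (the stolen-key scenario is an assumption for illustration, not a claim about how Yahoo's cookies were forged), and why "invalidating the forged cookies" in practice means rotating the key, which throws out every cookie minted under it, legitimate ones included. All names, keys and addresses are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Hypothetical session scheme, for illustration only: a cookie is
#   base64url(payload) "." base64url(HMAC-SHA256(key, payload))
# The server trusts any cookie whose MAC verifies, so whoever holds the
# key can mint a session for any user without that user's password.


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_cookie(key: bytes, user: str, exp: int) -> str:
    """Issue a session cookie for `user` that expires at Unix time `exp`."""
    payload = json.dumps({"user": user, "exp": exp}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_cookie(key: bytes, cookie: str, now: int):
    """Return the user the cookie authenticates, or None if it is malformed,
    has a bad MAC, or has expired."""
    try:
        p64, m64 = cookie.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("user")


def demo(now: int = 1_481_760_000):
    """Forgery with a stolen key, then invalidation by key rotation.
    Returns a dict of outcomes so the steps can be checked programmatically."""
    server_key = secrets.token_bytes(32)

    # Legitimate login: the password was checked, then a cookie was issued.
    legit = mint_cookie(server_key, "alice@example.com", now + 3600)

    # Assumed attacker scenario: the signing key has leaked. The attacker
    # mints a long-lived cookie for a targeted account, no password needed.
    stolen_key = server_key
    forged = mint_cookie(stolen_key, "victim@example.com", now + 365 * 86400)
    forged_before = verify_cookie(server_key, forged, now)

    # Without the key, editing the payload of a real cookie breaks the MAC.
    _, legit_mac = legit.split(".")
    edited = json.dumps({"user": "victim@example.com", "exp": now + 3600},
                        separators=(",", ":")).encode()
    tampered = _b64(edited) + "." + legit_mac
    tampered_result = verify_cookie(server_key, tampered, now)

    # Invalidation: rotate the key. Every cookie minted under the old key,
    # forged or legitimate, is rejected and all users must log in again.
    new_key = secrets.token_bytes(32)
    forged_after = verify_cookie(new_key, forged, now)
    legit_after = verify_cookie(new_key, legit, now)

    return {
        "forged_accepted_before_rotation": forged_before,
        "tampered_without_key": tampered_result,
        "forged_accepted_after_rotation": forged_after,
        "legit_accepted_after_rotation": legit_after,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point a practitioner should take from this: a bearer cookie is only as strong as the secrecy of whatever signs it, so once forgery is suspected the only reliable remediation is rotating the signing material (or moving to server-side session state that can be revoked per user), and that is something only the service operator can do, not the account holder.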