Back in September, Buzzing Crow reported on the biggest recorded hack in history. At that time, Yahoo had issued a statement suggesting over 500 million user accounts had been compromised – they have since increased the number to include over 1 billion affected accounts. To put this number in perspective, the hack targeted more than double the entire population of the United States.
Yesterday Yahoo sent out a notice to their users signaling that the network had been compromised earlier than their initial September announcement indicated. The previous press release, which they’ve since moved or deleted from Yahoo’s official Tumblr account (editor’s note: link is now live), claimed that users’ data was stolen in late 2014, citing suspicions of “state-sponsored” actors responsible for the breach. New information released by the company claims that a separate, unrelated hack occurred in August 2013. A copy of the original communication is available for download here, and will be republished in its entirety later in this article.
Notice sent to users Tuesday, December 14th, 2016:
In this communication, they touch again on the unencrypted security question vulnerability which appears to be one of the two primary attack vectors leveraged by the perpetrators, along with forged cookies, which have since been invalidated.
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. Yahoo has not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016. We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Separately, our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016.
Original press release from September:
Three weeks after this announcement, Yahoo disabled users’ ability to set automatic forwarding on their accounts, paralyzing victims wanting to change e-mail providers. We tested several mail recovery/restoration products in an effort to supply readers with a path to regaining control of their now compromised inboxes. With cost and ease-of-use as primary considerations, we recommended (and still highly recommend) Aid4Mail – a Swiss-based email recovery service that’s been in business for 20 years, offering a risk-free trial of the software’s full capabilities without having to supply any payment information. Bonus.
Yahoo has not returned requests for comment.
We strongly advise readers to migrate all messages from their Yahoo e-mail accounts and move to a more secure, encrypted email provider.
Note: Buzzing Crow receives absolutely no commission or incentives from Aid4Mail and is providing this information solely to assist affected users.