Yahoo hit with a Massive 500 Million Account Data Breach
By Lawrence Abrams
Published: 2016-09-22 · Archived: 2026-04-05 21:48:22 UTC

In what could be the largest data breach in history, Yahoo announced today that attackers infiltrated its servers in 2014 and walked away with account information for at least 500 million users. The stolen information may include names, email addresses, telephone numbers, dates of birth, hashed passwords (most of them hashed with bcrypt), and potentially encrypted or unencrypted security questions and answers. Yahoo believes the attack was conducted by a state-sponsored attacker rather than a small hacking group or a lone hacker.

In a notice posted to Tumblr, Yahoo's CISO Bob Lord stated:

"We have confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter."

So what does this mean for Yahoo users? It means that if you used your Yahoo password on other sites, you had better go to those sites and change the passwords now! With today's hardware, cracking stolen password hashes is not the hard task it used to be.
Criminals will buy this Yahoo data, crack the passwords, and try to use them to log in to other accounts you may own. This could lead to identity theft, massive spam campaigns, or banking theft. With that said, the first thing anyone with a Yahoo account should do is immediately change their passwords at the other sites they visit.

So how can you protect yourself from data leaks in the future? Data leaks are becoming so common that I suggest people use the following strategies to keep their online accounts secure:

1. Never reuse the same password at another site. Yes, I know this is a pain in the arse, but so is getting your bank account broken into. There is no excuse not to use a password manager such as KeePass or an online service like LastPass to store a unique password for every site you visit.

2. Never reuse the same password at another site. No, this wasn't repeated by mistake. Most people will ignore step 1, so I am repeating it.

3. Enable two-step verification on any online account that supports it. Two-step verification makes your online accounts more secure because it requires users to log in with their normal password and with a special password sent to the user's cell phone or chosen email address. This sounds like a pain, but you quickly get used to it, and it makes your account much more secure.

4. Use strong, complex passwords. If you use a password manager as suggested in step 1, the program can create unique, strong passwords and will automatically log you in with them.

Out of all of these steps, though, using a unique password at every site where you have an account is the most important.
That way, if one site is hacked, you are still safe and secure on all the others.

Source: https://www.bleepingcomputer.com/news/business/yahoo-hit-with-a-massive-500-million-account-data-breach/
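The reuse problem the article warns about can also be checked from the site operator's side. The following is an added example, not code from the article or from Yahoo: given (email, password) pairs already recovered from a third-party breach, it finds which of the site's own users reused that password, so those accounts can be reset and moved to two-step verification first. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (same role: a salted hash with an adjustable work factor) and uses constructed sample accounts.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor: bcrypt's "cost" parameter plays the same role as this
# iteration count. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt here.
ITERATIONS = 50_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def accounts_reusing_leaked_passwords(
    leaked: dict[str, str], local_store: dict[str, str]
) -> list[str]:
    """Return the emails whose local password equals the one leaked elsewhere.

    `leaked` maps email -> password recovered from a third-party breach;
    `local_store` maps email -> this site's own hash record. Defender use:
    force a reset and require two-step verification on exactly these accounts.
    """
    at_risk = []
    for email, leaked_pw in leaked.items():
        record = local_store.get(email)
        if record is not None and verify_password(record, leaked_pw):
            at_risk.append(email)
    return sorted(at_risk)


# Constructed sample data (hypothetical accounts, not real breach data).
LOCAL_STORE = {
    "alice@example.com": hash_password("correct horse battery"),  # reused
    "bob@example.com": hash_password("unique-per-site-9Z!k"),     # unique
    "carol@example.com": hash_password("Winter2014!"),            # reused
}
LEAKED_DUMP = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "bob-old-yahoo-pass",
    "carol@example.com": "Winter2014!",
    "dave@example.com": "no-account-here",  # not a user of this site
}

if __name__ == "__main__":
    for email in accounts_reusing_leaked_passwords(LEAKED_DUMP, LOCAL_STORE):
        print(f"{email}: reused a leaked password; force reset and enable 2FA")
```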