Yahoo Data Breach Confirmed: 500 Million Users Affected

Two months ago, a massive Yahoo data breach appeared to have been uncovered. The records of more than 200 million Yahoo email account holders seemed to have been listed for sale on a Darknet marketplace. The hacker who placed the listing on the site – Peace – had previously listed other large databases for sale, including the data from the MySpace and LinkedIn data breaches. Peace is the co-founder of the Darknet marketplace TheRealDeal, where the data were listed for sale.

The Yahoo Data Breach is the Biggest Ever Reported

Yahoo conducted an investigation into the apparent breach and now, more than two months later, the Yahoo data breach has been confirmed. However, the Yahoo data breach is far worse than the data listing suggested. The account details of more than 500 million Yahoo users have been stolen.

Yahoo determined that the cyberattack is not recent. As with the breaches at LinkedIn and MySpace, the attack occurred many months previously. Yahoo says the hackers accessed its systems and stole the data back in 2014. Yahoo has also suggested the cyberattack was conducted by a nation state-backed hacker.

Yahoo has confirmed that a copy of users’ data has been obtained by the hacker responsible for the attack. The data set includes usernames, hashed passwords, email addresses, secondary email addresses, dates of birth, phone numbers, and security questions and answers. The passwords were hashed with bcrypt rather than stored in a recoverable form: a bcrypt hash cannot be decrypted, so an attacker has to guess each password and run the slow hash for every guess, which should make the passwords hard for cybercriminals to crack. However, many of the security questions and answers were stored unencrypted and can be read directly from the stolen data.

Yahoo has confirmed that payment card details and other bank information were stored separately and were not compromised. The breach has been reported to law enforcement, and internal and criminal investigations are ongoing. According to Yahoo CISO Bob Lord, no evidence has been uncovered to suggest that the attackers still have access to its systems.

Yahoo has already started notifying affected users by email, and a breach notice has been placed on the Yahoo website. However, it is unclear why Yahoo took two months to start notifying users that their data had been stolen, given that a breach already appeared likely when the data were listed for sale in August. Questions are also being asked about why it took the listing of data for sale on a Darknet website before Yahoo realized it had suffered a breach.

Did Yahoo Suffer Two Separate Data Breaches?

It is also unclear whether the data listed for sale by Peace is linked to the 500 million-record Yahoo data breach. Yahoo believes the data breach was conducted by a nation state-backed hacker. That would suggest that the data listed for sale by Peace came from a separate attack. It would be unlikely for data to be sold or passed on to Peace if the attack came from a state-sponsored hacker from North Korea or China.

The discovery of the Yahoo data breach has come at a particularly bad time. Yahoo is in the process of selling its core business to Verizon. The deal, announced in July, is worth $4.83 billion and includes Yahoo’s email service. The breach will come as bad news to both parties, although whether it affects the deal or the purchase price remains to be seen.

Yahoo account holders’ passwords may not have been cracked yet, but that does not mean that they will not be targeted by cybercriminals. Enough data has been stolen to launch any number of attacks on users. Since email addresses and personal information were stolen, users will be at risk of phishing attacks, and the unencrypted security answers can be used directly to attempt account recovery. Because the attackers hold the password hashes themselves, they can also run guessing attacks offline, at their own pace and with no login attempt to trigger a lockout. Bcrypt makes each guess expensive, but it does not protect a password that appears in a common wordlist, so users with weak passwords face a higher risk of their accounts being compromised.
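To make that last point concrete, here is an added example (not code from the article, from Yahoo, or from any real breach data) of an offline dictionary attack against a small, constructed set of leaked records with slow-hashed passwords and plaintext security answers. The Python standard library has no bcrypt, so scrypt via hashlib.scrypt stands in for it; the principle is the same: every guess costs one slow hash, but a password that sits in a short list of common choices still falls within a handful of guesses, while a long random one does not. The users, passwords, answers and wordlist are all invented for the demonstration.

```python
import hashlib
import hmac
import os

# Added example, not from the article or from Yahoo. scrypt stands in for
# bcrypt because hashlib ships it; both are deliberately slow, salted hashes.
# Work factors are assumed values; raise SCRYPT_N to make each guess slower.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (scrypt standing in for bcrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt), digest)


def build_leaked_records() -> list:
    """Constructed sample 'leak' with the field mix the article describes:
    hashed passwords plus security answers stored unencrypted."""
    users = [
        ("alice@example.com", "password1", "Rex"),          # weak password
        ("bob@example.com", "letmein", "Smith"),            # weak password
        ("carol@example.com", "x7#Qm!vR2pL9@bW", "Paris"),  # long random password
    ]
    records = []
    for email, password, answer in users:
        salt = os.urandom(16)  # per-user salt: the same guess must be re-hashed per record
        records.append({
            "email": email,
            "salt": salt,
            "hash": hash_password(password, salt),
            "security_answer": answer,  # plaintext: readable with no cracking at all
        })
    return records


# Invented short wordlist standing in for a real common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password1", "letmein", "abc123"]


def dictionary_attack(records: list, wordlist=COMMON_PASSWORDS) -> dict:
    """Offline guessing against leaked hashes. No login attempts are made, so
    nothing on the victim's side can rate-limit or lock the account; the only
    cost is one slow hash per (record, guess) pair because salts differ.
    Returns {email: recovered_password} for every hash that matched."""
    recovered = {}
    for record in records:
        for guess in wordlist:
            if verify_password(guess, record["salt"], record["hash"]):
                recovered[record["email"]] = guess
                break
    return recovered


def exposed_answers(records: list) -> dict:
    """Security answers need no attack: they are already in the clear."""
    return {r["email"]: r["security_answer"] for r in records}


if __name__ == "__main__":
    recs = build_leaked_records()
    print("recovered passwords:", dictionary_attack(recs))
    print("security answers, no cracking required:", exposed_answers(recs))
```

Running it recovers the two wordlist passwords and nothing for the third account, even though all three were hashed identically: the hash slows the attacker down but cannot add entropy the user never supplied. Real bcrypt deployments tune the cost factor the same way SCRYPT_N is tuned here, and real attackers use wordlists of hundreds of millions of entries rather than six.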

All Yahoo account holders should take steps to secure their accounts. Passwords should be changed for Yahoo accounts, and if passwords have been shared across multiple platforms, they too should be changed. Security questions and answers should also be changed for Yahoo accounts, and any other accounts that use the same questions. Users should also be particularly wary of any unsolicited emails they receive.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news