Yahoo confirms 500 million user accounts were hacked

Yahoo CEO Marissa Mayer
Yahoo CEO Marissa Mayer

Yahoo has confirmed that personal information from at least 500 million users was stolen in an attack on its accounts in 2014 by what the tech company called a "state-sponsored actor".

The information may include names, email addresses, telephone numbers, dates of birth, encrypted passwords, and, in some cases, encrypted or unencrypted security questions and answers, said Yahoo.

It added that there was no indication that payment card data, bank account details, or unprotected passwords had been stolen, or that the attacker was still in the network. Affected users are being notified and accounts being secured, Yahoo said.

Yahoo used its announcement to detail the steps it was taking to protect users and make security recommendations. "Yahoo is working closely with law enforcement on this matter," chief information security officer Bob Lord said.

The revelation comes at a difficult time for Yahoo, as it undergoing a $4.83bn (£3.68bn) takeover by Verizon, expected to be completed in early 2017.

Yahoo had begun investigating in July, after hackers claimed to have access to hundreds of millions of accounts. In August, a high profile hacker advertised the details of 200 million Yahoo users for sale on the dark web, with an asking price of 3 bitcoins ($1,795 or £1,386). The hacker, Peace, had previously sold stolen Myspace and LinkedIn data.

Commenting on the breach, Jane Frost, chief executive of the Market Research Society, said: "This latest breach highlights how organisations can fall foul to having inadequate data protection policies in place.

"It’s fundamental to good business practice to embed the right data structures to safeguard the data we all rely on for commercial and public services."

Dom Waghorn, strategy director at WPP-owned digital agency, Syzygy, said:  "Breaches like these contribute to the very real risk that users will stop signing up for online services and setting up accounts. That would run contrary to the industry desire to offer personalised, tailored digital experiences – if the end user isn’t known, those experiences simply can’t be offered.

"Shorter-term, it’ll be interesting to see if there’s a legislative response to this from the likes of the EU, and more crucially, how Verizon deals with a Yahoo brand that’s fallen a long way since it’s $125bn market cap 17 years ago."

Subscribe today for just $116 a year

Get the very latest news and insight from Campaign with unrestricted access to , plus get exclusive discounts to Campaign events

Become a subscriber


The latest work, news, advice, comment and analysis, sent to you every day

register free