Yahoo reportedly to confirm massive data breach
Security

Yahoo reportedly to confirm massive data breach

Following reports that Yahoo will confirm a data breach that affects hundreds of millions of accounts, some users reported Thursday on Twitter and elsewhere that they were prompted to change their email password when trying to log in.

Yahoo launched an investigation into a possible breach in early August after someone offered to sell a data dump of over 200 million Yahoo accounts on an underground market, including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.

The company has since determined that the breach is real and that it's even worse than initially believed, news website Recode reported Thursday, citing unnamed sources familiar with the investigation.

While Yahoo has yet to make an announcement and did not immediately respond to a request for comment, the company has prompted some users to reset their passwords in the past 24 hours due to "suspicious activity" on their accounts.

The prompt to reset passwords may not be directly linked to the reported data breach. But a confirmation of the breach now, more than a month and a half after the data was put up for sale, will likely prompt questions as to why the company waited so long before forcing users to change their passwords.

"If it really was available then and Yahoo are only confirming it now, I’d be really interested in why the delay was so long," said Troy Hunt, a security researcher who runs the data breach notification website Have I been pwned?.

The user who advertised the Yahoo account data on an underground website uses the online handle peace_of_mind and is a well-known seller of stolen information. He has previously put up for sale millions of account records from MySpace, LinkedIn, Tumblr and other websites and for the most part those breaches have been confirmed even though they had actually occurred years earlier.

"We saw LinkedIn, MySpace and tumblr [data dumps] all dating back many years yet just appearing for sale now so Yahoo may be consistent with that," Hunt said via email.

Given Peace's track record, the researcher said that he wouldn't have been surprised that the data was put up for sale last month if it proved to be authentic, even though some people questioned whether Peace actually had the information at that time.

It's odd that no one has managed to obtain a copy of the data set so far and confirmed its authenticity, at least not publicly, especially since Peace is known to drop his price over time. Hunt believes that if this data dump follows the the same pattern as other recent ones, it will turn up in the public domain soon and he will be able to add it to Have I been pwned.

A confirmation of the data breach this week would come as Yahoo's US$4.8 billion sale of its core internet operations to Verizon is being finalized; the deal has yet to be approved by regulators.

IDG Insider

PREVIOUS ARTICLE

«Surface Pro 3 owners plagued by more battery problems

NEXT ARTICLE

Hulu's rolling out two VR-only TV shows this fall»

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should we donate our health data the same way we donate organs?