500 million accounts stolen, Yahoo confirms

Gelo Gonzales
It is history's biggest data breach from a single site, according to one database

BIG BREACH. Yahoo encourages users to change their password in light of the massive data breach.

MANILA, Philippines – Yahoo confirmed that at least 500 million user accounts had been stolen in a data breach that occurred in 2014. The company’s chief information security officer (CISO), Bob Lord, made the announcement through a Tumblr post on Thursday, September 22, US time.

In the post, titled “An Important Message About Yahoo User Security,” Lord detailed what types of information may have been stolen:

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

The data breach is said to be the largest from a single site, CNBC mentioned. Other massive data breaches include: 

  • An August incident where hackers were discovered to be selling 200 million Yahoo accounts
  • The 2014 uncovering of a Russian gang which stole 1.2 billion unique usernames and passwords from different sites
  • The discovery that 360 million Myspace accounts were up for sale in an online hacker forum in 2016

In the Philippines, the Commission on Elections (Comelec) database was hacked in late March, putting the data of 55 million Filipino voters at risk. 

In line with the confirmation of the data breach, Yahoo encouraged its users to do the following:

  • Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account
  • Review your accounts for suspicious activity
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information
  • Avoid clicking on links or downloading attachments from suspicious emails

Sumit Bansal, cybersecurity firm Sophos’ ASEAN and Korea sales director, emphasized the need to secure your data after such a breach. “Cyber criminals are very proficient at using such data – profile, password, date of birth, or security question data – to commit broader fraud, so the ramifications of such a breach can extend well beyond e-mail,” he said. 

The fact that some people use the same password for multiple accounts makes it even more urgent for people to be aware of such data breaches, Bansal suggested. Data leaked from one site, say Yahoo, could potentially be used to access accounts on other sites. – Rappler.com 

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.