Security experts say Yahoo hack will “cause ripples online for years”
NEW YORK — Security experts are calling the Yahoo account breach “massive.”
Yahoo confirmed on Thursday that more than 500 million of its user accounts had been stolen in a breach said to have occurred in late 2014.
Experts say it could be the biggest hack ever in terms of scale.
In comparison, a LinkedIn hack in 2012 affected 117 million accounts, and it was announced earlier this year that 360 million MySpace accounts were compromised.
The information obtained in the Yahoo hack may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers, according to a statement from Yahoo.
According to Norway-based cybersecurity advisor Per Thorsheim, the hack “will cause ripples online for years to come.”
He noted the potential impact should not be overlooked even though bank account information or social security numbers weren’t included.
“The devil has tricked us into thinking your bank account is the most important piece of information on earth. It’s not,” Thorsheim said. “At least not in the case of security and privacy online. I’m more concerned about my Facebook account being hacked than my bank account, to be honest.”
He also called the Yahoo hack “a treasure trove of secrets.”
Even if there’s nothing interesting in the email account itself, “email can be used as a stepping stone to get access to sensitive information through password resets,” he added.
Although Yahoo said a “state-sponsored actor” is behind the hack — a term used for an individual acting on behalf of a government — experts say the information obtained could be used for everything from blackmailing and spamming users to discovering their passwords on other services.
“It’s not yet clear what the motives were but it’s not to simply leak the credentials and call it a day,” said Michael Borohovski, CEO of Tinfoil Security.
Borohovski suggested there may have been some steps Yahoo could have taken to better protect its users. Not all personal information associated with accounts was encrypted, including some security questions and answers, which could be useful in hacking into a user’s other online accounts.
“I do think that was an oversight. There’s no reason not to encrypt that data,” said Borohovski. “The problem is not that [people] need to be concerned about their Yahoo account — it's all the other accounts they use. I’m not entirely sure that the scale of this is going to be limited to Yahoo.”
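The point Borohovski makes is that security-question answers deserve the same treatment as passwords: store only a salted, slow hash so a stolen database does not hand an attacker the answers in the clear. The following is an added illustration, not Yahoo's code or anything from the article; it uses the standard library's scrypt in place of the bcrypt the article mentions so that it runs without extra packages, and the user record is constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt cost parameters (assumed values for the example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize_answer(answer: str) -> str:
    """Security answers are typed by humans, so hash a canonical form.

    Without this, 'Fluffy the Cat' and 'fluffy the cat' would hash
    differently and legitimate recovery attempts would fail.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes = None) -> dict:
    """Return the only thing that should be stored: a per-answer salt and slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(stored: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.scrypt(
        normalize_answer(attempt).encode("utf-8"),
        salt=bytes.fromhex(stored["salt"]), n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
    )
    return hmac.compare_digest(digest, bytes.fromhex(stored["hash"]))


if __name__ == "__main__":
    # Constructed record: what a breached table would expose is only salt + hash.
    record = hash_answer("Fluffy the Cat")
    print(record)
    print(verify_answer(record, "  fluffy THE cat "))  # True
    print(verify_answer(record, "Fido"))               # False
```

Hashing limits what a breach reveals but does not make a guessable answer strong, so recovery flows still need rate limiting and a second factor.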
Thorsheim also noted that because the breach happened just two years ago, there’s a high probability many of those impacted are still using the same passwords.
There are a number of steps people can take to protect themselves from hackers, like changing their email passwords often and having separate passwords for every account.
“It’s something that’s definitely going down in the history books,” said David Kennedy, founder of cybersecurity firm TrustedSec.
However, he warned headlines like this could be the “new norm.”
“This is what we should expect and continue to see as companies don’t protect information as much as they should,” he said.