CERT-UK is aware of reports of an attack on the technology firm Yahoo in which up to 500 million user accounts were breached.
In August 2016, a hacker known as “Peace” was reportedly attempting to sell information from 200 million Yahoo accounts breached in an attack from 2014. The claim was initially treated as speculation, but Yahoo has now confirmed that a breach did take place, compromising the data of 500 million accounts. This is believed to be the biggest public breach of personal data known worldwide, ahead of the MySpace hack of 360 million user details.
Yahoo has stated that the data includes names, email addresses, telephone numbers, dates of birth and passwords. However, while those passwords were reportedly encrypted, the protection used was the MD5 hashing algorithm, which can be cracked using widely known techniques. Yahoo further stated that some of the most valuable personal data was not compromised, including unprotected (plain-text) passwords, payment card data and bank account information.
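The following example, added here and not part of the CERT-UK advisory, illustrates why MD5-protected passwords offer so little protection: an unsalted MD5 digest can be matched against a table precomputed from a wordlist with no per-account effort, whereas a per-user random salt combined with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library is used here) forces separate work for every account and gives two users with the same password different stored values. The five-entry wordlist and all function names are constructed for the example; a real public wordlist would be far larger.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a large public wordlist; the point is not the
# words themselves but that one precomputed table serves every account.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]

# OWASP's published 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: the weak scheme described in the advisory."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Precomputed lookup table: digest -> password. Building it costs one hash per
# word, once, and it then applies to every account stored with unsalted MD5.
MD5_LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}


def recover_from_unsalted_md5(digest: str) -> Optional[str]:
    """Return the password if its unsalted MD5 appears in the precomputed table."""
    return MD5_LOOKUP.get(digest.lower())


def hash_password_pbkdf2(
    password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS
) -> Tuple[bytes, bytes]:
    """Hardened form: a fresh 16-byte random salt per user plus a slow KDF.

    Returns (salt, digest); both must be stored to verify later.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password_pbkdf2(
    password: str, salt: bytes, expected: bytes, iterations: int = PBKDF2_ITERATIONS
) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def salted_hashes_differ(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Two accounts sharing a password get different stored values, so a
    table built for one account tells the attacker nothing about the other."""
    salt_a, digest_a = hash_password_pbkdf2(password, iterations=iterations)
    salt_b, digest_b = hash_password_pbkdf2(password, iterations=iterations)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    weak = md5_hex("password")
    print("unsalted MD5 of 'password':", weak)
    print("recovered from table:", recover_from_unsalted_md5(weak))

    salt, digest = hash_password_pbkdf2("password")
    print("PBKDF2 verify (correct):", verify_password_pbkdf2("password", salt, digest))
    print("PBKDF2 verify (wrong case):", verify_password_pbkdf2("Password", salt, digest))
    print("same password, different stored values:", salted_hashes_differ("password"))
```

The contrast is the practical point for anyone storing credentials: the MD5 lookup succeeds instantly for any password present in the wordlist, while the salted PBKDF2 values cannot be matched against any shared table and each guess costs the full iteration count. Equivalent protection is available from bcrypt, scrypt or Argon2 where those libraries are present.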
There is currently no detail on whether the data has actually been made available online, nor is there clarity on the perpetrators. Yahoo is, however, working closely with law enforcement on this matter.
Internet Service Providers Sky and BT have issued warnings for customers who may be affected by the breach, as Yahoo provides email services for both organisations.
While data breaches of personally identifiable information are not uncommon, CERT-UK assesses that the sheer scale of this breach will have an impact on the UK. However, the risk can be reduced by following some basic mitigation advice.
Users of Yahoo services who have not reset their passwords since 2014 should do so immediately, and should do the same on any other account where they have re-used the same password. New passwords should be sufficiently long, complex and unique, following password best practice.
Additionally, users should remain vigilant for social engineering or fraud attempts that may occur as a result of this breach. This might include suspicious activity on their Yahoo or connected accounts, unsolicited contact which uses personal information to establish trust or to obtain further personal information, and unsolicited emails which encourage users to click on links.
Anyone who thinks they may have been subject to online fraud or attempted fraud should report this to Action Fraud at www.actionfraud.police.uk.