A hacker called Peace is claiming responsibility. The breach, which was first noticed in the summer, hasn’t been officially confirmed by Yahoo; however, if it is, it’ll sit alongside some of the largest breaches in recent times.
It comes at a sensitive time for Yahoo. The company is currently finalizing plans for its sale to telecom giant Verizon, so news like this won’t go over well. Until details are released about the breach, it will be difficult to see just how much data the hacker has.
Even though the breach is as yet unconfirmed, we urge users to reset their passwords as soon as they can. You can learn how to create complex passwords by using our password checker, and as we always say: make sure you enable two-step authentication!
Update: it’s confirmed
Yahoo says: “We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
“First, do not fall for social engineering schemes that will follow this incident. Everyone should be aware that any breach notice that Yahoo! emails out will go only to their email service users, and it will not provide links to click on, include any attachments, and will NOT ask for personal information.”
“In the meantime, if you are using a Yahoo! email account, it’s a good idea to set up a ‘Yahoo account key,’ which removes the need to enter passwords and enables a level of two-factor authentication,” says Kurt Baumgartner, principal security researcher, Kaspersky Lab.