Nearly everyone I know has either been hacked or has stopped an attempted hacking. In the past four or five years I’ve had my Facebook, two bank accounts, and PayPal hacked.
The sheer scale of these attacks is illustrated by a statement Yahoo made in September: that 500 million user accounts were hacked in 2014. This Wednesday, the company admitted that a separate attack in 2013 compromised over 1 billion Yahoo email accounts.
These two incidents are the largest security breaches to occur within a single company – that we know of – and government employees are among the victims.
Yahoo is now forcing all affected users to reset their passwords, but the information exposed during the 2013 hack – names, dates of birth, phone numbers, passwords, and security questions – could be enough for hackers to reset passwords themselves, since security questions are commonly used to authorize a password reset.
Yahoo has fallen behind competitors in terms of security, and critics slam the company for doing nothing after a smaller hacking incident in 2012 compromised over 450,000 accounts.
The 2013 and 2014 attacks were only discovered after close examination of a series of data files provided by law enforcement.
“What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward,” said Chief Executive Jay Kaplan of Synack, a security company.
With help from federal authorities, Yahoo discovered that the hacker responsible for the 2014 attack was likely government-sponsored. Yahoo Chief Information Security Officer Bob Lord believes this high-profile hacker was able to steal Yahoo’s proprietary source code, thus enabling him to “impersonate” real users and log in to accounts without using their passwords.
Personal data from attacks like this is usually posted for sale online. We’ve seen nothing of the sort from this attack, which makes security experts believe the hacker was looking for specific people.
Most Yahoo users aren’t in danger, says JJ Thompson of Rook Security, but should still change the password for their Yahoo email account and any other accounts that used the same or a similar password.
The two massive breaches also endanger Yahoo’s recent deal with Verizon, in which it agreed to sell its core business to the telecom giant for $4.8 billion.
“As we’ve said all along we will evaluate the situation as Yahoo continues its investigation,” said Verizon spokesman Bob Varettoni. “We will review the impact of this new development before reaching any final conclusions.”
Yahoo is now struggling to shore up its defenses while designing new methods of security for the countless frustrated users who have already been hacked.
The repeated hackings are a black mark for Yahoo, says Ben Johnson, founder of security company Carbon Black. “It’s not just one sophisticated adversary that gets in. Typically companies get compromised multiple times due to the same vulnerability or employee culture.”
Editor’s note: Yahoo’s carelessness cost a lot in terms of privacy for its customers. And of course, we have no recourse whatsoever.