The Journal, 23rd September 2016
YAHOO HAS SAID that a massive attack on
its network in 2014 allowed hackers to steal data from half a billion users and
may have been “state sponsored.”
The Data Protection Commissioner here
has been notified of the data breach by the multinational, which has its
European HQ based in Dublin.
“Yahoo have notified us of the breach,” a spokeswoman told TheJournal.ie.
“Our office has raised a number of issues for which
we’re seeking clarification on, and are waiting for a response from Yahoo.”
Helen Dixon was appointed as Data Protection Commissioner
for Ireland in September 2014, heading up the office in Portarlington, Co
Laois.
Yahoo, which confirmed details of the breach last
night, months after reports of a major hack, said its investigation concluded
that “certain user account information was stolen” and that the attack came
from “what it believes is a state-sponsored actor.”
“Based on the ongoing investigation,
Yahoo believes that information associated with at least 500 million user
accounts was stolen,” said a statement by the US internet giant in what is
likely the largest-ever breach for a single organization.
The comments come after a report earlier this year quoted a security researcher
saying some 200 million accounts may have been accessed and that hacked data
was being offered for sale online.
Yahoo said the stolen information may
have included names, email addresses, birth dates, and scrambled passwords,
along with encrypted or unencrypted security questions and answers that could
help hackers break into victims’ other online accounts.
While there is no official record of
the largest breaches, many analysts have called the Myspace hack revealed
earlier this year the largest to date, with 360 million users affected.
Ammunition for hackers
Computer security analyst Graham Cluley
said the stolen Yahoo data “could be useful ammunition for any hacker
attempting to break into Yahoo accounts, or interested in exploring whether
users might have used the same security questions/answers to protect themselves
elsewhere on the web.”
He noted that while Yahoo said that it
believes the hack was state-sponsored, the company provided no details
regarding what makes them think that is the case.
“If I had to break the bad news that my
company had been hacked… I would feel much happier saying that the attackers
were ‘state-sponsored,’” rather than teen hackers, Cluley said in a blog post.
University of Notre Dame associate
teaching professor and data security specialist Timothy Carone told AFP that
the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by
spy agencies in Russia, China, North Korea or other countries.
“It just smacks of traditional trade
craft,” Carone said.
“It is a broad sweep of getting information on
people and building up profiles on those who may be of use to them.”
Carone described Russia, China and North Korea as the usual three suspects in
state-sponsored hacks, but cautioned that allies are not above cyber snooping
as well.
“People have to realize that anything
they put out there is fair game,” he said, stressing a need for internet users
to remain wary.
Unprotected passwords
It appeared that looted Yahoo data did
not include unprotected passwords or information associated with payments
or bank accounts, the Silicon Valley company said.
Yahoo is asking affected users to
change passwords, and recommending anyone who has not done so since 2014 to
take the same action as a precaution.
Users of Yahoo online services were
urged to review accounts for suspicious activity and change passwords and
security question information used to log in anywhere else if it matched that
at Yahoo.
“Online intrusions and thefts by
state-sponsored actors have become increasingly common across the technology
industry,” Yahoo said in a statement.
Yahoo and other companies have launched programs to
detect and notify users when a company strongly suspects that a state-sponsored
actor has targeted an account.
$4.8 billion
Confirmation of the major cyber breach
comes two months after Yahoo sealed a deal to sell its core internet business
to telecom giant Verizon for $4.8 billion, ending a two-decade run as an
independent company.
It was not immediately clear if the
data breach could impact the closing of the deal or the price agreed by
Verizon.
“Frankly, the timing couldn’t be worse
for Yahoo,” Cluley said.
The telecom firm said it was reviewing
the new information.
“Within the last two days, we were
notified of Yahoo’s security incident,” Verizon said in a statement.
“We will evaluate as the investigation
continues through the lens of overall Verizon interests, including consumers,
customers, shareholders and related communities.”