Yahoo confirmed on Thursday that hackers stole personal information from at least 500 million accounts, in possibly the biggest such breach of an email provider in history.
"A copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor," said the company in a message to its users. The stolen data included names, addresses, telephone numbers, dates of birth, passwords and some users' security questions, it added, though information about users’ credit cards or bank accounts did not appear to be part of the leaked data.
Yahoo went on to recommend that all users change their passwords if they have not done so since late 2014, when the hacks occurred.
The breach was discovered after reports in August of another attack on the company’s servers by a notorious hacker known by the handle Peace, who was attempting to sell information corresponding to 200 million Yahoo users on the dark web, a hidden area of the web frequented by criminals. And the nearly two-year lapse in time between the hack and the company’s announcement – and public recommendation about how users should respond – puts in doubt Yahoo’s ability to protect users’ security. Some experts suggest that on the heels of its sale to Verizon in July for $4.8 billion, it could even bring down the company.
"Yahoo may very well be facing an existential crisis," Corey Williams, senior director of products and marketing at computer security firm Centrify, told U.S. News and World Report.
Yahoo's confirmation of the data breach comes amid heightened concern about US cybersecurity. American officials and cybersecurity experts suspect Russian hackers are behind an ongoing effort to influence the US presidential election.
The company has blamed state-sponsored hackers for the breach but so far, the Yahoo hack has not been definitively connected to suspected Russian meddling in US politics.
But hackers forcing Yahoo to shutter, or otherwise precipitating its decline, would carve out a new precedent in what US officials and cybersecurity experts suspect is a campaign by Russia to undermine US political institutions. It also appears to highlight a new frontier in state-authored cyberattacks that has yet to be crossed.
Some of those earlier attacks, possibly Russian attacks, may have exposed information belonging to private citizens. A breach of two states’ voter registration databases, officials say, may have allowed hackers to access data from as many as 200,000 voters. But that attack, like the one carried out against Yahoo, did not leak private financial information – although user data that was apparently being sold on the dark web could well be put to use by cyberthieves.
Three US intelligence officials speaking on condition of anonymity told Reuters that the attack resembled the breaches thought to be carried out by Russian state-sponsored hackers, given its similarity to earlier breaches thought to stem from Russian intelligence agencies. Those breaches of electoral infrastructure have sent US officials scrambling not just to shore up vulnerabilities, but to define their approach to cybersecurity.
And as The Christian Science Monitor reported in July after President Obama released a policy directive outlining how his administration would respond to major cyberattacks, many experts say that the government’s approach may not be as robustly modeled as they would hope.
To help determine whether a breach is significant, the administration released a color-coded system to rank the severity of breaches by measuring the potential consequences and the attackers’ suspected intent.
But prominent security experts are panning the directive – particularly the color-coded model similar to the Department of Homeland Security’s abandoned terror alerts – which they say does not properly take into account the complex nature of cyberthreats the country currently faces.
"The problem with these types of documents is that they have a certain type of attack envisioned, the classic, 'Here’s a cyberattack that destroys data or causes physical destruction' and there’s a huge scramble of a response," says Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.
"But as the DNC hack shows, or the hack on Sony Pictures shows, there's a lot of hacks that, over time, seem to affect a national or foreign policy interest – and we’re going to have to be more flexible and creative about the way these agencies are going to be involved," Mr. Segal says. "I suspect that the future attacks we face will often not fit into plans."
Verizon, which purchased Yahoo in July, told the BBC it had "limited information" on the hack, of which it had only learned "within the last two days".
"Until then, we are not in position to further comment," it said.