The breach at Yahoo (YHOO) in 2014 is likely the largest hacking incident to date, as the company confirmed today that it affected 500 million users when a state-sponsored actor was able to infiltrate its network.
The company did not name the country, but said the personal details stolen included names, telephone numbers, email addresses, dates of birth and hashed passwords. In some instances, encrypted or unencrypted security questions and answers were also breached.
Yahoo said it is working with law enforcement. The attack on the company did not include unprotected passwords or personal financial information such as payment card data or bank account information, because neither payment card data nor bank account information is stored in its system, the company said in a statement.
While this is a major breach, the fact that it occurred two years ago means that cyber criminals are likely using more current stolen personal information, said Joram Borenstein, a vice president of marketing of NICE Actimize, a New York-based financial crimes software solutions provider.
"Cyber criminals don't tend to wait around and prefer to use fresh credentials and information as rapidly as possible before they no longer work," he said. "Some reports indicate that many of these accounts are old and thereby less useful to criminals intent on using the information to access other consumer brand accounts such as Uber or Netflix."
The impact of the data in the emails could be widespread since many people save important work details in them.
"There can be juicy information in people's email accounts - some of it is helpful for synthetic identity theft and some of it is relevant for corporate espionage in cases in which people store work credentials in personal email accounts," Borenstein said.
This breach will most likely impact Yahoo's pending sale to Verizon (VZ), said Joseph Carson, head of global strategic alliances at Thycotic, a Washington, D.C.-based provider of privileged account management (PAM) solutions. Rumors of this hack have been circulating for the past several months, as Yahoo completed its investigation to disclose the scope of the cyber incident.
Users of Yahoo should change their passwords and add multi-factor authentication immediately.
"If you have any accounts linked to your Yahoo account, you should immediately change those passwords as well," he said. "This will be one of several major technology companies this year that have been the victim of a cyber crime and a significant year for data breaches which has seen more than 1 billion records stolen this year to date."
Yahoo's breach will have wide-ranging ramifications since many people reuse their user names and passwords on many websites, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based independent security consulting company.
"Even if a tiny percentage of the people involved in this Yahoo breach did that, we could potentially see identity theft at a scale previously unheard of and it could easily cause compromises to customers' bank accounts, credit card accounts, loan services, shopping accounts and any other web site or service where those credentials are used," he said.
This breach serves as a good reminder to consumers to never use the same password for their accounts.
"More fallout will likely come from this as time goes on, but changing passwords is a good immediate step until the rest becomes known," Wenzler said.