Written By ESR News Blog Editor Thomas Ahearn
Technology company Yahoo has confirmed that user account information, which may have included names, email addresses, phone numbers, dates of birth, passwords, and security questions, was stolen from 500 million Yahoo user accounts by “a state-sponsored actor” in a massive data breach in late 2014. (UPDATE: Important Security Information for Yahoo Users – Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.)
A message about Yahoo user security posted by Yahoo Chief Information Security Officer Bob Lord indicates an ongoing investigation has found the stolen information did not include unprotected passwords, payment card data, or bank account information. Yahoo is taking these actions to protect users:
- Notifying potentially affected Yahoo users via email using content available at https://yahoo.com/security-notice-content.
- Asking potentially affected Yahoo users to promptly change their passwords and adopt alternate means of account verification.
- Invalidating unencrypted security questions and answers so they cannot be used to access a Yahoo account.
- Recommending that all Yahoo users who have not changed their passwords since 2014 do so.
- Continuing to enhance systems that detect and prevent unauthorized access to Yahoo user accounts.
- Working closely with law enforcement on this matter.
The message stated that Yahoo will continue to strive to stay ahead of ever-evolving online threats and keep users and platforms secure with “strategic proactive detection initiatives and active response to unauthorized access of accounts.” Yahoo is also asking users to follow these security recommendations:
- Change passwords and security questions and answers for any other accounts which use the same or similar information used for the Yahoo account.
- Review accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for personal information or refer users to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
In addition, Yahoo is asking users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password. The complete message from Yahoo about the data breach is at https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security.
A data breach can cost a company millions. In April 2016, Sony Pictures agreed to pay an estimated $15 million to settle a class action lawsuit stemming from a data breach suffered by the studio in November 2014. Sony was also required to provide identity theft protection that could cost an additional $4 million.
Yahoo Data Breach Puts Spotlight on Information Security
Information security is critical in today’s digital world. Employment Screening Resources® (ESR), a leading global background check firm, undergoes yearly SOC 2® (SSAE 16) audits to protect the privacy, security, and confidentiality of consumer information used for background checks. To learn more, visit www.esrcheck.com/SOC-2/.
© 2016 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.