Yahoo has confirmed the accounts of 500 million people were stolen in 2014, in what the company has dubbed a “state sponsored attack” – meaning it believes another country’s government is behind the hack.
Sky customers and some BT customers’ email accounts could also be compromised. Yahoo is the provider behind Sky’s email systems, and it also manages some old BT email accounts.
The information stolen by hackers is understood to include names, email addresses, phone numbers, dates of birth, as well as passwords and security questions and answers.
Yahoo! says that the “vast majority” of passwords were encrypted, though admits some security questions and answers weren’t encrypted.
Yahoo says no payment or bank account information is thought to have been stolen as it is stored in a separate system.
The internet giant adds that the breach was discovered in a “recent” investigation..However, tech blog ‘Motherboard’ reported at the start of August that as many as 200 million Yahoo accounts had been stolen, and were for sale online for three bitcoins, which was worth around $1,800 at the time.
I have a Yahoo, BT or Sky email account – what should I do?
Yahoo is encouraging all of its account holders to sign up for its two-step verification service, which it claims will allow people to log in securely without using a password. Find out more information about this on Yahoo’s website.
It adds that users should also do the following – if you’re a BT or Sky customer it’s worth doing the same:
- Review all online accounts for suspicious activity.
- Change passwords, security questions and security answers on all sites and services where the same or similar passwords are used.
- Avoid clicking any links or opening attachments from suspicious looking emails, and be wary of any solicited requests for information.
All internet users should regularly change their passwords (at least once a year, though most experts recommend monthly), and you should never use the same login information on different websites.
Hard to guess passwords are more secure, so you should avoid obvious words and make your password as long as possible. Analysis of stolen passwords show that some of the most common passwords include “password”, “football”, “monkey” and “123123”.
Avoiding words from the dictionary also makes it harder for hackers to guess your password.
How can I check if I’m a victim of identity theft?
Personal information stolen by hackers can be used to fraudulently open credit cards, bank accounts and similar. If you’re worried this might have happened to you, it’s best to check your financial history information with the three main credit reference agencies, Experian, Equifax and CallCredit.
You can get a one-off report for £2, or sign up to monitoring services that cost £15 per month (per credit agency). These will allow you to see all of the credit agreements in your name, and most will also alert you when there are changes to your credit report.
You can also get limited information about your credit score using free services such as ClearScore and Experian’s Creditmatcher.
If you think your secure information might have been compromised, review your bank accounts and credit cards for suspicious activity and contact your bank or card provider immediately. Next you should report any financial fraud to Action Fraud.
How has Yahoo responded?
Yahoo says it is working with law enforcement agencies, and the FBI has confirmed it is investigating the breach.
The internet giant is also emailing all customers to warn them of the hack. Yahoo says its email to users includes no links or attachments, though a copy seen by Moneywise does include a secure link to a Yahoo page providing further information. This page requests no personal information.
The company launched a separate service to warn people of suspected hacks in December 2015, though that did not detect this breach from 2014. To date, Yahoo’s hack alerts have contacted around 10,000 people.
Yahoo has invalidated stolen security questions and answers that weren’t encrypted so that this data can’t be used to steal other information from Yahoo accounts. However, this information could potentially still be used to steal personal information from other sites where users have used the same questions and answers.
Its investigation continues.
What have Sky and BT said?
A spokesperson for BT says: ““A minority of BT Broadband customers have a legacy email product from Yahoo. We advise customers generally to reset their password regularly and we will be contacting affected customers specifically to help them keep their information safe.”
A Sky spokesperson referred us to Twitter, where it has tweeted the following: “If you have a Sky email account we recommend changing your password and security questions online.”
Are Yahoo’s servers still at risk?
All online companies are at risk from hackers, though Yahoo says that to date, its investigation has found “no evidence that the state-sponsored actor is currently in Yahoo!’s network.”
Is Tumblr affected by this breach?
No. Even though the service is owned by Yahoo, its records are stored separately.
Where can I find out more?
Yahoo and BT customers who think they have been affected can find more information at Yahoo.
Sky account holders can find out more information at Sky.