Yahoo’s data breach is much worse than expected. Reports emerged earlier this week that the company was preparing to confirm a hack attack that first came to light this past summer when certain credentials of about 200 million users were put up for sale online. Now, Yahoo has revealed that roughly half a billion accounts were compromised.
The hack attack took place in 2014, and Yahoo says it appears to have been conducted by a “state-sponsored actor”, suggesting the incident was a matter of political espionage. Yahoo also says that no bank or credit card information was compromised, but credentials including dates of birth, email addresses, phone numbers, and passwords were taken. Yahoo is advising users to change their passwords if they haven’t done so since 2014.
By now many users of other email services will have moved beyond mere password-based security, with Google now supporting two-factor authentication and many iPhone users locking their mobile email services with biometric security. Others in the digital security business will see in this incident a validation of the ‘on-device’ approach to authentication, which requires that key user credentials be stored on users’ own personal devices, rather than on external servers that could be hacked.