Yahoo has confirmed at least 500 million user records have been hacked, in what is thought to be the largest data breach in history.
Hackers have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, according to the company, with at least 200m records already confirmed for sale on the Dark Web.
Yahoo, which was recently acquired by Verizon, said bank account and credit card details haven’t been stolen.
The company claims that an individual acting on behalf of the government was behind the data breach.
Jamie Graves Ph.D, co-founder and CEO of cyber security company ZoneFox.com, said: “This type of attack is often difficult to defend against, and a number of other well defended organisations have fallen victim to this type of attack.”
The security lapse was said to have occurred in late 2014, but Yahoo hasn’t explained why it has taken two years to uncover the breach.
Mr Graves added: “Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo two years to disclose. In this time, a great deal of additional harm will have occurred to the compromised accounts, ranging from account hijacking through to identity theft and fraud.
“The Yahoo attack highlights the reason why good detection capabilities, aligned with laws that force this form of disclosure in a short period, such as the GDPR, are crucial to help protect personal information.
“Organisations must not only have rigorous Cyber Security measures in place but also a disaster recovery plan to respond immediately to a breach if the, sometimes, inevitable occurs.”
The breach could cause issues with Yahoo’s sale of its digital operations to Verizon, which is meant to close early next year.
Yahoo has recommended that its users change the password on their email account and on any other website where they reuse the same password, to limit what can be done with the stolen information.
Kurt Baumgartner, principal security researcher, Kaspersky Lab said: “These types of breaches highlight why all companies need to be cybersecurity leaders, implementing best practices and available security technologies, such as the delay in encrypting IM communications, implementing https for its web properties and more.
“This situation reminds us of Google’s Aurora APT incident in 2009, announced in 2010. When we compare these two breaches, it is incredible that it’s 2016 and users are only being notified years after a major breach like this one, and only after another organisation made the issue public.”
Mr Baumgartner advised Yahoo account holders to “not fall for social engineering schemes that will follow this incident”.
He said: “Everyone should be aware that any breach notice that Yahoo! emails out will go only to their email service users, and it will not provide links to click on, include any attachments, and will not ask for personal information.”