Remember when the Target breach happened a few years ago, and we all thought it was huge? After all, it affected 70 million people, cost the company's CEO his job and wound up costing the company hundreds of millions.
Now imagine that, only much, much, much bigger. That's what Yahoo is dealing with right now, as the company revealed on Thursday that it was hacked all the way back in 2014, in an incident that affected "at least 500 million user accounts."
Yes, you read that right. This incident hit half a billion people. That's over seven percent of the Earth's entire 7.125 billion population in one single data breach. That's an absolutely staggering number.
Here are the details that Yahoo has released about what happened:
First, that the hack was done by "a state-sponsored actor," though which state that is, be it Russia, China or North Korea, is not named.
Second, the information that was stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
What wasn't stolen, at least there's no evidence yet to suggest that it was, includes unprotected passwords, payment card data, or bank account information. The system that has card data and bank account information was, thankfully, not among those hit. So at least there's that.
There is currently an ongoing investigation into the matter, and Yahoo says it is working closely with law enforcement. Whoever was hacking the system is no longer there, which may suggest that, whoever it was, they got everything they wanted and left.
Yahoo also says it is notifying users it thinks were affected, and is encouraging all of its users to change their passwords.
"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," the company wrote. "Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
One entity that has to be really unhappy about all of this is Verizon, which bought Yahoo's assets, including Yahoo Mail, Flurry and Gemini, for $4.83 billion in cash in July. That's a lot of money for a company that just suffered what has to be one of the largest security hacks ever, if not the largest.
A Verizon spokesperson told VatorNews that the company learned about the breach "within the last two days."
"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment," the spokesperson said.
Cyber security incidents are on the rise, according to data from Statista, going up every year from 2011 to 2015.
There were 419 incidents in 2011, then 447 in 2012. The number jumped to 614 in 2013 and then 783 in 2014. That's an 86 percent increase in only four years. They dipped ever so slightly in 2015, down to 781, only the third time the number didn't rise in 10 years.
Even then, the number of records exposed during those breaches shot up, from 85.61 million in 2014 to 169.07 million in 2015, an increase of 97.5 percent in just a year.
Back in 2005, there were only 157 incidents, and 66.9 million records exposed.
With numbers like that, it's no wonder that so many companies are stepping up their security.
Led by Uber, some of the most prominent names in tech, including Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, and Twitter, announced the launch of the Vendor Security Alliance earlier this month.
It's a coalition of companies dedicated to fostering more cohesive, collaborative conversations and action around Internet security.
The VSA will regularly convene security experts and compliance officers to compile a yearly questionnaire, which companies can then use to analyze their own cybersecurity risk. The first questionnaire will be unveiled on October 1.
(Image source: technollama.co.uk)