Yahoo has begun forcing users of its email service to reset their passwords as it prepares to confirm a massive breach of its security with up to 200 million users' details compromised.
Re/Code is reporting that the announcement will be made at some point this week but it is unclear why it has taken Yahoo so long to address this issue, given it was first made aware of the hack as far back as July.
While Yahoo has yet to respond officially to the report, some Yahoo Mail users on Thursday are being forced to reset their passwords with the message: "The security of your Yahoo account is important to us. We're taking this measure because we have detected suspicious activity on your account."
The hack comes at a sensitive time for Yahoo, which might explain the delay in disclosing it. The company is in the midst of a $4.8 billion acquisition by Verizon; a breach this size could lead to significant headaches for the new owners, as well as regulators and law enforcement. Yahoo did not respond to a request for comment.
Back in early August a hacker known only as Peace, who had previously sold dumps of customer information from MySpace and LinkedIn, listed a database containing 200 million Yahoo customer accounts on the dark web marketplace The Real Deal for 3 bitcoins (worth around $1,800 today). The hacker claimed the email records were dated as "2012 most likely."
Prior to posting the details on the dark web, in late July, the hacker gave Motherboard a sample of 5,000 records. These were shared with Yahoo, which at the time would not confirm their legitimacy. Motherboard tested the emails and found them to be legitimate addresses, but when the publication tried to send messages to them, they bounced back, suggesting the accounts were no longer in use.
Motherboard reported that the database contains usernames, hashed passwords, dates of birth, and, in some cases, back-up email addresses.
If it turns out that the initial report was accurate, and that a database of 200 million Yahoo customers' details was on sale on the dark web for under $2,000, the company will have to explain why it has taken almost two months to publicly confirm the breach, potentially leaving customers open to attack from cybercriminals mining the data for useful information.
While the accounts may be dormant, hackers could use the personal details contained in the database to target other online accounts belonging to the same users. If the passwords were not stored correctly (for example, hashed without a salt or with a fast hash that can be cracked) and can be recovered, then criminals will quickly take advantage of the fact that people re-use passwords across multiple online services, something highlighted earlier this year by the high-profile attack on Mark Zuckerberg's Twitter account.