Yahoo is getting ready to confirm a historic hack affecting 200 million users
Back in August, Motherboard's Joseph Cox reported that 200 million apparent Yahoo user credentials were being sold on the dark web. At the time, the company's response was only that it was "aware of [the] claim."
But now Kara Swisher, one of the tech industry's most-respected journalists, is reporting for Recode that Yahoo sources tell her the company is preparing to publicly confirm its existence. (Her sources did not confirm its exact size, only that it was "widespread" and serious.")
Yahoo did not immediately respond to Business Insider's request for comment.
Motherboard was told by the hacker who held the data (and was selling it for 3 bitcoins, worth $1,860 at the time) that the breach was back in 2012 - but it was never made public. Data included usernames, encrypted passwords, date-of-births, and some email addresses.
Recently, there has been a spate of historic data breaches affecting millions of users coming to light - including LinkedIn, MySpace, and Tumblr. If user passwords are unencrypted (or not encrypted properly), hackers can then use this login data to break into individual user accounts - and often, because people re-use passwords across multiple sites, they can use it to break into their accounts on other sites as well.
We saw multiple high-profile demonstrations of this problem this summer, as celebrities and public figures including Mark Zuckerberg and Drake had their Twitter accounts broken into. Twitter wasn't hacked - but the victims had re-used passwords they had also used on websites that were.
This new attention on the alleged breach comes at an awkward time for Yahoo. The tech company is in the process of a $4.8 billion (£3.7 billion) sale of its core business to Verizon, after years of flagging fortunes.
There's nothing ordinary users can do to prevent these kinds of breaches - but by using a strong, unique password on each site or service you have an account on (managing those passwords with a password manager app if necessary), then it means that if one of your account is breached, the rest aren't too.