UPDATE2 BT and Sky Broadband Warn UK ISP Customers After Yahoo! Hack

Customers of Sky Broadband and BT have been warned that some of them may have been affected after Internet giant Yahoo! confirmed that at least 500 million of its accounts were stolen in 2014 by “state-sponsored” hackers. Both ISPs make use of the company for their email platforms.

Apparently Yahoo! didn’t even realise that the event had happened until recently and then took a whole month to confirm it (good job there Yahoo!). It’s understood that the hackers stole names, email addresses, telephone numbers, dates of birth and passwords.

Yahoo! Statement by Bob Lord:

“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

The problem represents an additional headache for BT and Sky Broadband since both ISPs have made use of or continue to use Yahoo!’s platform for their email services.

In BT’s case it’s merely a “legacy product used by some customers” and the provider states that a “minority of our customers are affected.”

A BT Spokesperson told ISPreview.co.uk:

“BT is currently investigating the Yahoo data breach. As a precaution for the minority of our customers who use Yahoo mail, we are advising those who haven’t changed their passwords post-December 2014 to change them.”

By comparison Sky Broadband’s Yahoo! based Sky Yahoo Mail service is still very much front and centre of their email platform, although the provider does not clarify how many of their subscribers might be affected.

A Sky Support Agent said:

“At Sky, we take the security of our customers’ data and information extremely seriously.

You may have seen that overnight Yahoo! announced that a copy of certain user account information was stolen from its company’s network in late 2014. Yahoo! is the provider of sky.com email accounts.

If you are a sky.com email holder, in line with the advice provided by Yahoo!, we advise that you change your passwords online and follow good password management practices. You can find more information and help here.”

Just because a password is encrypted doesn’t mean to say that a hacker can’t decrypt it in the space of a few seconds or minutes, depending upon the method of encryption, strength of the password itself and any available processing power at the hacker’s disposal. In other words, change your password!

Mind you the breach happened two years ago and so any damage may have already been done.

UPDATE 26th September 2016

According to the Information Commissioner’s Office (ICO), some 8 million Yahoo! linked accounts in the United Kingdom have been affected by the breach. Obviously this also includes accounts that were created separately from BT and Sky, although those two ISPs will still be responsible for a noticeable chunk of the figure.

ICO Statement

“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today.

We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”

UPDATE 28th September 2016

Sky has setup a useful information page HERE.