Oh boy…. they were hacked two years ago and they say it was a “state sponsored attack”.
What the hack is that ?!

How do you differentiate a hack done by an employee from a state sponsored attack?

Let’s take it step by step:

1. Yahoo has started to write to all affected customers this email: https://s.yimg.com/sf/support/en-us-security-notice-content.pdf

Below is the text of the email notice sent by Yahoo to potentially affected users. Please note that the email from Yahoo about this issue does not ask you to click on any links or contain attachments and does not request your personal information. If an email you receive about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.

Nice… considering that many fraudsters will make use of it.

This is what you get when you login:

First link is: https://help.yahoo.com/kb/account/SLN27925.html

Here are all details of the breach, or whatever this was.

Now the real stuff, observe the bold sentences:

Account Security Issue FAQs

We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.  The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

“Certain information”, “we believe is”… hmmmmm… very vague.

Next step:

You can change password and recovery email address in this step.

Very strange things here….

I encourage all Yahoo users to follow these security recommendations:

• Change your password and security questions and answers for any other accounts on which you use the same or similar credentials as the ones used for your Yahoo Account.
• Review your accounts for suspicious activity.
• Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
• Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo’s Account Key, a simple authentication tool that eliminates the need to use a password altogether.