The Information Commissioner’s Office (ICO) said the Yahoo data breach includes eight million user accounts in the UK.
ICO data regulator Steve Eckersley told the BBC that discussions with the internet firm revealed that “over eight million UK people had been affected” by the cyber attack, which compromised around 500 million Yahoo accounts globally.
Mr Eckersley called the figures “quite concerning”.
Earlier, Information Commissioner Elizabeth Denham said “serious questions” must be asked of Yahoo following the hack.
“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be,” she said.
“People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”
Yahoo confirmed that while most user passwords were encrypted and not visible to hackers, many of the security questions and answers linked to accounts were visible. This has led to criticism from analysts over Yahoo’s security set-up and its failure to report the breach.
Alex Mathews, from online security firm Positive Technologies, said: “The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul.
“If the investigation determines that this extremely sensitive information were stored unencrypted, then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.”
Yahoo has urged all users to change their passwords and security questions in the wake of the breach.
What does this mean for you?
For Yahoo users who may be worried about their personal data getting into the hands of cyber criminals, James Lyne, global head of security research at Sophos, offers the following advice:
- Change your Yahoo password immediately.
- Reset this password if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
- Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
- Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
- Don’t trust password strength meters – these are unreliable and inaccurate.
- In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.