BT and Sky subscribers may be hit by Yahoo hack

When outsourcing goes wrong...

Customers of BT and Sky, two of the biggest internet service providers in the UK, may have been affected by the mega-hack of Yahoo, disclosed this week.

Sky has admitted that its customers could be affected by the Yahoo hack as both it and BT have long outsourced their webmail services to Yahoo.

Sky has already advised its millions of customers to change their passwords as soon as possible, following Yahoo's admission on Thursday night that a data breach in 2014 exposed the details of 500 million users.

"At Sky, we take the security of our customers' data and information extremely seriously," the company wrote on the help page of its website.

"You may have seen that overnight Yahoo announced that a copy of certain user account information was stolen from its network in late 2014. Yahoo is the provider of sky.com email accounts.

"If you are a sky.com email holder, in line with the advice provided by Yahoo, we advise that you change your passwords online and follow good password management practices."

BT has been less vocal about the potential security problem, having merely set up a help page that advises: "If you haven't changed your password since 2014 we recommend you change it now."

Yahoo has confirmed that the company was breached in 2014, with 500 million user credentials compromised. It suggests that it was the victim of a nation-state attack - an attack by a country's security service.

When reports of a major hack on Yahoo in 2012 circulated earlier in the summer, the company provided us with a somewhat high-handed response: "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously," said a spokesperson in a statement in August.

"Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and to use different passwords for different platforms."

The company has now admitted the breach, doing so via a post on Tumblr.

"A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," said Yahoo CIO Bob Lord in a statement.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."

There is some good news relating to personal information, which is mostly secure. Still, this is only a slight positive when you consider what actually went down.

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information. Payment card data and bank account information are not stored in the system that the investigation has found to be affected," added Lord.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen, and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter."

The security community has not been slow in offering its opinions and advice.

"Hopefully, Yahoo will force password resets for all its users, even ones that it believes have not been affected. Users should also reset passwords for other accounts that share the same password as their Yahoo account and consider using a password manager," said David Gibson, vice president of strategy and market development at Varonis.

"It's hard to say for sure whether the breach will upset the pending acquisition by Verizon, but it certainly could. If a data breach capsizing a $4.8bn acquisition doesn't shock CEOs and chief security officers into investing more in security, what will?"