Friday 23 September 2016

Yahoo: Dear, oh Dear!

Today Yahoo! finally confirmed what everybody expected, that they had a major security breach.

Many companies have had security breaches, but I cannot think of many that have handled one as poorly as Yahoo!

The breach supposedly happened in 2014, 2 years ago, and it only comes out now. As a consumer, I can't wait for the EU General Data Protection Regulation to be in place - Yahoo would have been fined a nice 4% of its global revenue for failing to promptly report the issue. And in this case, it's very, very likely that the regulators would have pursued them, considering that it affects an estimated 500 million users.

There was only one announcement. On their Tumblr page. No announcement on the main Yahoo! site or Yahoo! Mail:

(If you squint and look carefully, you will notice a mention of the hack in the trending news and, if you wait or are lucky, you will see it as one of the highlighted news items.)

There are no emails sent to the users; at least, none was sent to my old Yahoo account, which I do not use anymore but still receives emails and gets checked every so often, so it's still active. When you log in, you get the following welcome:

No mention of the breach. No mention of why you really, really should change your password and security questions. No mention that you should change your password and security questions in any other system where you use the same information, just in case.

The announcement explains that 'The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers'. Considering that the data seems to be available, a quick check against their systems should be able to confirm whether this is the case; the 'may' here sounds like covering their backs.

Verizon, who are currently in the process of buying Yahoo!, mention that they only found out about the breach a couple of days ago and had 'limited information'. That should ring alarm bells everywhere, and it also makes me think that the only reason the breach is coming out now is that Verizon are doing their due diligence and Yahoo!'s hand has been forced on this; otherwise it would have stayed hidden forever.

Finally, Yahoo mentions that the attack was 'state-sponsored'. If that's the case, why was the data available to buy in the market? Usually, states do not want to sell the data, they want to keep access running as long as possible.

All in all, this is one of the worst security breaches ever, even if it is just because of the number of users affected. The response from Yahoo! does nothing to help and inspires no confidence in their ability to handle security issues.

I know, for a fact, that I am deleting my account as soon as I find out how to do so and will make sure that I avoid using their services as much as possible.
