Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net)
Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack, but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.
Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million users' accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm the massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and were selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possible larger implications on the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
Great News (Score:5, Funny)
That means I can finally get my account details back. I've been trying to find out my password for years!
Re: (Score:1, Funny)
Found it for you: dum6@ssTr011
200 Million Yahoo "Users" (Score:1)
Re: (Score:3)
Ain't that the luck...and just when Marissa was on the verge of turning that company back into a powerhouse again.
Re: (Score:2, Informative)
200m user details stored in one place that can get hacked?
I wouldn't hold your breath here.
At most, you'd expect some kind of isolated authentication service, separate from the rest of their servers but I doubt it.
If someone has just sucked it out of a SQL table, the chances of it being properly hashed and salted are minimal. And the chances they used MD5 - which even hashed and salted is cracked beyond belief nowadays - rather than something sensible? Minimal.
Re: (Score:2)
And the chances they used MD5 - which even hashed and salted is cracked beyond belief nowadays - rather than something sensible? Minimal.
Can't re-hash an old password without forcing a reset or waiting until the user logs in. I would easily believe Yahoo probably has 500 million accounts that have been dormant since before MD5 was useless.
Re: (Score:2)
Definitely a sound technique, but even at the size of Yahoo, I'm not sure if this would have happened. The transition to something like SHA1 probably happened long enough ago that MD5 was still relatively secure.
Re: (Score:2)
200m user details stored in one place that can get hacked?
I wouldn't hold your breath here.
At most, you'd expect some kind of isolated authentication service, separate from the rest of their servers but I doubt it.
If someone has just sucked it out of a SQL table, the chances of it being properly hashed and salted are minimal. And the chances they used MD5 - which even hashed and salted is cracked beyond belief nowadays - rather than something sensible? Minimal.
The notice from Yahoo claims that the passwords are hashed with bcrypt.
Re: (Score:2)
But apparently the security questions and answers were stored in plain text. That's like locking your front door with a triple lock, a fingerprint reader and iron bars but then leaving the ground floor window wide open with a neon sign "enter here" pointing to it. And then claiming that you take security seriously. And when someone enters, you don't tell anyone for two years because you're afraid your parents will find out.
Re: (Score:3)
They should.
It's literally best practice and the way any sensible organisation should do it. An authentication server is just that - it authenticates. Whether that's RADIUS or whatever else, it should do one job and do it well and have the minimum amount of access necessary to do that job.
With someone like Yahoo's money and resources there is no excuse.
And with an auth server farm, how do you get hacked? It has to be deliberate insider intrusion (i.e. someone who works on those machines). Done properly,
Re: (Score:1)
at least a child's level of competence
You are assuming a lot here. This is an internet company.
Re: (Score:3)
Re: (Score:1)
The only way Yahoo could improve the security of these accounts is a mandatory password change at the next login, nag active users to change their passwords, or wait for users to change the password themselves.
Or they could, you know, just stop hosting flash ads on the webmail page. At least then it would appear that they don't actually want user accounts to be easily harvested in an untraceable fashion by unknown unscrupulous parties.
Re: (Score:1)
Lately, Yahoo has been nagging me to not use anything but their official apps and web interface to access my email. I guess this news is why.
Screw that. I pay $20/yr for SMS/IMAP access to my email there. That means I get to use Thunderbird and iOS Mail, and they get to keep their servers secure.
I use Yahoo mail regularly, mostly for job search and other official biz. I joined years ago and was able to get [firstname].[lastname]@yahoo.com for each member of my family when they started allowing the dot t
Re: (Score:1)
Huh,
I don't pay and I access via pop when I get home and fire off my email.
Re: (Score:2)
Re: (Score:1)
Not sure about SMS mail, but Yahoo has opened up IMAP for quite a while -- about 5 years or so.
Mail Plus is gone and replaced by "Yahoo Ad-Free Mail" which gives:
No text or graphical ads in Yahoo Mail on desktop browsers.
The account will not go inactive.
https://help.yahoo.com/kb/SLN3... [yahoo.com]
"The Yahoo Mail Plus premium service has been replaced by Ad Free Mail. If you're still subscribed to your original Yahoo Mail Plus account, here's what to expect when
Re: (Score:2)
How to move from a plaintext or otherwise insecure password storage system to a modern solution:
1) The user tries to log in.
2) Check if they've already had their password updated to your more secure solution. (Salt is the correct length? or similar)
3) Assuming they are using the old style, authenticate the user with the old style of authentication, keeping
Re: (Score:2)
"One hash can be wrapped inside another, ad infinitum"
Do you count how many times the hash has to be applied? And store that?
Or do you keep hashing and matching until you get a result? How many times do you do this before giving up?
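The migration procedure sketched in the "How to move from a plaintext or otherwise insecure password storage system" comment, and the "wrap one hash inside another" question just above, as an added example that is not from the original thread or from Yahoo. It stores a scheme tag in each record so nothing has to be guessed at login time, wraps bare MD5 records in a slow KDF offline (no password needed), and upgrades any non-modern record to the modern scheme the next time the user logs in; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the record format and work factor are assumptions.

```python
import hashlib
import hmac
import os

# Constructed record format: "<scheme>$<iterations>$<salt-hex>$<digest-hex>",
# except legacy "md5$<digest-hex>". The scheme tag answers "how many times was
# it hashed?" directly, so verification never loops or guesses.
ITERATIONS = 100_000  # PBKDF2 work factor; a stand-in for bcrypt's cost parameter


def _legacy_md5(password: str) -> str:
    """The insecure legacy scheme: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _kdf(material: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, iterations)


def make_legacy_record(password: str) -> str:
    """Only used here to construct sample data resembling an old MD5 table."""
    return "md5$" + _legacy_md5(password)


def make_modern_record(password: str) -> str:
    salt = os.urandom(16)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${_kdf(password, salt, ITERATIONS).hex()}"


def wrap_legacy_record(record: str) -> str:
    """Offline migration step, run over the whole table without any password:
    wrap the bare MD5 digest in the slow KDF. A dumped table then no longer
    exposes the fast MD5 digest, so every guess costs the attacker the KDF."""
    scheme, md5_hex = record.split("$", 1)
    if scheme != "md5":
        raise ValueError("only bare md5 records can be wrapped")
    salt = os.urandom(16)
    return f"pbkdf2-md5${ITERATIONS}${salt.hex()}${_kdf(md5_hex, salt, ITERATIONS).hex()}"


def verify_and_upgrade(record: str, password: str):
    """Return (ok, new_record). new_record is a fresh modern record when the
    login succeeded against a legacy or wrapped scheme (the caller stores it),
    otherwise None. This is the lazy, on-login half of the migration."""
    parts = record.split("$")
    scheme = parts[0]
    if scheme == "md5":
        ok = hmac.compare_digest(parts[1], _legacy_md5(password))
    elif scheme in ("pbkdf2", "pbkdf2-md5"):
        iterations, salt, digest = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        # For a wrapped record the KDF input is the legacy MD5 digest, not the password.
        material = _legacy_md5(password) if scheme == "pbkdf2-md5" else password
        ok = hmac.compare_digest(digest, _kdf(material, salt, iterations))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    if ok and scheme != "pbkdf2":
        return True, make_modern_record(password)
    return ok, None
```

Dormant accounts that never log in stay on the wrapped scheme, which is why the offline wrapping step matters: it is the only protection they get until a password reset.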
Re: (Score:2)
According to their breach FAQ, the stolen data included "hashed passwords (the vast majority with bcrypt)". I don't know what "the vast majority" means, nor do I know what alternate form of hashing may have been done prior to their adoption of bcrypt that they're still hanging on to.
I do know that the only reason I still have an active Yahoo! account is because of their OAuth support. Well that's pretty much in the crapper now, isn't it?
Verizon bill increase? (Score:5, Funny)
Re: (Score:2)
Of course the bill is going to go up!
Simply because today is a day that ends in 'y'
In related news... (Score:4, Informative)
When you now download Java from Oracle, it comes bundled with some sort of crapware from Yahoo.
AFAIK this is very recent. I'm pretty sure it wasn't there even two weeks ago. Perhaps a last-ditch attempt to improve their numbers before the sale?
Re: (Score:2)
Re: (Score:2)
Can confirm. They're trying to change browser settings in the installer. It wasn't there last week when I did an install on my work machines.
Nothing new (Score:1)
There is a corporate and home version of JRE to download, the home version contains the crapware. It's been there for years and years, you may have just accidentally been downloading the right version.
Darn... (Score:5, Funny)
Re:Darn... (Score:5, Funny)
In related news, this served to remind me that I actually have a Yahoo account.
Re: (Score:2)
I'm on several Yahoo groups, although the only ones formed in the past several years are obvious spam that someone enrolled me in.
Re: (Score:2)
Mine was previously:
password
As 8 characters was considered safe back in the day. Now 20-30 is the standard so I've just upped it to:
passwordpasswordpasswordpassword
Should last me the next decade or so.
(Note: it's perfectly safe to post this as nobody knows my email address)
Re: (Score:2)
Relax (Score:4, Funny)
Relax...it's part of Yahoo's "Value Added" program where your sensitive account details are safely stored where everyone can freely access them. Just be glad they aren't charging extra for this feature.
Re: (Score:1)
Just be glad they aren't charging extra for this feature.
...and now they are.
Your tongue-in-cheek idea is at least as good as any Yahoo's executives have put forward in the last 5 years.
Re: (Score:1)
and now they are.
Your tongue-in-cheek idea is at least as good as any Yahoo's executives have put forward in the last 5 years.
Wait, wait- Yahoo executives have had ideas??
Serious question about this (Score:2)
What is the root cause of most of these data breaches? I know in the Target and Home Depot cases, they hooked insecure embedded systems to their main network or enabled third party access for convenience that the hackers took advantage of. But what happens in cases like this? Does someone just exploit a security hole in a public facing service and go in from there? Or is it an inside job in most cases?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The root-cause is almost universally greed and stupidity among the higher-ups, leading to
- IT security people that are overworked, unappreciated and came from the pool of "cheapest possible"
(as a result, everybody hates them, because they do no good, but prevent people from doing their work)
- Lack of IT security people
- Developers of security-critical software being "cheapest possible" or outsourced in the same quality-class
- System-administration being outsourced or overworked, and ag
FWIU: social engineering (Score:2)
From what I understand, most problems of this "kind" are the result of social engineering. What that means can be anything from an email pretending to come from the CEO to a phone call that apes a desperate user trying to recover some information. And other possibilities.
For this kind of a breach, I'd expect that there was a potential weakness, and social engineering was used to gather the information needed to exploit it. Actual holes are possible but less likely, and even then it's likely that social e
Re: (Score:2)
Blaming one or two distant nations seems to play well to the domestic press.
Nations that can get in, stay in, move data but are so easy to detect just after an event...
The insider threat just seems to be in the too hard basket for most to even think to ask about.
Recall some of the past news events surrounding security and later findings.
New Research Blames Insiders, Not North Korea, for Sony Hack (Dec. 30, 2014)
http://time.com/3649394/sony-h.. [time.com]
Yahoops? (Score:1)
Fortunately nothing of value was lost (Score:5, Insightful)
Yahoo never recovered from Google. (Who has?) This makes all of their side bets into creating a social media network out of Flickr, Tumblr starting with their purchase of EGroups ten or more years ago so interesting. They had enough stuff to make a critical mass of a social media platform but never had the vision to unify those disparate products into one single space.
My guess is that there was a layer of vice presidents who each wanted to keep their own fiefdoms and years of low level resistance prevented the 'Okay, let's turn this all into a single experience for the user'. They had a broad demographic spread over their different products but failed to reach ignition.
Re: (Score:1)
I used to *love* Flickr. It was a vibrant community of photographers and photographs, and the tool worked, didn't get in the way, and facilitated the sharing. About 5 years ago Yahoo decided to "improve" the UI and made it unusable. They killed off a perfect property. Fuckers.
Re: (Score:1)
Flickr is still better (Score:2, Interesting)
Flickr still has a vibrant community. Some people left over the UI range, but where would they really go? 500px? Don't make me laugh.
I still prefer the UI Flickr has over any other site - for serious photography.
Yahoo didn't kill off Flickr - and they are larger than they ever have been [expandedramblings.com].
Re: (Score:2)
Re: (Score:2)
Just curious. What don't you like about 500px?
I used to be a very active flickr user, and never really tried 500px.
Re: (Score:2)
Yahoo Finance is still the most popular in its category [npr.org] ...it's the one place where Yahoo still beats Google.
Biggest outcome from this... (Score:2)
They've already tacitly admitted the breach (Score:4, Interesting)
Just recently I was prompted to change passwords on my two Yahoo accounts. I've had both for about 10 years and this is the first time I've seen this, so yeah, they're visibly doing something about it. Unfortunately, they waited an unacceptably long time, and they still weren't forcing the password change. That's not surprising, given that it's Yahoo, but it's still kinda disappointing.
Re: (Score:2)
Re: (Score:2)
I'm curious, how exactly did they prompt you?
After entering user name and password there is a screen that says "Make sure your account is secure! To secure your account, change your password and update your mobile number", followed by a large blue button with "Yes, secure my account" and small grey text below that saying "I'll secure my account later". Clicking on the latter asks for a mobile number, (hell no), and then proceeds to the Yahoo main page, from whence I click on the email link. Clicking on the former presents the usual two-field password
Re: (Score:2)
Wonder how long the ability just to click past that request will last?
Re: (Score:2)
Hmmm.... I set up my current Yahoo account about 20 years ago, I think my most recent password change was about 2 years ago, I haven't received any notice of the breach from them... maybe it's in my Spam folder with 3,478,235 other messages.
Re: (Score:2)
I remember I also had to change passwords on Yahoo! about two years ago.
I believe there's a clue in their "Breach FAQ" where they state "the vast majority of passwords were hashed with bcrypt". It could be that their old passwords were protected with a less-secure older salting-and-hashing system (maybe something like the original crypt()) and by 2014 they had replaced it with bcrypt.
But even an old crypt() hash can't simply be broken on demand without a lot of CPU grinding for every password recovered.
Re: (Score:2)
I just got the recent breach notice this morning.
Re: (Score:2)
Two years ago was when the breach happened. Ergo, prompting a mandatory password change was the breach notification.
I just checked again, on a third Yahoo account I had almost forgotten about, and the password change is NOT mandatory. There may be a time-limited or login-limited period after which they force a password change, but for all I know users may be able to keep their compromised passwords until Yahoo implodes.
Personal anecdote (Score:1)
My wife had Yahoo email a couple of years ago.
One day all the parents of our child's soccer team got an email that appeared to be from her hawking some cheesy product. She had to send an apology, explaining her email account was breached.
Re: (Score:2)
Re: (Score:1)
No, you're not wrong to tell her that, but you should probably also caveat that someone she knows (or at least who has her email address in their history/addressbook) probably has been hacked. Those spoofed headers need to be populated with plausible looking content from somewhere.
Re: (Score:2)
Judging by some I get, no, they don't need to be populated with plausible looking content. But even if they did, a mail-server being hacked is at least as plausible as one of her friends being hacked. It probably happens a lot less often, but when it does happen the payoff list of associated names is a lot larger.
Re: (Score:2)
Well, this time, in the case of Yahoo mail, probably it's the same thing. Additionally, their persistent security issues over the years and especially the TYPE of security issues they seem to keep having has led me to the conclusion there must be inside actors assisting.
Can validate this. (Score:2)
Old account. Got a login alert from a new device, then the password was changed twice. They changed it back to the original. New password and turned on SMS auth so it won't happen again. Sucks it was an old account from before I had started using random passwords per site, so I had to go through every site I use and verify it was not that password. Thankfully I use a password manager that makes that easy. Can't be lazy about passwords anymore.
Gloat past the graveyard (Score:2)
Re: (Score:1)
Oh, absolutely; this will NEVER happen to gmail!
The price for this data is almost enough that it's worth bribing an insider for it.
Any Yahoo accounts *not* hacked? (Score:2)
It has always been my assumption that Yahoo accounts are compromised by default.
This isn't news.
Re: (Score:2)
Yes, I would like a list of accounts that were NOT hacked.
No valid data on yahoo anyway. (Score:1)
Re: (Score:2)
For people who were put in there as a result of deals between Yahoo and some large ISP like SBC/AT&T, the customer's name, address and phone number are there.
Uh oh.... (Score:3)
Re: (Score:2)
Definitely time to start dropping the Yahoo accounts, people.
Start? Who has one?
Re: (Score:2)
I think I had one about a century ago. Haven't logged onto it since. If I did have anything on it, it's waay out of date.
Re: (Score:2)
I think I had one about a century ago. Haven't logged onto it since. If I did have anything on it, it's waay out of date.
Most of us are in the same situation, had one centuries ago, haven't used it in years
Do not worry about the deal with Verizon. (Score:2)
This is easy to fix and there is precedent*
They will leave the terms of the sale as they are, but an MoU saying that all costs (legal, fines, class actions, etc) and liabilities derived from THIS PARTICULAR BREACH will be borne by the tracking company that will remain after the sale with Yahoo!'s holding of Alibaba shares.
That way the negotiation shall proceed and the shareholders receive the cash part of the deal...
* The precedent: When Siemens was trying to get rid of their Telecoms Unit They first appr
AT&T... (Score:2)
AT&T outsources their email to Yahoo...
Fantasy (Score:2)
Oh no! (Score:2)
This is horrible! Now hackers will have access to all my spam!
Seriously, the only reason I even have/use the Yahoo email address is for websites that are so scummy I don't want to associate them with the /HOTMAIL/ account. Every now and then I take a peek and I don't think that account gets any email that /isn't/ virus-laden. Even if I wanted to use it, its interface is so ugly (with a stunning /purple/ color scheme) that my eyes were bleeding after just a few minutes. It's the cesspool of freemail provider
I tried to login but... (Score:2)
The account still exists and I was able to authenticate but the message says that they detected some unusual activity and they need to send a confirmation to a backup email account.
That secondary email address I linked it to no longer works though, so I can't access it. ;(
Re: (Score:1)
Where do millions of Yahoo accounts suddenly come from?
All AT&T email accounts are actually hosted by Yahoo. Are they part of the breach as well?
Re:Yahoo has users? (Score:5, Informative)
Re: (Score:3, Interesting)
Re: (Score:2)
but the change password link in the yahoo web mail UI takes one to "my AT&T" account page for AT&T login and password
Re:Yahoo has users? (Score:4, Interesting)
I'm very inclined to believe that yes, anyone whose mail is hosted by Yahoo is part of the breach. That includes the bells (ATT, SBC, PacBell, BellSouth, etc). Anecdotally I'm confident that the address books and recent contacts of Yahoo Mail users have been compromised for years through some type of exploit. There are spam campaigns that specifically target these accounts in this way, forging the "From" address as someone you have recently communicated with.
Re: (Score:2)
Re: (Score:2)
There are a couple of Yahoo groups I belong to that I still log into my Yahoo account for once or twice a week. Was going to switch one of them I moderate over to Google Groups, but Google killed off the feature that allowed group members to upload a file to the group...
Re: (Score:2, Funny)
There are a couple of Yahoo groups I belong to that I still log into my Yahoo account for once or twice a week. Was going to switch one of them I moderate over to Google Groups, but Google killed off the feature that allowed group members to upload a file to the group...
Rubbish! Google never killed off any products or features! That's heresy, I tell you!
Re: (Score:2)
Re: (Score:2)
Yahoo was a rather lame index.
That must have been the three years or so that Google provided search results for Yahoo under contract.
Re: (Score:3)
Yahoo started out being an index instead of a search engine. Even in those early days of AltaVista and Lycos I can't ever recall using Yahoo.
Re: (Score:2)
Even in those early days of AltaVista and Lycos I can't ever recall using Yahoo.
I can't ever recall using AltaVista and Lycos. Of course, I came late to the Internet GUI scene. My first five years on the Internet were on a dial-up SLIP account into a UNIX box, using Lynx (text web browser) to browse the Internet.
Re:Yahoo has users? (Score:4, Funny)
173 million people in Nigeria. Assuming each of them has 2 e-mail accounts set up for 419 scamming, I would say Yahoo having 200 million accounts is believable.
Re: (Score:2)
They don't "suddenly come from", but Yahoo used to be a quite popular place to have an account, and since they don't charge you for the account, those accounts never went away, people just forgot about them.
Even if the accounts *did* go away, the records would still be there, and so if the passwords are used with the same account name on another site...
Re: (Score:2)
Re: (Score:2)
There are notification requirements, yes.
But nowhere does it say 24 hours.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
She obviously needs another raise for doing such a great job.
This is click-bait! (Score:1)
I just did an image search on Marissa Mayer. Her skirts are not that short.
Click bait is always a let down.
Re: (Score:1)
The backdoor is in the ad network where it's always been. They never fix it, they just keep saying they did.
Re: (Score:2)
One of their "co-branded" ISP deals was with AT&T (bought by SBC), and also "my AT&T" users were put into Yahoo mail.