Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net)

Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack, but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.

Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million users' accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm that massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and was selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possible larger implications on the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
  • Great News (Score:5, Funny)

    by Anonymous Coward on Thursday September 22, 2016 @09:44AM (#52938709)

    That means I can finally get my account details back. I've been trying to find out my password for years!

    • Re: (Score:1, Funny)

      by Tablizer ( 95088 )

      ...finally get my account details back. I've been trying to find out my password for years!

      Found it for you: dum6@ssTr011

  • Not, one assumes, active accounts.
    • by elrous0 ( 869638 )

      Ain't that the luck...and just when Marissa was on the verge of turning that company back into a powerhouse again.

  • by OffTheLip ( 636691 ) on Thursday September 22, 2016 @09:49AM (#52938753)
    I have this premonition my Verizon wireless bill is about to go up (again). Yahoo!
  • In related news... (Score:4, Informative)

    by bradley13 ( 1118935 ) on Thursday September 22, 2016 @09:51AM (#52938769) Homepage

    When you now download Java from Oracle, it comes bundled with some sort of crapware from Yahoo.

    AFAIK this is very recent. I'm pretty sure it wasn't there even two weeks ago. Perhaps a last-ditch attempt to improve their numbers before the sale?

    • by Mashiki ( 184564 )

      Can confirm. They're trying to change browser settings in the installer. It wasn't there last week when I did an install on my work machines.

    • by Anonymous Coward

      There is a corporate and home version of JRE to download, the home version contains the crapware. It's been there for years and years, you may have just accidentally been downloading the right version.

  • Darn... (Score:5, Funny)

    by __aaclcg7560 ( 824291 ) on Thursday September 22, 2016 @09:53AM (#52938781)
    You mean I have to change my 20+ year old password on my Yahoo account?
    • Re:Darn... (Score:5, Funny)

      by 93 Escort Wagon ( 326346 ) on Thursday September 22, 2016 @10:06AM (#52938897)

      In related news, this served to remind me that I actually have a Yahoo account.

    • by CODiNE ( 27417 )

      Mine was previously:
      password
      As 8 characters was considered safe back in the day. Now 20-30 is the standard so I've just upped it to:
      passwordpasswordpasswordpassword
      Should last me the next decade or so.

      (Note: it's perfectly safe to post this as nobody knows my email address)

    • No, it means you have to change your security questions on all of your other accounts (even if you told them you grew up in Mordor and your favorite color is octarine.)
  • Relax (Score:4, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Thursday September 22, 2016 @09:55AM (#52938801) Journal

    Relax...it's part of Yahoo's "Value Added" program where your sensitive account details are safely stored where everyone can freely access them. Just be glad they aren't charging extra for this feature.

    • Just be glad they aren't charging extra for this feature.

      ...and now they are.

      Your tongue-in-cheek idea is at least as good as any Yahoo's executives have put forward in the last 5 years.

      • and now they are.

        Your tongue-in-cheek idea is at least as good as any Yahoo's executives have put forward in the last 5 years.

        Wait, wait- Yahoo executives have had ideas??

  • What is the root cause of most of these data breaches? I know in the Target and Home Depot cases, they hooked insecure embedded systems to their main network or enabled third party access for convenience that the hackers took advantage of. But what happens in cases like this? Does someone just exploit a security hole in a public facing service and go in from there? Or is it an inside job in most cases?

    • Security is usually an afterthought for most technology implementations.
    • by gweihir ( 88907 )

      The root-cause is almost universally greed and stupidity among the higher-ups, leading to

      - IT security people that are overworked, unappreciated and came from the pool of "cheapest possible"
      (as a result, everybody hates them, because they do no good, but prevent people from doing their work)
      - Lack of IT security people
      - Developers of security-critical software being "cheapest possible" or outsourced in the same quality-class
      - System-administration being outsourced or overworked, and ag

    • From what I understand, most problems of this "kind" are the result of social engineering. What that means can be anything from an email pretending to come from the CEO to a phone call that apes a desperate user trying to recover some information. And other possibilities.

      For this kind of a breech, I'd expect that there was a potential weakness, and social engineering was used to gather the information needed to exploit it. Actual holes are possible but less likely, and even then it's likely that social e

    • by AHuxley ( 892839 )
      It depends on the domestic, gov and legal media spin needed.
      Blaming one or two distant nations seems to play well to the domestic press.
      Nations that can get in, stay in, move data but are so easy to detect just after an event...
      The insider threat just seems to be in the too hard basket for most to even think to ask about.
      Recall some of the past news events surrounding security and later findings.
      New Research Blames Insiders, Not North Korea, for Sony Hack (Dec. 30, 2014)
      http://time.com/3649394/sony-h.. [time.com]
  • I wonder if my ancient yahoo account is even active...
  • by sandbagger ( 654585 ) on Thursday September 22, 2016 @10:25AM (#52939051)

    Yahoo never recovered from Google. (Who has?) This makes all of their side bets into creating a social media network out of Flickr, Tumblr starting with their purchase of EGroups ten or more years ago so interesting. They had enough stuff to make a critical mass of a social media platform but never had the vision to unify those disparate products into one single space.

    My guess is that there was a layer of vice presidents who each wanted to keep their own fiefdoms, and years of low level resistance prevented the 'Okay, let's turn this all into a single experience for the user'. They had a broad demographic spread over their different products but failed to reach ignition.


    • by Anonymous Coward

      I used to *love* Flickr. It was a vibrant community of photographers and photographs, and the tool worked, didn't get in the way, and facilitated the sharing. About 5 years ago Yahoo decided to "improve" the UI and made it unusable. They killed off a perfect property. Fuckers.

      • Flickr/Yahoo backtracked a bit after rolling out the new UI and removed the most egregious aspects, but the site is still a far cry from what it once was. The tone-deafness and technical incompetence from management has been breathtaking, as every new change they make (I assume in an attempt to woo new users) only hemorrhages more of their core userbase. As a longtime Pro member, it's an awful shame.
      • Flickr still has a vibrant community. Some people left over the UI range, but where would they really go? 500px? Don't make me laugh.

        I still prefer the UI Flickr has over any other site - for serious photography.

        Yahoo didn't kill off Flickr - and they are larger than they ever have been [expandedramblings.com].

    • Yahoo Finance is still the most popular in its category [npr.org] ...it's the one place where Yahoo still beats Google.

  • The biggest outcome from this will be all the people who look over the list and then say "What? I still have a yahoo account."
  • by jenningsthecat ( 1525947 ) on Thursday September 22, 2016 @10:53AM (#52939271)

    Just recently I was prompted to change passwords on my two Yahoo accounts. I've had both for about 10 years and this is the first time I've seen this, so yeah, they're visibly doing something about it. Unfortunately, they waited an unacceptably long time, and they still weren't forcing the password change. That's not surprising, given that it's Yahoo, but it's still kinda disappointing.

    • by jrumney ( 197329 )
      I'm curious, how exactly did they prompt you? I'm not sure the altavista.net email address I used to sign up with them is still valid, but I sure haven't checked it in 15 or more years.
      • I'm curious, how exactly did they prompt you?

        After entering user name and password there is a screen that says "Make sure your account is secure! To secure your account, change your password and update your mobile number", followed by a large blue button with "Yes, secure my account" and small grey text below that saying "I'll secure my account later". Clicking on the latter asks for a mobile number, (hell no), and then proceeds to the Yahoo main page, from whence I click on the email link. Clicking on the former presents the usual two-field password

        • by AHuxley ( 892839 )
          That's more about getting a mobile number :)
          Wonder how long the ability just to click pass that request will last?
    • Hmmm.... I set up my current Yahoo account about 20 years ago, I think my most recent password change was about 2 years ago, I haven't received any notice of the breach from them... maybe it's in my Spam folder with 3,478,235 other messages.

      • by plover ( 150551 )

        I remember I also had to change passwords on Yahoo! about two years ago.

        I believe there's a clue in their "Breach FAQ" where they state "the vast majority of passwords were hashed with bcrypt". It could be that their old passwords were protected with a less-secure older salting-and-hashing system, (maybe something like the original crypt() ) and by 2014 they had replaced it with bcrypt.

        But even an old crypt() hash can't simply be broken on demand without a lot of CPU grinding for every password recovered.
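The migration plover speculates about (weak legacy hashes replaced by bcrypt, which can only be upgraded while the user presents the password) as an added example, not code from this thread or from Yahoo; it uses a constructed unsalted-SHA-1 "legacy" format and PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which the standard library does not provide.

```python
import hashlib
import hmac
import os

# Constructed toy "legacy" format: unsalted SHA-1, standing in for whatever
# weak pre-2014 scheme the comment speculates about (not Yahoo's real format).
LEGACY_PREFIX = "sha1$"
# PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library.
MODERN_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)          # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{MODERN_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_hash(password))
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False                            # unknown format: fail closed


def login(db: dict, user: str, password: str) -> bool:
    """Verify; on success, silently upgrade a legacy record to the modern one."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX):
        db[user] = modern_hash(password)    # only possible while the plaintext is in hand
    return True


def legacy_count(db: dict) -> int:
    """Records still on the weak scheme: users who never logged in since the switch."""
    return sum(1 for h in db.values() if h.startswith(LEGACY_PREFIX))


if __name__ == "__main__":
    users = {"alice": legacy_hash("correct horse"), "bob": modern_hash("hunter2")}
    print(login(users, "alice", "correct horse"), legacy_count(users))
```

Accounts that never log in after the switch keep the weak record indefinitely, which is why a provider ends up forcing a reset or invalidating those records rather than waiting on the upgrade-on-login path.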

  • My wife had Yahoo email a couple of years ago.

    One day all the parents of our child's soccer team got an email that appeared to be from her hawking some cheesy product. She had to send an apology, explaining her email account was breached.

    • by jrumney ( 197329 )
      My mother's ISP had just outsourced all their email to Yahoo a couple of months before that breach, I got a few spams from her address too. I think that was the beginning of the end for Yahoo. Until then, they were holding on, not really a big player anymore against Google, Microsoft and Amazon, but a few promising acquisitions like Flickr and del.icio.us showed they weren't ready to be written off. But since then, it has been all downhill, and the cynic in me wonders if there really was a hack this time, o
  • Old account. Got alert login from new device then password changed twice. They changed it back to the original. New password and turned on SMS auth so it won't happen again. Sucks it was an old account before I had started using random passwords per site so had to go through every site I use and verify it was not that password. Thankfully I use a password manager that makes that easy. Can't be lazy about passwords anymore.

  • Oh, absolutely; this will NEVER happen to gmail!
    • Oh, absolutely; this will NEVER happen to gmail!

      The price for this data is almost enough that it's worth bribing an insider for it.

  • It has always been my assumption that Yahoo accounts are compromised by default.

    This isn't news.

  • Who puts real information about yourself in your yahoo profile. I found the picture of some guy on the internet. The dates are all made up. I mean the only dumber thing is putting real information on that face-palm site.
    • people who were put in there as a result of deals between yahoo and some large ISP like SBC/AT&T, the customer's name, address, phone number are there

  • by John Smith ( 4340437 ) on Thursday September 22, 2016 @01:58PM (#52940889)
    Definitely time to start dropping the Yahoo accounts, people.
    • Definitely time to start dropping the Yahoo accounts, people.

      Start? Who has one?

      • I think I had one about a century ago. Haven't logged onto it since. If I did have anything on it, it's waay out of date.

        • I think I had one about a century ago. Haven't logged onto it since. If I did have anything on it, it's waay out of date.

          Most of us are in the same situation, had one centuries ago, haven't used it in years

  • This is easy to fix and there is Precedent*

    They will leave the terms of the sale as they are, but an MoU saying that all costs (legal, fines, class actions, etc) and liabilities derived from THIS PARTICULAR BREACH will be borne by the Tracking company that will remain after the sale with Yahoo!'s holding of Alibaba shares.

    That way the negotiation shall proceed and the shareholders receive the cash part of the deal...

    * The precedent: When Siemens was trying to get rid of their Telecoms Unit They first appr

  • AT&T outsources their email to Yahoo...

  • Maybe the hackers will draft a fantasy sports team that will actually win a league now.... can't do any worse than me.
  • This is horrible! Now hackers will have access to all my spam!

    Seriously, the only reason I even have/use the Yahoo email address is for websites that are so scummy I don't want to associate them with the /HOTMAIL/ account. Every now and then I take a peek and I don't think that account gets any email that /isn't/ virus-laden. Even if I wanted to use it, its interface is so ugly (with a stunning /purple/ color scheme) that my eyes were bleeding after just a few minutes. It's the cesspool of freemail provider

  • The account still exists and I was able to authenticate but the message says that they detected some unusual activity and they need to send a confirmation to a backup email account.

    That secondary email address I linked it to no longer works though, so I can't access it. ;(
