Yahoo! has disclosed another major breach of its users' data:
Yahoo! Inc. disclosed a second major security breach that may have affected more than 1 billion users, giving an update on its probe into hacks on its system before the sale of its main web businesses to Verizon Communications Inc. The company said in a statement that it hasn't been able to identify the "intrusion" associated with this theft by a third party in August 2013.
"Yahoo believes this incident is likely distinct from the incident the company disclosed" in September, according to the statement. The shares dropped as much as 2.6 percent in extended trading after the announcement. At that time, Yahoo said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing a wide swath of its users ahead of the Verizon deal. The attacker was a "state-sponsored actor," and stolen information may have included names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo has said.
In the 2013 hack disclosed Wednesday, Yahoo said compromised user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
The attackers might have gotten access to less info than Uncle Sam did.
Also at TechCrunch, WSJ, and Yahoo!'s Tumblr.
Related Stories
http://www.bbc.co.uk/news/technology-37551415
Yahoo secretly scanned millions of its users' email accounts on behalf of the US government, according to a report. Reuters news agency says the firm built special software last year to comply with a classified request.
"Yahoo is a law abiding company, and complies with the laws of the United States," the tech firm said in a statement provided to the BBC.
The allegation comes less than a fortnight after Yahoo said hackers had stolen data about many of its users. Yahoo is in the process of being taken over by Verizon Communications in a $4.8bn (£3.8bn) deal. The telecoms provider declined to comment on the report.
Yahoo has now reported every single account was affected by a data breach in 2013:
In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized.
Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.
Related: Yahoo, Inc is No More
Two Russian FSB Officers Charged Over Yahoo! Hack
Yahoo! Discloses Second Hack of More Than a Billion Accounts
Anonymous Source: Yahoo! Breach May Have Affected 1 to 3 Billion Accounts
500 Million Yahoo Accounts Hacked
(Score: 3, Informative) by Anonymous Coward on Thursday December 15 2016, @11:39AM
The attacker was a "state-sponsored actor,"
I'd say that too. Surely a company cannot be expected to defend against state-sponsored hacking? That's the only possible answer. It couldn't be criminally negligent security practices!
(Score: 2) by GungnirSniper on Thursday December 15 2016, @12:59PM
That's why I post anti-* things, so I have a plausible defense when clicking those links Ethanol-fueled keeps sending me.
See? Perfect defense. Thanks Marissa!
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 2) by Scruffy Beard 2 on Thursday December 15 2016, @01:53PM
I find "state-sponsored actor" hard to believe because they were giving at least one state access on purpose.
So two of Russia, France, and China are supposed to have independently broken in?
Definitely possible, but it should not be your first conclusion.
(Score: 2) by Scruffy Beard 2 on Thursday December 15 2016, @01:56PM
On their Tumblr post they say:
" We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
That is slightly more plausible.
(Score: 0) by Anonymous Coward on Thursday December 15 2016, @04:59PM
> Surely a company cannot be expected to defend against state-sponsored hacking?
Where did you get that from? I don't see even a hint of them trying to absolve themselves of blame based on that claim.
What I do see is a warning that if any country's government considers you interesting, then you should be extra concerned by this hack because your information may have been singled out for special attention by the hackers.
(Score: 2) by bob_super on Thursday December 15 2016, @06:25PM
> I don't see even a hint of them trying to absolve themselves of blame based on that claim.
It's implied. As others pointed out, it's the "we didn't fall for no script kiddies, honest, guv', but what could we possibly do against the power of Rogue states" defense.
I'm gonna get myself a Soylentnews email one of these days (any alias that would be easier to give to people?), not because SN systems are bulletproof, but because they're lower profile than all those corps who either mine your data themselves, or can't protect it anyway.
(Score: 0) by Anonymous Coward on Thursday December 15 2016, @07:57PM
> It's implied.
No. It's being read into the words. It isn't like this is the first publicly suspected state-sponsored hack.
Just because a lot of people are knee-jerking to it this time doesn't make that knee-jerking valid.
http://www.nydailynews.com/news/national/twitter-warning-targeted-users-state-sponsored-hackers-article-1.2465413 [nydailynews.com]
http://arstechnica.com/security/2012/06/google-state-sponsored-attack-warnings/ [arstechnica.com]
http://america.aljazeera.com/articles/2015/10/21/facebook-warns-users-of-state-sponsored-hacking.html [aljazeera.com]
http://www.businessinsider.com/microsoft-alert-email-users-of-government-hacks-2015-12 [businessinsider.com]
http://www.biztekmojo.com/001837/microsoft-did-not-inform-hotmail-hack-victims-regarding-china-sponsored-attack-years-ago [biztekmojo.com]
(Score: 0) by Anonymous Coward on Thursday December 15 2016, @11:56AM
"state sponsored" just means that they need to shield their computer engineers because "state actors" are uber hackers. be afraid of hackers. be even MORE afraid of state sponsored hackers.
its sooo lame and implies that a regular user stands no snowball's chance in hell surviving on the internet and that only good ol' big brother the state has the means to protect you.
of course handing over your responsibility to secure your computer to your native state will accomplish only the opposite ...
in German there is a saying "he, also, only cooks with water". (as in: there's no special ingredient)
(Score: 2, Insightful) by Anonymous Coward on Thursday December 15 2016, @12:53PM
So, there are excuses now? "State sponsored" is now an excuse to "it wasn't our fault!". But it was - your internal network is not protected. It leaked all account information and no one noticed. Stop with the excuses.
(Score: 3, Informative) by AthanasiusKircher on Thursday December 15 2016, @02:27PM
I know this may sound a bit insulting, but should we really expect competent security practices from a company that takes its name from a fictional race of boorish idiots? (If you don't know what I'm talking about, see Jonathan Swift.)
Oh, I know it was probably named after the yell instead, but I'm not sure that's better. It's like expecting internet security from a bunch of guys yelling "TIE-YIE-YIPPIE-YIPPIE-YAY!!"
(Score: 0) by Anonymous Coward on Thursday December 15 2016, @04:54PM
Because "google" - an intentionally goofy misspelling of a really big number - is so much better?
Nominative determinism makes for great jokes, like Anthony Weiner and his dick pics, but assuming causality is for fools.
(Score: 4, Insightful) by digitalaudiorock on Thursday December 15 2016, @02:46PM
I don't get it. Every news report I've seen on this just sort of glossed over the "2013" part, telling people to "change passwords" etc. etc. WTF? ...over three years ago? Call it a hunch, the damage is pretty much done at that point.
(Score: 1, Insightful) by Anonymous Coward on Thursday December 15 2016, @05:02PM
> Call it a hunch, the damage is pretty much done at that point.
Not if you are still using the same password on other sites. Just because your other accounts have not yet been hacked doesn't mean they still can't be hacked.
(Score: 5, Interesting) by takyon on Thursday December 15 2016, @05:31PM
Now that the breach has been disclosed, the attackers may accelerate their efforts to try Yahoo! passwords on other sites.
That's if anything was taken at all. Yahoo! certainly doesn't seem to know.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Thursday December 15 2016, @06:30PM
And they are not allowing users to change security questions. You can't even see them.
This might keep the same people from using your answers to get into your Yahoo account. But it seems to me that users should be able to see their own questions and answers in case they were also used on another site.
(Score: 2) by butthurt on Saturday December 17 2016, @04:07AM
The government accounts belong to current and former White House staff, U.S. congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the U.S. military. The list includes an FBI division chief and multiple special agents working around the U.S.; current and former diplomats in Pakistan, Syria and South Africa; a network administrator at NSA’s Fort Meade headquarters; the chief of an Air Force intelligence group; and a human resources manager for the CIA.
-- https://www.bloomberg.com/news/articles/2016-12-15/stolen-yahoo-data-includes-government-employee-information [bloomberg.com]
(Score: 0) by Anonymous Coward on Saturday December 17 2016, @04:09AM
The Washington Times also covered the same angle.
http://www.washingtontimes.com/news/2016/dec/15/yahoo-breach-exposes-details-150000-government-and/ [washingtontimes.com]