
SoylentNews is people

posted by martyb on Friday September 23 2016, @01:14PM
from the ouch! dept.

Reuters via Yahoo News reports on an announcement by Yahoo! that an attacker "may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords" for 500 million accounts in 2014. According to the announcement, the FBI is looking into the matter, and "The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network".

Yahoo Inc said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world's biggest known cyber breach by far. Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said. But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signalling that some of the most valuable user data was not taken. The attack on Yahoo was unprecedented in size, more than triple other large attacks on sites such as eBay Inc, and it comes to light at a difficult time for Yahoo. Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site founded in 1994, and the company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications Inc. "This is the biggest data breach ever," said well-known cryptologist Bruce Schneier, adding that the impact on Yahoo and its users remained unclear because many questions remain, including the identity of the state-sponsored hackers behind it. On its website on Thursday, Yahoo encouraged users to change their passwords but did not require it.

Also covered at: Ars Technica, Computerworld, CNET, phys.org

  • (Score: 1) by WillR (2012) on Friday September 23 2016, @03:28PM (#405571)

    Yeah. If they aren't storing plaintext then they would have to store hashes of substrings and compare those to hashed substrings of the new password. That sounds way less secure than storing one password hash. Cracking a good 10-character password on commodity GPUs would take centuries, but if you can attack it in 4- or 5-character chunks it would only take a few minutes!
  • (Score: 1, Interesting) by Anonymous Coward on Friday September 23 2016, @05:26PM (#405625)

    Not Yahoo, but the way we tested for that used to be to chop the last four characters, the last two characters and the last character and try those combinations. We also started to brute the last character on both the single trim and no trim to check for suffix changes. So it would catch "oldpass" changed to "oldpass1" or "oldpass!" or "oldpas1".