
posted by martyb on Friday September 23 2016, @01:14PM
from the ouch! dept.

Reuters via Yahoo News reports on an announcement by Yahoo! that an attacker "may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords" for 500 million accounts in 2014. (Yahoo's own statement describes the passwords as hashed, the vast majority with bcrypt, and adds that in some cases encrypted or unencrypted security questions and answers were also taken.) According to the announcement, the FBI is investigating the matter, and "The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network".

Yahoo Inc said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world's biggest known cyber breach by far. Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said. But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signalling that some of the most valuable user data was not taken.

The attack on Yahoo was unprecedented in size, more than triple other large attacks on sites such as eBay Inc., and it comes to light at a difficult time for Yahoo. Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site founded in 1994, and the company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications Inc.

"This is the biggest data breach ever," said well-known cryptologist Bruce Schneier, adding that the impact on Yahoo and its users remained unclear because many questions remain, including the identity of the state-sponsored hackers behind it. On its website on Thursday, Yahoo encouraged users to change their passwords but did not require it.

Also covered at: Ars Technica, Computerworld, cnet, phys.org



Related Stories

Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding 33 comments

We had two Soylentils write in to tell us this news.

Yahoo! Disables Automatic Email Forwarding

Yahoo! disabled automatic email forwarding around the beginning of the month:

As Yahoo's embattled email service suffers through a slew of bad news, some users are finding it hard to leave. Automatic email forwarding was disabled at the beginning of the month, several users told The Associated Press. While those who've set up forwarding in the past are unaffected, some who want to leave over recent hacking and surveillance revelations are struggling to switch to rival services. "This is all extremely suspicious timing," said Jason Danner, who runs an information technology business in Auckland, New Zealand, and is trying to quit Yahoo after 18 years with the email provider.

Yahoo Inc. declined to comment on the recent change beyond pointing to a three-line notice on Yahoo's help site which says that the company temporarily disabled the feature "while we work to improve it."

Also at BBC, PC World, and TechCrunch.

Previously: 500 Million Yahoo Accounts Hacked
Yahoo "Secretly Scanned Emails for US Authorities"

Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding

After back-to-back revelations that hackers had compromised a staggering 500 million Yahoo Mail accounts and that the company had complied with a US government request to open incoming emails for surveillance, some users are having a hard time switching to any of Yahoo's competitors.

While it remains unclear how many users intend to leave over the privacy concerns and bad publicity, several told the Associated Press that their ability to do so has been hampered since the beginning of the month, when Yahoo disabled its automated email-forwarding option.

Those who had already set up their forwarding are unaffected, but those who wish to begin forwarding messages now are unable.

This ought to give pause to users who might one day want to get their data out of Facebook, too.



Anonymous Source: Yahoo! Breach May Have Affected 1 to 3 Billion Accounts 15 comments

Business Insider reports that a compromise of Yahoo! that had been acknowledged to affect "at least 500 million" accounts may have affected significantly more. Citing an unnamed "former Yahoo executive familiar with its security practices," the story says that the company's "main user database, or UDB" which stores the details for users of several of the company's services, was compromised. If the entire database were copied, information on one to three billion accounts could have been stolen.

Previously:
Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding
In Yahoo Breach, Hackers May Seek Intelligence, Not Riches
500 Million Yahoo Accounts Hacked



Yahoo! Breach Affected 3 Billion Accounts 10 comments

Yahoo has now reported every single account was affected by a data breach in 2013:

In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized.

Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.

Related: Yahoo, Inc is No More
Two Russian FSB Officers Charged Over Yahoo! Hack
Yahoo! Discloses Second Hack of More Than a Billion Accounts
Anonymous Source: Yahoo! Breach May Have Affected 1 to 3 Billion Accounts
500 Million Yahoo Accounts Hacked



  • (Score: 4, Insightful) by Anonymous Coward on Friday September 23 2016, @01:56PM

    by Anonymous Coward on Friday September 23 2016, @01:56PM (#405529)

    And it only took 2 years to let us know.

  • (Score: 3, Funny) by Runaway1956 on Friday September 23 2016, @01:58PM

    by Runaway1956 (2926) Subscriber Badge on Friday September 23 2016, @01:58PM (#405531) Journal

    Was anything of value lost?

    Forgive me, but I never did like or trust a company that uses "yahoo" for a name.

    On second thought, don't forgive me. Yahoo sucks. It's your fault for trusting them with any personal data. You're (mostly) the same people who trust Mark Suckerberg with your personal data, after all.

    • (Score: 2) by richtopia on Friday September 23 2016, @02:10PM

      by richtopia (3160) on Friday September 23 2016, @02:10PM (#405539) Homepage Journal

      I'm trying to think if anything of value was lost with my account... I started a yahoo.co.uk mail account when the 30 megs of storage was significantly more than yahoo.com (8megs I seem to remember). But haven't used it in years. I think I bought a domain name once with that user account but I don't know if I have any personal data of value there.

    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @02:23PM

      by Anonymous Coward on Friday September 23 2016, @02:23PM (#405544)

      I use my yahoo account (under a fake name, of course) to register on sites like foxnews.com so I can troll in the forums along with everyone else. That's about it.

      • (Score: 5, Funny) by Anonymous Coward on Friday September 23 2016, @03:58PM

        by Anonymous Coward on Friday September 23 2016, @03:58PM (#405583)

        When one trolls on foxnews forums, is it still a troll? or are you posting rational and reasonable opinions there?

        • (Score: 2) by Gaaark on Friday September 23 2016, @04:08PM

          by Gaaark (41) on Friday September 23 2016, @04:08PM (#405587) Journal

          When a bear shits in the woods, does it make a grunting sound?

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 2) by bob_super on Friday September 23 2016, @04:34PM

            by bob_super (1357) on Friday September 23 2016, @04:34PM (#405597)

            That bear is nice enough to leave the woods and go shit at the dump.

        • (Score: 2) by Phoenix666 on Saturday September 24 2016, @11:33AM

          by Phoenix666 (552) on Saturday September 24 2016, @11:33AM (#405908) Journal

          Leave. jmorris. Alone.

          --
          Washington DC delenda est.
    • (Score: 2) by Thexalon on Friday September 23 2016, @02:35PM

      by Thexalon (636) on Friday September 23 2016, @02:35PM (#405550)

      See, your standards are looser than mine. I stop at "I never did like or trust a company".

      Or more precisely, I trust them to do whatever they think will make themselves the most money, which includes: Skimping on security unless it's likely to become a PR problem, selling off targeting based on any of my personal data they can get hold of to advertisers, and selling off any of my personal data they can get hold of if the financial conditions become desperate.

      And I don't see having any sort of emotional attachment to a for-profit corporation as a good idea. Not even the ones I work for or own.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @03:09PM

      by Anonymous Coward on Friday September 23 2016, @03:09PM (#405561)

      I doubt anything of value was lost. I'm very sure whoever has my data already had my name, email address, telephone number, and DOB from prior hacks. The loss of a password salt matters not; I'll just change my password - in fact, I think I have since the breach occurred.

      Now, pray tell, indicate to me how you live in the modern world without giving up your personal information to numerous parties via the internet. Or give it up to companies who then store said information in a way that is accessible via the internet. Or I'd be curious to know if there is additional space available in the cave you must live in.

      And no, I don't use Facebook anymore. But really if you don't have friends who are likewise on FB and use that method to keep you apprised of what's up.... then you must not have many friends. Which isn't surprising, either.

      • (Score: 2) by Runaway1956 on Friday September 23 2016, @05:44PM

        by Runaway1956 (2926) Subscriber Badge on Friday September 23 2016, @05:44PM (#405633) Journal

        "Now, pray tell, indicate to me how you live in the modern world without giving up your personal information"

        It isn't possible to be on the internet without giving up information. But, one can be discriminatory about who, when, where, and why he gives up information. For instance, the big social media is blocked in most of my browsers. I've mentioned before that I actually have a Facebook account. That account is not even accessed with the same browser that I do online shopping with. I use multiple search engines - primarily Google, but duckduckgo and others.

        Long story short, I use a number of prophylactics when I'm dipping my wick into the great data pool.

        Does the NSA have a good dossier on me? Maybe, but I make it as tough as possible.

      • (Score: 5, Informative) by edIII on Friday September 23 2016, @07:53PM

        by edIII (791) on Friday September 23 2016, @07:53PM (#405687)

        Now, pray tell, indicate to me how you live in the modern world without giving up your personal information to numerous parties via the internet. Or give it up to companies who then store said information in a way that is accessible via the internet. Or I'd be curious to know if there is additional space available in the cave you must live in.

        Super. Fucking. Simple.

        I have no: Twitter account, Facebook account, Pinterest account, Reddit account, etc.

        You know how many accounts I have out there with my actual name and information? Four. All vendor accounts that are delivering services to me that I resell. The account here actually has my real email address, but then again, I'm not worried about the staff here selling our information or bringing on a c-suite that would tell them that. When you need to get accounts with utility companies there isn't much you can do since they nearly all know the service address, your name, and your phone number. Those fucking assholes demand your social too, so we're all equally fucked, unlesssss.... you have enough money for a corporate shell. Then your corporations own the property, and they have the utility accounts. Any useful personal information is abstracted away behind your corporate shell, and you can have that owned Mossack Fonseca style, preventing even determined research from identifying where you live, and who you are.

        No cave required, and if rich enough, you can do it in plain sight of everyone else in a penthouse in New York.

        What do you do with the rest of the accounts that you might want? LIE. For each and every website, use a randomly chosen name or phrase for your "handle", a throw-away email account (or just an alias on your domain), and a randomly chosen individualized password for that site. All other meta data requested are pure lies. Remembering lies can be quite difficult for the non-sociopaths, so my trick is to create a snapshot of the registration screen.

        Of course, since we aren't addicted to oversharing our personal lives to make Mark Suckerburg rich, our personal information is fairly well locked up.

        And no, I don't use Facebook anymore. But really if you don't have friends who are likewise on FB and use that method to keep you apprised of what's up.... then you must not have many friends. Which isn't surprising, either.

        Uh, huh. Point of clarity here, are those real friends or just Facebook friends? There is a difference. I have zero Facebook friends, but I have plenty of friends otherwise. Most of them not on Facebook either, but still many are. Quite a number of my family members are.

        Now real friends are much harder to cultivate and maintain. Beginning a friendship isn't as easy as clicking a like button, or "be-your-friend" button upon a shallow digital request. Real friends actually go out, engage in activities together.

        My real friends and I can have a real conversation in public beyond 140-character sound bites and banal mostly-marketing-driven posts about what food we may be eating. They *call* me up and we actually *talk* about things that matter to us, share our pain, our fears, our joys, our laughter. What I don't receive are intellectually offensive and banal notifications that they just "ordered a rocking pizza from Dominos!", delivered by Dominos!, on behalf of my friend. Likewise I don't get useless short Twittered updates about their latest bowel movement. If they want to impress me, let me hear it from my seat in the restaurant.

        Most rewardingly, my real friends can go out and be with each other and myself without phones! That may be quite a concept for you: Life without digital devices and Facebook/Twitter being your "3rd friend" in the group helping you deal with each other.

        Yep, I'm fairly certain I'm much better off without Facebook friends and being forced to actually interact with them.

        As smug as you are, I'm positive you have 4 digits worth of Facebook friends (it's easy too), but how many of them will go hiking with you? To the beach? Pick you up at 3am when you're in trouble? Those are real friends; the ones who will deal with you without Facebook or Twitter.

    • (Score: 3, Insightful) by Leebert on Friday September 23 2016, @06:17PM

      by Leebert (3511) on Friday September 23 2016, @06:17PM (#405649)

      I never did like or trust a company that uses "yahoo" for a name.

      The crazy thing is that they're so old, they actually had a CHOICE, unlike today's world of "buzzrrrr.io" and similar nonsense.

  • (Score: 3, Informative) by PizzaRollPlinkett on Friday September 23 2016, @02:08PM

    by PizzaRollPlinkett (4512) on Friday September 23 2016, @02:08PM (#405538)

    An easier way to do this would be to make a list of who has not gotten hacked. Every day there's a constant stream of sites that get hacked, to the point I can't keep up.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 4, Interesting) by Anonymous Coward on Friday September 23 2016, @02:37PM

    by Anonymous Coward on Friday September 23 2016, @02:37PM (#405551)

    I have a yahoo account I use for spam etc. I got a notification to reset my password. Fine, fine. So it went like this:

    Old password: blahblah@123
    New password: blahblah@123! # note extra char - "!"

    Yahoo! griped, "Your new password is too similar to a password you used before. Please try again."

    Question: How would Yahoo! have known about the actual password characters? If they're using a standard one-way encryption mechanism, it seems like it would be impossible. Unless they're storing your password in plaintext somewhere?

    Seems like an indictment of their security to me, but maybe there's some cleverness at work I'm not aware of?

    • (Score: 2, Interesting) by WillR on Friday September 23 2016, @02:54PM

      by WillR (2012) on Friday September 23 2016, @02:54PM (#405556)
      Did the password change process ask for your old password and your new password?
      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @03:08PM

        by Anonymous Coward on Friday September 23 2016, @03:08PM (#405560)

        Nope--just two blanks for the new password.

        It seemed rather strange, if you ask me...

        • (Score: 1) by WillR on Friday September 23 2016, @03:28PM

          by WillR (2012) on Friday September 23 2016, @03:28PM (#405571)
          Yeah. If they aren't storing plaintext then they would have to store hashes of substrings and compare those to hashed substrings of the new password. That sounds way less secure than storing one password hash. Cracking a good 10 character password on commodity GPUs would take centuries, but if you can attack it in 4 or 5 character chunks it would only take a few minutes!
          • (Score: 1, Interesting) by Anonymous Coward on Friday September 23 2016, @05:26PM

            by Anonymous Coward on Friday September 23 2016, @05:26PM (#405625)

            Not yahoo, but the way we test for that used to be to chop the last four characters, the last two characters and the last character and try those combinations. We would also start to brute-force the last character on both the single trim and no trim to check for suffix changes. So it would catch "oldpass" changed to "oldpass1" or "oldpass!" or "oldpas1" changes.

    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @03:15PM

      by Anonymous Coward on Friday September 23 2016, @03:15PM (#405562)

      if you had to enter both your old password and new password in the same form, probably inline javascript. if not, then yeah it was stored in plaintext on their servers.

    • (Score: 3, Insightful) by tibman on Friday September 23 2016, @03:21PM

      by tibman (134) Subscriber Badge on Friday September 23 2016, @03:21PM (#405567)

      maybe there's some cleverness at work

      Probably javascript comparing the two plaintext passwords on your browser.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 2) by julian on Friday September 23 2016, @04:57PM

        by julian (6003) Subscriber Badge on Friday September 23 2016, @04:57PM (#405614)

        That's exactly how it's done although knowing Yahoo they probably found a way to leak information from that too

    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @04:16PM

      by Anonymous Coward on Friday September 23 2016, @04:16PM (#405589)

      Yeah, if it never asked for your old password then indeed they are storing it plaintext. For shame.
      It's scary how many sites do this, or even the better but still bad unsalted hashes. I even ran into a couple places who had forgot password forms that would actually email you your set password rather than generate a new one. Terrible.

    • (Score: 2) by Scruffy Beard 2 on Friday September 23 2016, @04:41PM

      by Scruffy Beard 2 (6030) on Friday September 23 2016, @04:41PM (#405602)

      One possibility is that your old password was weak enough that they were able to crack it.

      Sounds doubtful though.

    • (Score: 2) by bob_super on Friday September 23 2016, @04:51PM

      by bob_super (1357) on Friday September 23 2016, @04:51PM (#405610)

      My previous Fortune-500 company used to have this too. Apparently it's a feature.
      They explicitly said that too many consecutive chars were similar. Interestingly, it was thoroughly defeated by changing a single char in the middle.

      I'd really like to know how it works without being a major security hole.

      • (Score: 2) by Username on Friday September 23 2016, @05:26PM

        by Username (4557) on Friday September 23 2016, @05:26PM (#405626)

        Probably a common key on the server somewhere, and they just decrypt a hash. Assuming it's this way; otherwise you would lose all your email once you forget your password, if it were encrypted with your password.

  • (Score: 3, Interesting) by Celestial on Friday September 23 2016, @02:52PM

    by Celestial (4891) on Friday September 23 2016, @02:52PM (#405555) Journal

    What's much worse than stealing usernames and encrypted passwords... is that the hacker(s) stole "encrypted or unencrypted security questions and answers" [businessinsider.com]. Granted, it doesn't matter to me as I don't have a Yahoo! account, but I imagine quite a few people gave Yahoo! valuable security questions and answers.

    • (Score: 3, Insightful) by SrLnclt on Friday September 23 2016, @04:03PM

      by SrLnclt (1473) on Friday September 23 2016, @04:03PM (#405585)

      I never understood the supposed security of these questions and answers online. Maybe it worked for banks 25 years ago to ask for your mother's maiden name. Today people tweet about what they had for dinner last Tuesday night. Finding out where they went to high school and what the school's mascot was could be trivial, even without hacks like this. If you are under 25, the street you grew up on could be in public record databases. Then when there are hacks like this, it's not like you can change the truthful answer to some of these questions.

      I rarely answer these questions truthfully, particularly for things that are not bank accounts. For the record, our high school mascot at Bayside is the Tigers - I had the locker next to Zack. The only problem is trying to remember your fake answers if you ever actually need to reset a password.

      • (Score: 2) by Scruffy Beard 2 on Friday September 23 2016, @04:43PM

        by Scruffy Beard 2 (6030) on Friday September 23 2016, @04:43PM (#405603)

        I see challenge questions as less secure secondary passwords.

        They can effectively prevent account sharing though (I have run into the problem).

      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @06:02PM

        by Anonymous Coward on Friday September 23 2016, @06:02PM (#405638)

        I used to think I was so clever by answering all those questions "fuck you". What was your mother's maiden name? Fuck you. Where were you born? Fuck you.

        Then I realized someone could break into any of my accounts by just typing fuck you. Eh. Not so clever.

      • (Score: 3, Informative) by JNCF on Friday September 23 2016, @06:09PM

        by JNCF (4317) on Friday September 23 2016, @06:09PM (#405640) Journal

        The only problem is trying to remember your fake answers if you ever actually need to reset a password.

        It's especially bothersome when you don't need to reset your password, but a site decides that it wants you to give the made-up answers to your security questions anyway because you're logging in from a new device/location. These systems should have a "treat me like an adult who won't lose or share their password and let me suffer the consequences of incompetency if and when they arise" checkbox.

  • (Score: 0) by Anonymous Coward on Friday September 23 2016, @03:23PM

    by Anonymous Coward on Friday September 23 2016, @03:23PM (#405568)

    Time to find my 25+ Yahoo email accounts and update the passwords.

    If this happens to Gmail I'm dead.

    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @04:16PM

      by Anonymous Coward on Friday September 23 2016, @04:16PM (#405590)

      What do you do with all those accounts?
      Just curious...

      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @04:24PM

        by Anonymous Coward on Friday September 23 2016, @04:24PM (#405592)

        Separate account for each online identity, or one account for a small cluster of related site signups under a single identity.

        • (Score: 0) by Anonymous Coward on Friday September 23 2016, @05:35PM

          by Anonymous Coward on Friday September 23 2016, @05:35PM (#405631)

          Do you use the same phone number to get them all?

          If not, how do you get accounts when a phone number is required?

          • (Score: 0) by Anonymous Coward on Friday September 23 2016, @06:20PM

            by Anonymous Coward on Friday September 23 2016, @06:20PM (#405650)

            I created a lot of accounts before phone number requirements became widespread. More recently, Gmail tries to look like it requires a phone number, but only really does it when you slip up and log on using a different IP or do something else "suspicious". Then you are locked out forever unless you give a phone number. Dozens of angry messages to "support" did nothing.

            Now I say fuck it and just go to https://www.openmailbox.org/ [openmailbox.org] which is great so far.

            • (Score: 0) by Anonymous Coward on Friday September 23 2016, @07:58PM

              by Anonymous Coward on Friday September 23 2016, @07:58PM (#405691)

              Nice. Thanks!

        • (Score: 2) by Scruffy Beard 2 on Saturday September 24 2016, @02:45AM

          by Scruffy Beard 2 (6030) on Saturday September 24 2016, @02:45AM (#405828)

          I love my catch-all e-mail address on my own domain.

          companyname@domain.ca

          That way, you can find out when a site gets hacked before it even hits the news (looking at you, dropbox).
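
Added example (written for this page, not the commenter's code): the per-site catch-all address above works as a breach canary because only one party should ever know `companyname@domain.ca`. The Python below reads a batch of messages and flags any tagged address that receives mail from a sender whose domain does not carry that tag. `domain.ca` is taken from the comment; the sample messages and the allowlist are constructed for the demo and are not real mail.

```python
"""Flag mail sent to per-site catch-all addresses by anyone other than the
site the address was given to. Added example, not from the original post."""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Assumption: the catch-all domain from the comment. The local part of each
# address names the site it was handed to (dropbox@domain.ca, shopco@domain.ca).
CANARY_DOMAIN = "domain.ca"

# Sender domains a tagged site legitimately uses besides its own (a mailing
# provider, say). Empty here; add entries to suppress known false positives.
ALLOWED_SENDER_DOMAINS = {
    # "shopco": {"mail.shopco-esp.example"},
}

# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    "From: Dropbox <no-reply@dropbox.com>\nTo: dropbox@domain.ca\nSubject: Weekly digest\n\nbody\n",
    "From: deals@cheap-pills.example\nTo: dropbox@domain.ca\nSubject: Buy now\n\nbody\n",
    "From: billing@shopco.example\nTo: shopco@domain.ca\nSubject: Receipt\n\nbody\n",
    "From: someone@elsewhere.example\nTo: friend@otherdomain.example\nSubject: hi\n\nbody\n",
]


def canary_tag(address: str) -> str:
    """Return the site tag for an address on the catch-all domain, else ''."""
    local, _, domain = address.rpartition("@")
    return local.lower() if domain.lower() == CANARY_DOMAIN else ""


def sender_matches_tag(sender_domain: str, tag: str) -> bool:
    """The tag must appear as a DNS label of the sender's domain, or the
    domain must be on that tag's allowlist."""
    sender_domain = sender_domain.lower()
    return tag in sender_domain.split(".") or sender_domain in ALLOWED_SENDER_DOMAINS.get(tag, set())


def flag_leaks(raw_messages: List[str]) -> List[Tuple[str, str]]:
    """Return (tag, sender) pairs for messages where a canary address received
    mail from a sender that is not the site it was given to. Only the first
    To: recipient is examined."""
    leaks = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        _, to_addr = parseaddr(str(msg.get("To", "")))
        _, from_addr = parseaddr(str(msg.get("From", "")))
        tag = canary_tag(to_addr)
        if not tag:
            continue  # not one of our tagged addresses
        sender_domain = from_addr.rpartition("@")[2]
        if not sender_matches_tag(sender_domain, tag):
            leaks.append((tag, from_addr))
    return leaks


if __name__ == "__main__":
    for tag, sender in flag_leaks(SAMPLE_MESSAGES):
        print(f"address given to '{tag}' received mail from {sender}")
```

The From: header is attacker-controlled, so a hit means "someone other than the expected sender knows this address", not who leaked it; and a site that sends through a third-party provider will trip the check until its provider is allowlisted. Running the above on the constructed messages flags only the `dropbox@domain.ca` message from `cheap-pills.example`.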

  • (Score: 2) by http on Friday September 23 2016, @05:25PM

    by http (1920) on Friday September 23 2016, @05:25PM (#405624)

    How the hell do they know who, if anyone, is paying the hackers?

    --
    I browse at -1 when I have mod points. It's unsettling.
    • (Score: 2) by Hyperturtle on Friday September 23 2016, @07:44PM

      by Hyperturtle (2824) on Friday September 23 2016, @07:44PM (#405680)

      It is stated, as other companies have also done, because it makes the layperson reading about this think it wasn't stoppable or preventable.

      The commoner not in IT does not think of how Yahoo had known this, and really, Yahoo didn't come out and state that it was. They suggested it, they believe it to be... and provided it as the only suggestion. They don't seem to believe anyone else could do this. uh-huh.

      It's a hand wave, and it is a really convenient one considering people have heard all about "state-sponsored actors" recently due to HRC's email server and so on. The truth of the matter is that they had an issue they knew about but were trying to dump and run and had to sit on the details until it couldn't be suppressed any longer--which appeared to fortunately be after they found someone to sell to.

      The real question is if Yahoo's database is as riddled with crap details, like Radio Shack's. 500 million accounts sounds good, but I know I had 3 disposable ones that had dummy passwords and just got spam after the intended purpose was completed. Every security answer was the same. I don't even necessarily remember what the accounts were, but I did get emails recently asking for me to wake up and use the account or lose it -- and I received those on a secondary (disposable) non-yahoo account I have, since it seems in email providers lately, you need to have an email and phone already to get a disposable account...

  • (Score: 2) by bradley13 on Friday September 23 2016, @06:47PM

    by bradley13 (3053) on Friday September 23 2016, @06:47PM (#405657) Homepage Journal

    AFAIK I have never had a Yahoo account. Still, I receive a message that I need to reset my password. Entered the email address they sent the message to, but it is "unknown".

    So: where did they get my email address? And why do they think I have a Yahoo account?

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @07:10PM

      by Anonymous Coward on Friday September 23 2016, @07:10PM (#405665)

      Maybe you had a Flickr account, or some other thing that Yahoo bought.