
SoylentNews is people

posted by martyb on Thursday October 20 2016, @08:56PM
from the counting-accounts-counts dept.

Business Insider reports that a compromise of Yahoo! that had been acknowledged to affect "at least 500 million" accounts may have affected significantly more. Citing an unnamed "former Yahoo executive familiar with its security practices," the story says that the company's "main user database, or UDB" which stores the details for users of several of the company's services, was compromised. If the entire database were copied, information on one to three billion accounts could have been stolen.

Previously:
Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding
In Yahoo Breach, Hackers May Seek Intelligence, Not Riches
500 Million Yahoo Accounts Hacked



Related Stories

500 Million Yahoo Accounts Hacked 45 comments

Reuters via Yahoo News reports on an announcement by Yahoo! that an attacker "may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords" for 500 million accounts in 2014. According to the announcement, the FBI is looking into the matter, and "The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network".

Yahoo Inc said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world's biggest known cyber breach by far. Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said. But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signalling that some of the most valuable user data was not taken. The attack on Yahoo was unprecedented in size, more than triple other large attacks on sites such as eBay Inc, and it comes to light at a difficult time for Yahoo. Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site founded in 1994, and the company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications Inc. "This is the biggest data breach ever," said well-known cryptologist Bruce Schneier, adding that the impact on Yahoo and its users remained unclear because many questions remain, including the identity of the state-sponsored hackers behind it. On its website on Thursday, Yahoo encouraged users to change their passwords but did not require it.

Also covered at: Ars Technica
Computerworld
cnet
phuys.org



In Yahoo Breach, Hackers May Seek Intelligence, Not Riches 9 comments

If a foreign government is behind the massive computer attack that compromised a half billion user accounts at Yahoo, as the company says, the breach could be part of a long-term strategy that's aimed at gathering intelligence rather than getting rich.

Yahoo says the breach involved users' email addresses, passwords and other information—including birthdates—but not payment card or bank account numbers. Although the stolen data could still be used in financial crimes, such as identity theft, experts say a foreign intelligence agency might combine the Yahoo files with information from other sources to build extensive dossiers on U.S. government or corporate officials in sensitive positions.

"With state-sponsored attacks, it's not just financial information that's of value," said Lance Hoffman, co-director of the Cyberspace Security and Privacy Institute at George Washington University. "In the long run, if the state accumulates a lot of information on you, and especially if it corroborates that with other sources, it can assemble a pretty good profile."

Governments have also been known to hack email accounts to keep tabs on their own citizens or dissidents. Experts believe that was one motive behind a 2010 hacking of Google Gmail accounts used by Chinese human rights activists.

Yahoo hasn't revealed the evidence that led it to blame a "state-sponsored actor" for the latest attack, which the Sunnyvale, California, company said occurred two years ago and was discovered only in recent weeks.

Some analysts warn that "state sponsored" can be a vague term. It might also be an easy excuse to deflect blame for a company's own security lapses, by suggesting it had no hope of defeating hackers who had all the resources of a government intelligence agency behind them, warned Gunter Ollmann, chief security officer at Vectra Networks, a San Jose, California, security firm.



Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding 33 comments

We had two Soylentils write in to tell us this news.

Yahoo! Disables Automatic Email Forwarding

Yahoo! disabled automatic email forwarding around the beginning of the month:

As Yahoo's embattled email service suffers through a slew of bad news, some users are finding it hard to leave. Automatic email forwarding was disabled at the beginning of the month, several users told The Associated Press. While those who've set up forwarding in the past are unaffected, some who want to leave over recent hacking and surveillance revelations are struggling to switch to rival services. "This is all extremely suspicious timing," said Jason Danner, who runs an information technology business in Auckland, New Zealand, and is trying to quit Yahoo after 18 years with the email provider.

Yahoo Inc. declined to comment on the recent change beyond pointing to a three-line notice on Yahoo's help site which says that the company temporarily disabled the feature "while we work to improve it."

Also at BBC, PC World, and TechCrunch.

Previously: 500 Million Yahoo Accounts Hacked
Yahoo "Secretly Scanned Emails for US Authorities"

Amid Fallout from Hack and Spying, Yahoo! Disables Email Forwarding

After back-to-back revelations that hackers had compromised a staggering 500 million Yahoo Mail accounts and that the company had complied with a US government request to open incoming emails for surveillance, some users are having a hard time switching to any of Yahoo's competitors.

While it remains unclear how many users intend to leave over the privacy concerns and bad publicity, several told the Associated Press that their ability to do so has been hampered since the beginning of the month, when Yahoo disabled its automated email-forwarding option.

Those who had already set up their forwarding are unaffected, but those who wish to begin forwarding messages now are unable.

This ought to give pause to users who might one day want to get their data out of Facebook, too.



Yahoo! Breach Affected 3 Billion Accounts 10 comments

Yahoo has now reported every single account was affected by a data breach in 2013:

In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized.

Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.

Related: Yahoo, Inc is No More
Two Russian FSB Officers Charged Over Yahoo! Hack
Yahoo! Discloses Second Hack of More Than a Billion Accounts
Anonymous Source: Yahoo! Breach May Have Affected 1 to 3 Billion Accounts
500 Million Yahoo Accounts Hacked



  • (Score: 2) by takyon on Thursday October 20 2016, @09:40PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday October 20 2016, @09:40PM (#416953) Journal

    Even the spambots can't count on Yahoo!

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 0) by Anonymous Coward on Friday October 21 2016, @02:22PM

      by Anonymous Coward on Friday October 21 2016, @02:22PM (#417259)

      How many people wondered:

      1. How many of my accounts are affected by the compromise?

      2. What percent of the compromised accounts are my accounts?

      How many people in that situation have used any of those accounts in the last five years? Ten?

      Disposable email is not needed so much now.

      How many people think it was stupid that yahoo made it so easy to create large numbers of accounts? (Which can be abused if you think about it.)

  • (Score: 2) by PartTimeZombie on Thursday October 20 2016, @09:48PM

    by PartTimeZombie (4827) on Thursday October 20 2016, @09:48PM (#416956)

    My (non-US) ISP began the process to ditch Yahoo as their email provider the minute this news hit the airwaves.
    It was so fast it made me wonder if they knew something in advance.

    • (Score: 0) by Anonymous Coward on Thursday October 20 2016, @10:26PM

      by Anonymous Coward on Thursday October 20 2016, @10:26PM (#416964)

      They have probably been considering it in the background for a while due to a combination of the price, the liability of using Yahoo! due to the pending sale, and that Yahoo! doesn't play nice with mobile. In addition, many businesses change providers every other year behind the scenes. The last bit of news was, most likely, the proverbial last straw.

    • (Score: 2) by GungnirSniper on Thursday October 20 2016, @11:07PM

      by GungnirSniper (1671) on Thursday October 20 2016, @11:07PM (#416973) Journal

      If Yahoo has any respect for their business partners they'll tell them before the media, and you.

      • (Score: 2) by PartTimeZombie on Thursday October 20 2016, @11:46PM

        by PartTimeZombie (4827) on Thursday October 20 2016, @11:46PM (#416989)

        > If Yahoo has any respect for their business partners they'll tell them before the media, and you.

        That could well be the case, and would be fair enough. I'm not convinced Yahoo! is well enough run to have that kind of respect though.

      • (Score: 1, Offtopic) by Bot on Friday October 21 2016, @12:03AM

        by Bot (3902) on Friday October 21 2016, @12:03AM (#416995) Journal

        pitiful sexist joke ahead, if sexism offends you stop reading, cover your ears and shout LALALALALA.

        > If Yahoo has any respect for their business partners they'll tell them before the media, and you.

        Dude, Yahoo CEO is a woman. So, expect the crisis to be managed in a feminine way:
        "Dear valued customer, your password is about three days old, do you want to change it anyway? press button below, which also says you accept not to sue us, just in case. Thank you! :* :* :*"

        --
        Account abandoned.
  • (Score: 0) by Anonymous Coward on Thursday October 20 2016, @10:04PM

    by Anonymous Coward on Thursday October 20 2016, @10:04PM (#416959)

    I have a free riseup email account and it's great. I would much rather donate to riseup than pay for another service. Works via Tor!

    I have a free horsefucker.org email account. Again, free + appreciates donations. Works via Tor!

    • (Score: -1, Redundant) by Anonymous Coward on Thursday October 20 2016, @10:18PM

      by Anonymous Coward on Thursday October 20 2016, @10:18PM (#416962)

      fuckin great!

  • (Score: 0) by Anonymous Coward on Thursday October 20 2016, @10:16PM

    by Anonymous Coward on Thursday October 20 2016, @10:16PM (#416961)
  • (Score: 2, Interesting) by Sarasani on Friday October 21 2016, @02:36AM

    by Sarasani (3283) on Friday October 21 2016, @02:36AM (#417053)

    Funny thing: the only times I have received clearly fake emails supposedly from friends it has been from a compromised Yahoo account. Apparently compromised because I noticed the names and email addresses of other friends in the addressee list (that kind of information is not easily pieced together from a regular spam list).

    In my experience this only happened with Yahoo accounts. Not Gmail, not Hotmail, not any of the other major providers out there. So yes, personally I'm not surprised about hearing this.

    • (Score: 2) by Whoever on Friday October 21 2016, @06:05AM

      by Whoever (4524) on Friday October 21 2016, @06:05AM (#417126) Journal

      > Funny thing: the only times I have received clearly fake emails supposedly from friends it has been from a compromised Yahoo account.

      I also have noticed this. I don't know if it says something about the kind of people who use Yahoo or about security at Yahoo.

  • (Score: 0) by Anonymous Coward on Friday October 21 2016, @11:48AM

    by Anonymous Coward on Friday October 21 2016, @11:48AM (#417195)

    I have a yahoo account - I have not heard anything from Yahoo about this. So I presume I was not in the 1-3 Billion accounts that were affected. In any case, I have not been advised to change my password or anything else.

    Would someone at least be able to tell me if I should change password?
    What potentially was leaked from my account? All emails? Password? Contacts?

    • (Score: 0) by Anonymous Coward on Friday October 21 2016, @07:25PM

      by Anonymous Coward on Friday October 21 2016, @07:25PM (#417374)
      You should not bother changing your password, it just gives Yahoo, their friends in the NSA, GCHQ etc, and whoever pwned Yahoo more information.

      What you should do is switch to a different email provider.
    • (Score: 2) by butthurt on Friday October 21 2016, @07:29PM

      by butthurt (6141) on Friday October 21 2016, @07:29PM (#417377) Journal

      According to Yahoo!'s chief information security officer,

      > The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

      -- https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security [tumblr.com]