Yahoo Confirms 500 Million Accounts Hacked

     
4:07 am on Sep 23, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15120
votes: 158


An Important Message to Yahoo Users on Security [investor.yahoo.net]

A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter.


As earlier expected [webmasterworld.com...] Yahoo has confirmed that information from at least 500 million user accounts was stolen in 2014. The advice now: instead of waiting for an email from Yahoo to confirm your info was included in this breach, it’s best to change your password right now.
7:15 am on Sept 23, 2016 (gmt 0)

New User

joined:Sept 23, 2016
posts:1
votes: 0


I don't use too much Yahoo email, but just got some message about this when I opened one mail today.
7:57 am on Sept 23, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


This is a new record, 500-million accounts, and it's not a nice record to hold.

I'm also shocked that it has taken so long to come clean about this as it's gone back to 2014. Did they not know it had happened, and if they did, why was it not revealed?
8:08 am on Sept 23, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7780
votes: 71


That's a horrendous record to hold. I am also amazed at just how long it has taken for users to be made aware, surely some users will already know? Are Yahoo! telling us that the data was stolen 2 years ago, yet was never used to try and gain access to an account?

Mack.
7:32 am on Sept 25, 2016 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Mar 12, 2004
posts:509
votes: 22


I thought the data leak from Yahoo was common knowledge. Is this a different one?

I've been getting spam emails from Yahoo accounts for over a year. They are all the same format 'Hi Vordmeister then a link'. They have at least my friends' email addresses and their full names, also my email address and my name presumably from their address books.
9:46 am on Sept 26, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


Yes, it's been known for a while, and that's the point, Yahoo didn't seem to come clean about it. Additionally, it was as many as half a billion records.
10:19 am on Sept 27, 2016 (gmt 0)

Preferred Member from BG 

Top Contributors Of The Month

joined:Aug 11, 2014
posts:546
votes: 173


While I can imagine a variety of doomsday scenarios, it is highly unlikely any of them will bear fruit. Put simply, I don't get the fuss about this. It sux, but for the vast majority of the Yahoo Mail owners, this will not impact their life in any way, shape or form. I will be surprised if ANY user will be affected in any way from this leak.
2:36 pm on Sept 27, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15120
votes: 158


I don't see how strongly these leaked passwords were protected. With a database this large you'll have people working to crack them. Even without the passwords they got the full name, e-mail and secret questions. You'd be surprised what can be done with that sort of information.

I will be surprised if ANY user will be affected in any way from this leak.

I'd have to respectfully disagree. This is a huge issue. It's a huge boon to the penetration testing community and hackers alike. For the users it's not just a matter of resetting their passwords and moving on. This information being available on the open market could jeopardize millions of accounts, not just at Yahoo, but all over the internet.

Remember the Mat Honan hack in 2012? [wired.com...]
They took over his entire life by social engineering Apple and then going on to take over the rest of his accounts. Just imagine what sort of social engineering could be undertaken with all of the Yahoo info.

It's a giant mistake to brush this under the carpet and continue in your complacent ways. You do so at your own peril.
5:24 pm on Sept 27, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


Yes, even getting access to a live e-mail address is fodder for e-mail spammers, not to mention the possibility of the e-mail being used as a login on other sites.

I can tell you, from experience, the fresh meat alone in this incident is valuable to those wanting to take advantage.
8:05 am on Sept 28, 2016 (gmt 0)

Preferred Member from BG 

Top Contributors Of The Month

joined:Aug 11, 2014
posts:546
votes: 173


Don't get me wrong. I fully understand what it means to be hacked. My Yahoo mail was hacked back in 2010 and was used as a gateway for spam mail. After two days of talks with the support center I managed to retain and somewhat clean my account. But in the end the fault was with me for not taking advantage of the additional security measures offered by Yahoo and other third parties. So in a nutshell, yeah, leaking of data is bad, but at the same time with no-brainer security best practices in place, this data is irrelevant. So to worry that people will get hacked because they have bad security is like worrying that people will get scammed over the phone. The problem is on them as much as it is on the provider.

I have a good analogy I teach my clients every time the conversation goes towards the "security mumbo-jumbo". I tell them this:

"If you have a service that offers you to store your 10 oz gold bar on the street, would you believe them? Even if they go to full lengths explaining their next generation security cameras, personal guards? Of course not. You'd want a vault and you'd want a key that only you and the bank owner can have access to." Same thing with digital security. It is as much the responsibility of Yahoo as it is of their users to keep their data safe from harm, because the Internet is a big street, with many people walking on it with only one thing in their minds: How can I get this guy's gold bar?!
3:20 pm on Sept 29, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


10 oz gold bar on the street,

Not quite on the street, but in the premises of a business.

Now, if it were a tin-pot Net business with few resources, you'd take your chances. Yahoo is (was) one of the biggest on the Net.

Two-factor authentication would not have stopped this, and the theft of credentials might not stop at spamming.

According to reports, Yahoo did not take the advice of security experts with the attention and dedication that was deserved.
When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.

The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products. Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say [nytimes.com]
2:44 am on Oct 7, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8684
votes: 693


Data which can be linked to any individual is gold to hackers and spammers. Why the COMPANY announcement took this long might relate to prior negotiations of selling the company "way back when" and other assorted financial concerns. One needs to keep these kinds of things in mind when turning over your "data ... and life!" to others on the web. They are about them, not you.
 
