Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net)
Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.
Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million users' accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm the massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and were selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possibly larger implications for the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
That means I can finally get my account details back. I've been trying to find out my password for years!
Not, one assumes, active accounts.
does a hacker siphoning off data on TWO HUNDRED MILLION users go undetected? did part of that bing search deal involve yahoo using microsoft servers or something?
captcha: mistrust
At least in the EU there is a law that punishes not informing users of a breach of their personal data within 24 hours. Not sure if that exists in the US too?
200 Million users are on yahoo?
I have this premonition my Verizon wireless bill is about to go up (again). Yahoo!
When you now download Java from Oracle, it comes bundled with some sort of crapware from Yahoo.
AFAIK this is very recent. I'm pretty sure it wasn't there even two weeks ago. Perhaps a last-ditch attempt to improve their numbers before the sale?
Enjoy life! This is not a dress rehearsal.
Where do millions Yahoo accounts suddenly come from?
all AT&T email accounts are actually hosted by yahoo. Are they part of the breach as well?
You mean I have to change my 20+ year old password on my Yahoo account?
Relax...it's part of Yahoo's "Value Added" program where your sensitive account details are safely stored where everyone can freely access them. Just be glad they aren't charging extra for this feature.
Just cruising through this digital world at 33 1/3 rpm...
Maybe the last login date will be the 5th of March, 2001?
What is the root cause of most of these data breaches? I know in the Target and Home Depot cases, they hooked insecure embedded systems to their main network or enabled third party access for convenience that the hackers took advantage of. But what happens in cases like this? Does someone just exploit a security hole in a public facing service and go in from there? Or is it an inside job in most cases?
Until confirmation is out, you cannot be sure. But I put my money on also being part. One main perk of using a tech company for your services is they handle security. It is usually a requirement for the deal. Sometimes it might be the other way around, but that depends on AT&T's initial intentions (e.g. saving IT costs or keeping user data contained to themselves)... It also depends on privacy policies AT&T may have made you abide by. If you want advanced details about a possible leak, you should probably read those agreements.
Twenty years ago when Yahoo! was the biggest fish in the search pond before Google showed up?
I wonder if my ancient yahoo account is even active...
It's revenge for all the damage that 1st worlders inflicted on the world. Payback is a bitch.
The only thing she's done right at Yahoo is wearing a short skirt.
There are a couple of Yahoo groups I belong to that I still log into my Yahoo account once or twice a week. Was going to switch one of them I moderate over to Google Groups, but Google killed off the feature that allowed group members to upload a file to the group...
Yahoo never recovered from Google. (Who has?) This makes all of their side bets into creating a social media network out of Flickr, Tumblr starting with their purchase of EGroups ten or more years ago so interesting. They had enough stuff to make a critical mass of a social media platform but never had the vision to unify those disparate products into one single space.
My guess is that there was a layer of vice presidents who each wanted to keep their own fiefdoms, and years of low-level resistance prevented the 'Okay, let's turn this all into a single experience for the user'. They had a broad demographic spread over their different products but failed to reach ignition.
---- The above post was generated by the Turing Institute. Maybe.
Yahoo stopped trying like 10 years ago and seemed to rely on the AOL portal business model. Didn't go well for AOL. Their competitors had better features from day 1; what did they think was going to happen? Yahoo isn't one of those "too big to fail" companies. Long slow death knell from a company that took advantage of the tech bubble hype while not actually striving to pioneer. Anyone can make a search engine or spider. Hell, give most of us a week and we can make something better than Yahoo lol.
The biggest outcome from this will be all the people who look over the list and then say "What? I still have a yahoo account."
There are a couple of Yahoo groups I belong to that I still log into my Yahoo account once or twice a week. Was going to switch one of them I moderate over to Google Groups, but Google killed off the feature that allowed group members to upload a file to the group...
Rubbish! Google never killed off any products or features! That's heresy, I tell you!
Just recently I was prompted to change passwords on my two Yahoo accounts. I've had both for about 10 years and this is the first time I've seen this, so yeah, they're visibly doing something about it. Unfortunately, they waited an unacceptably long time, and they still weren't forcing the password change. That's not surprising, given that it's Yahoo, but it's still kinda disappointing.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
My wife had Yahoo email a couple of years ago.
One day all the parents of our child's soccer team got an email that appeared to be from her hawking some cheesy product. She had to send an apology, explaining her email account was breached.
Table-ized A.I.
If AT&T is part of the breach, it won't do any good changing your AT&T password as the old password will still work when accessed through Yahoo. I brought that problem up about 5 years ago, don't know if it was fixed yet and doubt if it was.
Why is this modded down?? I'm with Trump-- I've had enough of this political correctness bullshit. I'm guessing you're upset because I singled out people from third world countries, even though that is where almost ALL the hackers reside? (not including Russia and China). When one speaks the truth now-a-days, it is considered a despicable act if it is about non-white people.
Nobody had better screw around with my FFL roster!
Old account. Got alert login from new device then password changed twice. They changed it back to the original. New password and turned on SMS auth so it won't happen again. Sucks it was an old account before I had started using random passwords per site so had to go through every site I use and verify it was not that password. Thankfully I use a password manager that makes that easy. Can't be lazy about passwords anymore.
There is a corporate and home version of JRE to download, the home version contains the crapware. It's been there for years and years, you may have just accidentally been downloading the right version.
Blaming 3rd world people for breaking into companies like Yahoo is buffoonery. Yahoo had, and has, bad security which resulted in a break-in and massive data breach. They had, and have, bad practices, so the issue sits for much longer than a month before being made public. Yahoo is concerned with its shareholders and executives, and how they can cash in. Yahoo is not concerned with their actual revenue source, customers. Surely two wrongs don't make a "right", but you should be directing your anger at Yahoo, not people making a few pennies to sell account data which should have been updated as soon as the breach was detected.
If there was a moderation titled "moronic" you would probably see that too, but we are limited in how we can moderate.
Oh, absolutely; this will NEVER happen to gmail!
You resort to posting as "Anonymous Coward" to personally attack someone? Why didn't you use your normal account? At least this guy didn't make it personal about anyone. He just blamed 75% of the world's countries.
I'm very inclined to believe that yes, anyone whose mail is hosted by Yahoo is part of the breach. That includes the bells (ATT, SBC, PacBell, BellSouth, etc). Anecdotally I'm confident that the address books and recent contacts of Yahoo Mail users have been compromised for years through some type of exploit. There are spam campaigns that specifically target these accounts in this way, forging the "From" address as someone you have recently communicated with.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
It has always been my assumption that Yahoo accounts are compromised by default.
This isn't news.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
I'm guessing it's because you're a fucking idiot.
Who puts real information about themselves in their Yahoo profile? I found the picture of some guy on the internet. The dates are all made up. I mean, the only dumber thing is putting real information on that face-palm site.
In case anyone else wants it, my password is C0wBoyNe1l!
I just did an image search on Marissa Mayer. Her skirts are not that short.
Click bait is always a let down.
Definitely time to start dropping the Yahoo accounts, people.
Asking for a friend.
Flickr still has a vibrant community. Some people left over the UI change, but where would they really go? 500px? Don't make me laugh.
I still prefer the UI Flickr has over any other site - for serious photography.
Yahoo didn't kill off Flickr - and they are larger than they ever have been.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is easy to fix and there is Precedent*
They will leave the terms of the sale as they are, but sign an MoU saying that all costs (legal, fines, class actions, etc.) and liabilities derived from THIS PARTICULAR BREACH will be borne by the tracking company that will remain after the sale with Yahoo!'s holding of Alibaba shares.
That way the negotiation shall proceed and the shareholders receive the cash part of the deal...
* The precedent: When Siemens was trying to get rid of their Telecoms Unit, they first approached Motorola about the joint venture. This would have been better, as there was very little product or geographic overlap. As part of their due diligence process, Motorola was told of ongoing corruption investigations in the larger Siemens (it was unclear at that time if the telecom unit was involved). Motorola backed out.
Then Siemens approached Nokia. Quite bad, as there was a lot of overlap, both in product lines and in geography. Nokia accepted. They set a date. A few weeks before the date (IIRC it was near the MWC of '06) the corruption cases escalated, the effective date of the JV was postponed, and rumour had it that the JV was falling apart. So, Siemens AG signed an MoU stating that any and all liabilities and fines derived from corruption cases from the telecom unit would be assumed by Siemens AG and not the JV.
Motorola should have done just that, would have been better for all involved!
In the end, there was no corruption on the Telecoms part (energy and transportation for sure, maybe others).
*** Good luck to everyone and have a nice day!
That's significant. Locking your door won't do you any good if an intruder has government provided tools to bypass locks. How can private protect themselves without running afoul of the law themselves? They certainly can't retaliate, at least not without Congressional oversight and the backing of the Executive.
173 million people in Nigeria. Assuming each of them has 2 e-mail accounts set up for 419 scamming, I would say Yahoo having 200 million accounts is believable.
"That's the way to do it" - Punch
The only way to be safe is to require all fingerprints, plus a scan of the front page of the Calcutta Daily Register for your birthdate.
spoken like a true fucktard.
And free on top of that... yep, that's what people get. If you are too cheap to pay or host your own, then that's the price you pay; that said, most normal people do not care.
Get your own damn email server, it's actually not that hard, and you always have something to do!
PEACE
If this keeps up, pretty soon we're all going to be Anonymous Coward!
[picture of man wearing a barrel]
My wife has a yahoo mail account. Just checked and there's no notification.
Yes, let's all quote a person who deserves a few months in an ISIS camp.
yahoo hehe
I also heard Slashdot was breached; any truth to the rumor?
AT&T outsources their email to Yahoo...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
In all my Yahoo accounts (around 20 accounts) there were two security questions: 1 my own and 1 additional random security question for every account. Check yours and then disable it.
Maybe the hackers will draft a fantasy sports team that will actually win a league now.... can't do any worse than me.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
They don't "suddenly come from", but Yahoo used to be a quite popular place to have an account, and since they don't charge you for the account, those accounts never went away, people just forgot about them.
Even if the accounts *did* go away, the records would still be there, and so if the passwords are used with the same account name on another site...
I think we've pushed this "anyone can grow up to be president" thing too far.
but the change password link in the yahoo web mail UI takes one to "my AT&T" account page for AT&T login and password
From what I understand, most problems of this "kind" are the result of social engineering. What that means can be anything from an email pretending to come from the CEO to a phone call that apes a desperate user trying to recover some information. And other possibilities.
For this kind of a breach, I'd expect that there was a potential weakness, and social engineering was used to gather the information needed to exploit it. Actual holes are possible but less likely, and even then it's likely that social engineering was used to gather the information needed to know what holes to try for.
That said, a zero day is always a possibility to keep in mind. It's just not the approach I expect was used. Also possible is a strong misconfiguration such that social engineering wasn't needed to exploit it.
P.S.: It's my belief that most social engineering is never detected. People don't like to tell their boss that they've been fooled, and in a really good social engineering approach they would never even know that they had been fooled, and the event could only be revealed by reasoning backwards after the penetration was detected.
All that said, I'm no expert in this area. Most of my information comes from reading Slashdot and such over the years, and patterns of attack change over time. But this is my best guess at the answer to your question.
I think we've pushed this "anyone can grow up to be president" thing too far.
My throwaway porn e-mail.
It used to be that you could login on either the AT&T site or the Yahoo site with your (AT&T) username and password. The problem I discovered was when you changed your password at the AT&T account site, both your new and old password still worked fine at the Yahoo site. I'm no longer using either so I really don't care, but you should see if that still works.
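The failure mode described in this comment (a password changed at the primary account site while the old one keeps working at the downstream mail service) can be modelled as a cached credential verifier that is never invalidated. The following is an added example written for this page, not code from the thread, Yahoo or AT&T; the `PrimaryStore`, `StaleMirror` and `VersionedMirror` classes, the user `alice` and her passwords are all constructed for the illustration. It shows the weak design beside a corrected one that ties every cached verifier to a credential version issued by the primary store.

```python
"""Toy model of stale cached credentials at a downstream service.

Added illustration for this thread; every name here is hypothetical and the
PBKDF2 parameters are constructed, not any provider's real settings.
"""
import hashlib
import hmac
import os


def _verifier(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 password verifier (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PrimaryStore:
    """Authoritative credential store (stands in for the 'AT&T account site').

    Every password change increments a per-user credential version so that
    downstream caches can tell whether the verifier they hold is current.
    """

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        version = self._users.get(user, {"version": 0})["version"] + 1
        self._users[user] = {"salt": salt, "hash": _verifier(password, salt), "version": version}

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _verifier(password, rec["salt"]))

    def version(self, user: str) -> int:
        return self._users[user]["version"]

    def export(self, user: str) -> dict:
        # Copy handed to a replica; the replica must not mutate the primary record.
        return dict(self._users[user])


class StaleMirror:
    """Weak design: snapshots the verifier once and never re-checks it.

    After a password change at the primary, the old password still verifies
    here, which is exactly the symptom the comment describes.
    """

    def __init__(self, primary: PrimaryStore) -> None:
        self.primary = primary
        self._cache: dict[str, dict] = {}

    def login(self, user: str, password: str) -> bool:
        if user not in self._cache:
            self._cache[user] = self.primary.export(user)
        rec = self._cache[user]
        return hmac.compare_digest(rec["hash"], _verifier(password, rec["salt"]))


class VersionedMirror:
    """Fix: the cached verifier is only trusted while its version matches the
    primary's current credential version; otherwise it is refreshed first."""

    def __init__(self, primary: PrimaryStore) -> None:
        self.primary = primary
        self._cache: dict[str, dict] = {}

    def login(self, user: str, password: str) -> bool:
        rec = self._cache.get(user)
        if rec is None or rec["version"] != self.primary.version(user):
            rec = self.primary.export(user)  # cheap version check, refresh on mismatch
            self._cache[user] = rec
        return hmac.compare_digest(rec["hash"], _verifier(password, rec["salt"]))


def run_scenario() -> dict:
    """Reproduce the bug with the stale mirror and show the versioned mirror rejects it."""
    primary = PrimaryStore()
    primary.set_password("alice", "old-pass")  # constructed sample user and password
    stale, fixed = StaleMirror(primary), VersionedMirror(primary)
    stale.login("alice", "old-pass")  # both mirrors populate their caches
    fixed.login("alice", "old-pass")
    primary.set_password("alice", "new-pass")  # user changes password at the primary
    return {
        "primary_rejects_old": not primary.verify("alice", "old-pass"),
        "stale_mirror_accepts_old": stale.login("alice", "old-pass"),  # the bug
        "fixed_mirror_rejects_old": not fixed.login("alice", "old-pass"),
        "fixed_mirror_accepts_new": fixed.login("alice", "new-pass"),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The version check is a pull-style safeguard: even if a change notification from the primary is lost, the next login at the mirror notices the mismatch and refreshes. A practitioner testing a federated login setup would run the same sequence (change at the primary, then try the old secret at every downstream entry point) as a regression test.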
Yahoo? Before Google, there was AltaVista. Yahoo was a rather lame index.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Yahoo was a rather lame index.
That must have been the three years or so that Google provided search results for Yahoo under contract.
Yahoo started out being an index instead of a search engine. Even in those early days of AltaVista and Lycos I can't ever recall using Yahoo.
Only the State obtains its revenue by coercion. - Murray Rothbard
So I went to change my (never used) yahoo account.
They have my full birthday, and I no longer trust them with that information.
But I can't see how to remove it. There's no 'edit profile' button on the 'Personal Info' page - https://login.yahoo.com/account/personalinfo - at least in Chrome on MacOs. I don't want to login anywhere else, I don't trust them anymore.
I'm thinking to delete my account - but even that won't help - they apparently archive deleted accounts for 12 months (!)
Yahoo used to have a good MP3 search though. It was like Napster through a search engine.
This is horrible! Now hackers will have access to all my spam!
Seriously, the only reason I even have/use the Yahoo email address is for websites that are so scummy I don't want to associate them with the /HOTMAIL/ account. Every now and then I take a peek and I don't think that account gets any email that /isn't/ virus-laden. Even if I wanted to use it, its interface is so ugly (with a stunning /purple/ color scheme) that my eyes were bleeding after just a few minutes. It's the cesspool of freemail providers.
I just went through the password change process earlier today when this was first posted, and was redirected to the AT&T site to reset the password. I just tested now and my old password is not working to log into mail. I didn't think to try logging in with my old password again back then, maybe there's a delay in synchronizing the AT&T passwords to the email passwords or something (though my new password worked right away... weird)
The ability to create an account was as simple as thinking of a name and pw.
Domestic spying is now "Benign Information Gathering"
I am not sure if it was before the breach, or after.
Thankfully legacy accounts can just ignore the phone number demand, but creating a new account, inputting a phone number is mandatory and part of the verification process.
All seems rather fascist to me, and I have no doubt in a few years it will bite people in the ass.
Having said that: Did anyone actually USE real personal information on yahoo? I know every account I had with them had all that personal info faked for exactly this reason. Anyone who needed that information had it communicated to them at the time it was needed rather than left in a profile that might someday be accessed by all.
I am terrified that someone is going to be able to spoof being me in the 10 or so Yahoo groups I'm a member of. I'm assuming they will be bored out of their skulls long before their trolling ends up bothering anybody overly much. Fortunately, I haven't relied on Marissa and friends for anything else.
The 1st worlders only seem worse because we're better equipped. If Afghani tribes had nuclear weapons they would have killed us all over an arranged marriage to a 12-year-old girl.
The account still exists and I was able to authenticate but the message says that they detected some unusual activity and they need to send a confirmation to a backup email account.
That secondary email address I linked it to no longer works though, so I can't access it. ;(
Even in those early days of AltaVista and Lycos I can't ever recall using Yahoo.
I can't ever recall using AltaVista and Lycos. Of course, I came late to the Internet GUI scene. My first five years on the Internet were on a dial-up SLIP account into a UNIX box, using Lynx (a text web browser) to browse the Internet.