Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net)
Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack, but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.
Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million users' accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm that massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and were selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possible larger implications on the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
That means I can finally get my account details back. I've been trying to find out my password for years!
I have this premonition my Verizon wireless bill is about to go up (again). Yahoo!
When you now download Java from Oracle, it comes bundled with some sort of crapware from Yahoo.
AFAIK this is very recent. I'm pretty sure it wasn't there even two weeks ago. Perhaps a last-ditch attempt to improve their numbers before the sale?
Enjoy life! This is not a dress rehearsal.
You mean I have to change my 20+ year old password on my Yahoo account?
Relax...it's part of Yahoo's "Value Added" program where your sensitive account details are safely stored where everyone can freely access them. Just be glad they aren't charging extra for this feature.
Just cruising through this digital world at 33 1/3 rpm...
until confirmation is out, you cannot be sure. But I put my money on also being part. One main perk of using a tech company for your services is they handle security. It is usually a requirement for the deal. Sometimes it might be the other way around but that depends on ATT's initial intentions (e.g. saving IT costs or keeping user data contained to themselves)... It also depends on privacy policies ATT may have made you abide to. If you want advanced details about a possible leak, you should probably read them agreements.
It's revenge for all the damage that 1st worlders inflicted on the world. Payback is a bitch.
Yahoo never recovered from Google. (Who has?) This makes all of their side bets into creating a social media network out of Flickr, Tumblr starting with their purchase of EGroups ten or more years ago so interesting. They had enough stuff to make a critical mass of a social media platform but never had the vision to unify those disparate products into one single space.
My guess is that there was a layer of vice presidents who each wanted to keep their own fiefdoms, and years of low-level resistance prevented the 'Okay, let's turn this all into a single experience for the user'. They had a broad demographic spread over their different products but failed to reach ignition.
---- The above post was generated by the Turing Institute. Maybe.
There are a couple of Yahoo groups I belong to that I still log into my Yahoo account for once or twice a week. Was going to switch one of them I moderate over to Google Groups, but Google killed off the feature that allowed group members to upload a file to the group...
Rubbish! Google never killed off any products or features! That's heresy, I tell you!
Just recently I was prompted to change passwords on my two Yahoo accounts. I've had both for about 10 years and this is the first time I've seen this, so yeah, they're visibly doing something about it. Unfortunately, they waited an unacceptably long time, and they still weren't forcing the password change. That's not surprising, given that it's Yahoo, but it's still kinda disappointing.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
If AT&T is part of the breach, it won't do any good changing your AT&T password as the old password will still work when accessed through Yahoo. I brought that problem up about 5 years ago, don't know if it was fixed yet and doubt if it was.
Yahoo has been running for decades now. Even if in recent years they'd been salting and using key stretching / slow hashes to protect new users it might not necessarily protect somebody who created their account in 1999. The only way Yahoo could improve the security of these accounts is a mandatory password change at the next login, nag active users to change their passwords, or wait for users to change the password themselves. At present Yahoo are nagging users to change their password.
I'm very inclined to believe that yes, anyone whose mail is hosted by Yahoo is part of the breach. That includes the bells (ATT, SBC, PacBell, BellSouth, etc). Anecdotally I'm confident that the address books and recent contacts of Yahoo Mail users have been compromised for years through some type of exploit. There are spam campaigns that specifically target these accounts in this way, forging the "From" address as someone you have recently communicated with.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Definitely time to start dropping the Yahoo accounts, people.
173 million people in Nigeria. Assuming each of them has 2 e-mail accounts set up for 419 scamming, I would say Yahoo having 200 million accounts is believable.
"That's the way to do it" - Punch
Well, this time, in the case of Yahoo Mail, it's probably the same thing. Additionally, their persistent security issues over the years, and especially the TYPE of security issues they seem to keep having, has led me to the conclusion there must be inside actors assisting.
Yahoo started out being an index instead of a search engine. Even in those early days of AltaVista and Lycos I can't ever recall using Yahoo.
Only the State obtains its revenue by coercion. - Murray Rothbard
Ain't that the luck...and just when Marissa was on the verge of turning that company back into a powerhouse again.
SJW: Someone who has run out of real oppression, and has to fake it.
200m user details stored in one place that can get hacked?
I wouldn't hold your breath here.
At most, you'd expect some kind of isolated authentication service, separate from the rest of their servers but I doubt it.
If someone has just sucked it out of a SQL table, the chances of it being properly hashed and salted are minimal. And the chances they used MD5 - which even hashed and salted is cracked beyond belief nowadays - rather than something sensible? Minimal.
The notice from Yahoo claims that the passwords are hashed with bcrypt.
Slashdot your i and slashcross your t.
But apparently the security questions and answers were stored in plain text. That's like locking your front door with a triple lock, a fingerprint reader and iron bars but then leaving the ground floor window wide open with a neon sign "enter here" pointing to it. And then claiming that you take security seriously. And when someone enters, you don't tell anyone for two years because you're afraid your parents will find out.
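The three comments above raise one defensive problem: legacy records hashed with unsalted MD5, the "rehash at next login" alternative to nagging users, and security answers that should be stored like passwords rather than in plain text. The following is an added example, not code from Yahoo or from any commenter; it assumes PBKDF2-HMAC-SHA256 from the Python standard library as the slow, salted hash in place of bcrypt, and a constructed record format of its own.

```python
import hashlib, hmac, os, unicodedata

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 stands in for
# bcrypt as the salted, key-stretched hash; the legacy scheme is unsalted MD5.
PBKDF2_ITERS = 200_000

def legacy_md5(password: str) -> str:
    """Constructed 1999-era record: unsalted MD5, no key stretching."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def stretched_hash(secret: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored in a self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERS, salt.hex(), dk.hex())

def check(stored: str, secret: str) -> bool:
    """Verify against whichever scheme the record uses; constant-time compare."""
    scheme = stored.split("$", 1)[0]
    if scheme == "md5":
        return hmac.compare_digest(stored, legacy_md5(secret))
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed

def normalize_answer(answer: str) -> str:
    """Security answers are user-typed: canonicalise case, Unicode form and
    whitespace before hashing so 'New York' and ' new  york ' still match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str) -> str:
    return stretched_hash(normalize_answer(answer))

def check_answer(stored: str, answer: str) -> bool:
    return check(stored, normalize_answer(answer))

def login(users: dict, name: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy record with a stretched one
    while the plaintext is in hand (the 'upgrade at next login' path)."""
    stored = users.get(name)
    if stored is None or not check(stored, password):
        return False
    if not stored.startswith("pbkdf2$"):
        users[name] = stretched_hash(password)
    return True
```

Accounts that never log in keep their MD5 record, which is exactly the population the first comment says only a forced change or a nag can reach.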
They should.
It's literally best practice and the way any sensible organisation should do it. An authentication server is just that - it authenticates. Whether that's RADIUS or whatever else, it should do one job and do it well and have the minimum amount of access necessary to do that job.
With someone like Yahoo's money and resources there is no excuse.
And with an auth server farm, how do you get hacked? It has to be deliberate insider intrusion (i.e. someone who works on those machines). Done properly, even sniffing the entire network around it wouldn't do much and certainly wouldn't be able to affect older logons.
If the auth servers were just doing auth, and nothing else, and isolated, and had a single "auth" port exposed that ran a limited-scope protocol that only returns the bare minimum of data, the scope for attack is almost zero. And you literally lock them away and don't let anyone but your most trusted engineers touch them.
So it's quite obvious that all these places that do get hacked AREN'T running proper auth servers at all.
Even Steam, when it had credit card data stolen, the data was encrypted (so nothing ever came of the data leak) but... how did they get that? Why is that not stored on a completely isolated system? Why were they able to get historical records rather than only those flying over the live network (which is, I admit, harder to secure)? It means it wasn't isolated and secured.
Even CAs have had their root certificates compromised, and you'd expect that to be the most secure thing in the world. Literally, make them on an offline computer, generate and sign some other root certs that you actually use, and then switch that thing off and never turn it on again unless you need it.
But, in real life, despite all the posturing about security, none of this ever happens.
The curse of general-purpose operating systems, general-purpose computers and even - as could happen in real life if people took your suggestion - using VM hypervisors as the gateway between your data and the VMs running the outside services (nothing wrong with VMs themselves, so long as the entire server farm was completely isolated from all the others - personally, for an auth farm, I'd use physical servers only to reduce the attack area even more).