Slashdot Mirror
Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com)
Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report:The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter wrote. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Roy Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing to senate staffers on its incident response and how it intends to protect affected users.
Sources say nothing of value was lost, as the breach only impacts people who still use Yahoo.
They could start forcing password resets like ebay did.
That would be a start.
Minimum threshold fixed. Thanks!
The Senate has no authority over Yahoo. Why does the Senate care how long it takes to report a data breach?
If they want, they can write a law and grant that authority to an agency.
What exactly are they going to do besides hem and haw at this? Maybe force a hit to yahoo's stock by bad press? No one that should be punished for this will be, and I heavily doubt any laws will come out of it to actually protect the people rather than corporate interests.
With respect to the proposed sale of the company, it was out-and-out fraud.
But, in the good old U S of Kleptocracy, crooked CEOs don't get prosecuted, let alone convicted.
The ruination of Yahoo is going along pretty smoothly.
I asked the same question.....
Although my Y! account hasn't been in use for years and that would pose zero threat to me... I still asked the same question when I heard about the breach.... Why would such a large corporation do such a stupid thing? Now that they've been able to keep it under secrecy for two years, why announce it now?
Did Marissa think enforcing the password change now will some how fix something? The hackers had two years to go through every single piece of data... It doesn't matter if they enforce a password change now... the only difference this makes is that the entire upper management and the board look so stupid that after Y! goes bankrupt, none of them will ever get a management job anywhere else!!!
It took them 2 years to report the breach because they were using the Yahoo search engine to try and find the appropriate people to report the breach to.
"That's the way to do it" - Punch
I feel so sorry for John Doe who lives at 123 Main Street in Anytown USA. His life is probably being turned upside down.
Since Yahoo! didn't build that, Elizabeth Warren and the other advanced senators should just whip up their version of Yahoo!.
Also, they will be able to use the diversity of Senator Warren's rich and VERY REAL ancestry to make it happen. Harvard understood this and so should everyone else.
People will be jumping over each other to use gov Yahoo! just like healthcare.gov.
As it seems to be perfectly legit in the US for companies to sell data on their servers to anyone that wants to pay money for it, why are they now in trouble? They got robbed, why blame them?
If this slow reporting leads to a quicker death of Yahoo, I'm all for it.
It's stupid to expect companies to do what is right and ethical. This is why we have so many laws that mandate businesses do certain things. If they aren't legally required to do it and it won't make them money, they aren't going to do it until it becomes a problem for them.
Anons need not reply. Questions end with a question mark.
This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,
No, it was actually one of the first really big breaches considering it happened two years ago rather than last week.
-=This sig has nothing to do with my comment. Move along now=-
So if they do notify users, then what? Say I have emails from Amazon, cc information, resumes in mail, tons of information stored at yahoo, now what? What good does it do alerting me, other than, change my Yahoo password.
Six senior senators who should swallow a sack of shit.
I'm having trouble finding specific timelines for this, but from the sounds of it the breach began two years ago and they only recently discovered and disclosed it.
So these esteemed *barf* senators are upset that it took so long to notice the breach? Were they that upset when it was discovered the the government run OPM database had been compromised for YEARS?
Political grandstanding by a bunch of useless dipshits.
Did Yahoo! intend for the breach to happen?
I've learned from the FBI that no crime, or prosecutable one anyways, can happen unless you can prove intent. This is especially true for computer security. Even if there was intent, Yahoo! can just delete the evidence and say they turned over everything because deleting evidence after a subpoena is also not prosecutable either.
Not sure what the issue here is, unless intent can be proven.
"This is unacceptable"
But bank and auto-maker bailouts, government spying, and civil asset forfeiture are totally acceptable.
Dear Senators,
Yahoo is a privately owned business, it is not government, it is not beholden to you, it does not answer to you. Take your upcoming arbitrary multimillion dollar fine, that you will all gorge yourselves on like pigs at a trough, and shove it in your collective asses.
Fuck you very much,
Yahoo.
They will hold a senate investigation into the matter, which anyone in the right mind should be terrified of. They will start issuing subpoenas to people in charge at Yahoo, and start asking them questions on national t.v., (which will likely be embarrassing and detrimental to Yahoo's stock price and reputation). Provided that nobody tries to cover anything up (Federal prison time for lying under oath to a senate investigation), the company might get off with a reprimand, provided that there aren't any laws that were discovered to have been broken. But Senators aren't going to sign up for this investigation to NOT prosecute people for covering this up, so they will be out for blood. There is a good chance that something will have been done wrong, and some larges fines will be implemented.
I predict that there will be a number of c-level and VP early 'retirements', when yahoo's board of directors boots people for putting them in the spotlight like that. Following the investigation, expect a few new federal hacking disclosure laws to hit the books next year. This will probably not go well for Yahoo, short their stock now.
HA! I just wasted some of your bandwidth with a frivolous sig!
These senators have no clue how computers work. They probably think it's something akin to someone breaking a hole in a wall and stealing data for a long time, and that no security was hired.
With the large amount of servers Yahoo has, and the constant issues at their top level, they probably don't bother to keep up to date with security as much as they should. But anyone pulling off a data breach has usually been pretty crafty to get in, so chances are they're not going to leave much of a trace.
And that's what senators don't understand, because they refuse to learn about the technology they keep trying to pass laws on.
It's only a matter of time before we rip out the internet as we know it and migrate to version 2.0.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
That means millions of Americans' data may have been compromised for two years.
Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for the end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.
This isn't to absolve Yahoo! of its wrongdoing. It certainly should have been more diligent in disclosure. But to me, the differences are pretty clear. You could never have done business with Yahoo! and while it sucks a lot for the people harmed, you can not do business with Yahoo! in the future as well. Once the data's out there, the harm's pretty much been done. There's not a lot that anybody can do regardless of being notified or not. They can change their passwords and hope the effort is too much to make them interesting.
The NSA, on the other hand... you can't avoid "doing business" with them in the past or in the future, the data's been sucked up for decades (and this is going to start causing some serious shadow problems within the next 15-30 years as the previous generation(s) of lawmakers, law enforcers, and law upholders dies off - information never stopped being power and that means that the NSA has significant leverage on anyone and everyone), and no amount of anything you can personally do except go find a remote forest and forage out of it is going to protect you.
This idea that the government is going to save us from anything by forcing a company to be a bit swifter on the uptake is repugnant.
Yahoo can and should take fiscal responsibility for any users who suffered financial hardship as a result of not being informed their details have been out in the wild for over two years, I guess in addition to any international governments who have had to pay insurance on stolen funds etc.
Yahoo gives lots of money to the Democrat party. My prediction? This will be a complete farce with nothing of consequence coming from it. But Franken, et al will get tons of mileage from it by appearing to go after "big business". Nothing to see here. Thanks for playing.
They say the hack occured in late 2014 but I noticed that something very wrong happened with their YMessenger service at least since March. I was using pidgin and at some point between February and March pidgin refused to work. I traced the problem to gnutls for wich there was some vulnerability announced at the time. I gave up later after some printf debugging but left wondering why an older version of gnutls was working while newer, patched versions did not. I might be wrong but to me it seems like either sabotage or an inside job.