[OUCH] One Billion Yahoo Accounts Hacked

Category: Security

On December 14, 2016, Yahoo revealed that more than one billion (with a "b") of its user accounts had been compromised in August 2013 (yes, with a "3"). That is on top of the separate breach of 500 million accounts that the company disclosed in September 2016. You might have a Yahoo account and not even know it. What should you do? Read on...

What Exactly Was Hacked?

The good news is, this newly-revealed hack was a record-setter -- one BILLION accounts were affected. Oh wait, that was the bad news. The even worse news is that thieves got “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” according to Yahoo.

If you have a Yahoo account, change your password right now. Yahoo also advises users to change or disable the security questions and answers on their Yahoo accounts. Then change the password and security answers on every other account where you reused the same email address and password: stolen credentials are routinely tried against other sites (credential stuffing), and a three-year-old Yahoo password that still opens your bank or your primary email is the real danger here.

In addition to changing your password, I recommend that you go one step further: delete your Yahoo account, and switch to another service for your webmail. I've used Gmail since 2004, and can recommend it as an excellent alternative. If you decide to stick with Yahoo, despite their utter lack of competence in the areas of security and privacy protection, at the very least you should turn on two-step verification.

Yahoo: Not quite evil enough

Yahoo only became aware of this Guinness Book of Records class breach in recent months, when law enforcement agencies brought to the company a sample of user data that the agencies found on a hacker site. The company admits that it still can’t figure out how the thieves got in.

You may choose to ignore the Yahoo flap entirely, but that could be a mistake. You might be thinking "It’s been so long since I logged in to Yahoo that I can’t recall my username, so I can’t even get started on a password reset. And I really don’t care if years-old email has been stolen." But here's an important point to consider...

Do You Have a Yahoo Account?

You might have a Yahoo account and not know it. Flickr and Tumblr are two popular online services owned by Yahoo. And according to security expert Brian Krebs, "British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address." Krebs' article My Yahoo Account Was Hacked! Now What? goes into more technical details of the hack, and is a good read.

Why Yahoo stored some security questions and answers unencrypted is anyone's guess, as is why it was still hashing passwords with MD5 in 2013. MD5 was never a suitable password hash: it is designed to be fast, so a GPU rig can test billions of guesses per second against a leaked table, and without a per-user salt every user who picked "password" ends up with the same hash, which a precomputed lookup table reverses instantly. Purpose-built slow hashes (bcrypt, scrypt, PBKDF2) had been standard practice for years by then. For all practical purposes, nothing the thieves got is protected effectively.
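To make the MD5 point concrete, here is an added illustration (not Yahoo's code) of how a leaked table of unsalted MD5 hashes is reversed with a single pass over a wordlist, beside a salted, iterated hash (PBKDF2) that defeats the shared lookup. The leaked table, the wordlist and the record format are constructed for this example.

```python
"""Why unsalted MD5 is not password protection, beside what a real password
hash looks like.  Added illustration, not Yahoo's code: the leaked table and
the wordlist are constructed for this example."""
import hashlib
import hmac
import os

# Constructed sample of a leaked table of unsalted MD5 password hashes.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob":   "e10adc3949ba59abbe56e057f20f883e",
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # identical to alice's: same password
    "dave":  "d0b7d1f3c1a0e2b2f4c6a8e9d1c3b5a7",  # constructed; not in the wordlist
}

# Constructed wordlist.  Real ones hold hundreds of millions of entries, and
# a GPU tests billions of MD5 candidates per second against a leaked table.
WORDLIST = ["letmein", "password", "qwerty", "123456", "yahoo2013"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(leaked: dict, wordlist: list) -> dict:
    """Hash each candidate once and look every user up against it.  Without a
    salt, one table reverses every user who chose the same password."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# A salted, iterated hash.  The per-user salt defeats the shared lookup table;
# the iteration count makes each guess cost tens of milliseconds, not nanoseconds.
ITERATIONS = 100_000


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Returns 'iterations$salt_hex$digest_hex' with a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute under the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    # {'alice': 'password', 'bob': '123456', 'carol': 'password'}
    first, second = pbkdf2_hash("password"), pbkdf2_hash("password")
    print(first != second, pbkdf2_verify("password", first), pbkdf2_verify("123456", first))
    # True True False: two users with the same password get different records
```

Note that dave's hash survives only because his password is not in this tiny wordlist; against a real wordlist and a GPU the unsalted table gives up almost everyone. The salted records, by contrast, force an attacker to run the slow function separately per user per guess.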

But wait, there’s more! Yahoo’s “outside forensic experts” found that someone had gained access to Yahoo’s proprietary source code and learned how it creates session cookies. That enabled “the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” An unspecified number of users were victims of such forged cookies, Yahoo admits.

It’s scandalous that Yahoo’s most critical asset, the code that is the gateway to all its other services, was exposed to intruders. It’s pitiful that the company needed an outside forensics team; a firm Yahoo’s size should have sufficient security talent on staff at all times. One point in fairness, though: letting a cookie stand in for the password is how every web login works. After you sign in, the server hands your browser a session cookie and accepts it as proof of identity until it expires, so you are not retyping the password on every click. What makes that safe is that only the server can create a valid cookie, normally because the cookie carries a signature under a secret key. Once the intruders had the code, and evidently whatever it needed to mint a cookie, they could produce valid cookies for any account they liked. The remedy is not to abandon cookies but to rotate the signing keys, invalidate every outstanding session, and keep those keys somewhere a source-code theft cannot reach.
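Here is what that looks like in practice, as an added illustration that is not Yahoo's code: a cookie that is nothing but an encoded user name and expiry, which anyone who learns the layout can forge, beside one carrying an HMAC under a server-side secret, which can only be forged by someone who also holds that secret. The secret, the user names and the cookie layout are assumptions made for the example.

```python
"""Session cookies that stand in for a password.  Added illustration, not
Yahoo's code: the secret, the user names and the cookie layout are assumptions
made for this example."""
import base64
import binascii
import hashlib
import hmac
import time

# A constructed server-side secret.  Real deployments keep it out of the source
# tree (KMS, HSM, environment) precisely so that a source-code theft does not
# hand it over along with the minting logic.
SERVER_SECRET = b"assumed-server-secret-not-in-the-repo"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak: the cookie is only an encoded user name and expiry.  Anyone who
# learns the layout (say, by reading the code that creates it) can mint one.
def weak_mint(user: str, expires: int) -> str:
    return _b64(f"{user}|{expires}".encode())


def weak_check(cookie: str, now: int):
    """Returns the user the cookie vouches for, or None."""
    try:
        user, expires = _unb64(cookie).decode().split("|")
        exp = int(expires)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return user if exp > now else None


# --- Signed: the cookie carries an HMAC over its contents under the secret.
# Knowing the layout is no longer enough; forging requires the key.
def signed_mint(user: str, expires: int, key: bytes = SERVER_SECRET) -> str:
    payload = f"{user}|{expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def signed_check(cookie: str, now: int, key: bytes = SERVER_SECRET):
    """Returns the user the cookie vouches for, or None if the signature or the
    expiry does not check out.  compare_digest avoids a timing side channel."""
    try:
        p_b64, t_b64 = cookie.split(".")
        payload, tag = _unb64(p_b64), _unb64(t_b64)
        user, expires = payload.decode().split("|")
        exp = int(expires)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return user if exp > now else None


if __name__ == "__main__":
    now = int(time.time())
    later = now + 3600
    # Attacker who only learned the layout: forges a weak cookie, fails on a signed one.
    print(weak_check(weak_mint("victim", later), now))                        # victim
    print(signed_check(signed_mint("victim", later, key=b"guess"), now))      # None
    # Attacker who also obtained the server secret: the signed cookie is worthless too.
    print(signed_check(signed_mint("victim", later), now))                    # victim
    # Rotating the secret invalidates every cookie minted under the old one.
    print(signed_check(signed_mint("victim", later), now, key=b"rotated"))    # None
```

The last two lines are the situation the article describes and its fix: once an intruder holds both the minting code and the key, signatures buy nothing, and the only way to shut the forged cookies out is to change the key so that everything minted under the old one stops verifying.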

Even worse, the higher-ups at Yahoo didn't even tell their own security team about a hidden email monitoring program installed for the FBI. All of this is totally unacceptable. I definitely won’t be using anything that requires a Yahoo account, ever again. This company, or what’s left of it, cannot provide even the illusion of security.

Yahoo’s lack of transparency about data breaches is another reason I won’t go near Yahoo again. In a November SEC filing, the company admitted that its employees knew about the theft of 500 million users’ data in “late 2014,” but did not make that knowledge public for two years! The SEC filing also reveals that 23 consumer class action lawsuits have been filed as a result of that breach. Perhaps that record will be eclipsed by this new catastrophe.

Verizon may want to rethink its planned $4.83 billion purchase of Yahoo. At this time, I wouldn’t pay two cents for the company.

Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 19 Dec 2016



Most recent comments on "[OUCH] One Billion Yahoo Accounts Hacked"

(See all 24 comments for this article.)

Posted by:

Ray Mostell
19 Dec 2016

Thanks, Bob, for your always invaluable advice. I tried several times to change my Yahoo login but the service wasn't working. Will try again after reading this.

Stephanie, this is why we use Google:


Posted by:

Don MacDonald
19 Dec 2016

I tried to delete Yahoo account. It is impossible in my case. Every time I go into account I have to change password and get a new account key. I got as far as the Help page. To delete I had to use account key again which they said was invalid. Next step I had to copy about 8 numbers moving in a circle. That's the impossible part. I asked for an audio then they hid numbers in static sounds. I got the numbers and they invalidated my account key again. I gave up.

Posted by:

michael mclaughlin
19 Dec 2016

If you think about it...the chances of someone using your information are slim to none. 1 BILLION to choose from and they go after you. You can buy insurance from me and I will cover any damages. Plus in three years MOST people have changed their passwords. But don't let me stop people from overreacting and going paranoid with fear.

Posted by:

john silberman
19 Dec 2016

Those asking about rule 41. See Bob's article at http://askbobrankin.com/the_noose_around_privacy_is_tightening.html
Much easier to understand than the Cornell version.

Posted by:

Jonathan Baker
19 Dec 2016

After reading the article, I made several attempts to terminate my Yahoo account, the last one being successful. However, I then discovered that Yahoo will keep the account open for up to 3 months in order to prevent malicious activity [sic, sic and sick].

Don't think bad things can't happen to you. I was notified that my charge card was used to make two purchases at Target.com today, without my consent, totaling close to $1,800. Luckily, I had set myself up for notification to my cell phone for charges without my card being present, so that I was able to nip this in the bud with a call to my credit card people. Now I have to wait for a new card.

Posted by:

Lloyd Collins
19 Dec 2016

The news that the Yahoos did a Trump was not bad for me, since my logon info was unique to Yahoo, so I lost nothing.

Posted by:

19 Dec 2016

I have both Yahoo and Gmail accounts. I haven't yet gotten rid of the horribly slow Yahoo account because there are hundreds of old e-mails on there (such as conversations with my late mother and photos sent to me for my web site) that I want to save. Is there a simple way to either download those or forward them in bulk to my computer or my Gmail account? I only know how to send one at a time. Then, I could delete Yahoo which is all junk anyway.

Posted by:

19 Dec 2016

I deleted an account with Yahoo a couple of years ago and received an email indicating my account was breached. I'm trying to determine if it was this account that was supposed to be deleted or some other account and cannot find anyone at Yahoo to get a hold of. Is there an email address or phone number that I can contact Yahoo? I cannot find any phone number or email address and the email didn't give a phone number or email address I can use for further information.

Posted by:

Bob K
19 Dec 2016

You have a name like "Yahoo", and they don't have competent security people. Now, why am I not surprised?

Posted by:

Charles Schwab
19 Dec 2016

Thanks, Bob, for your thoughts on Yahoo email. My response, seeing I have a few Yahoo email accounts, is to change the passwords on each account and with a different one on each account, and to change the security questions. While other providers of free email may at this time have a better reputation than Yahoo, it may be that Yahoo will now become much more secure due to that public attention over this debacle.

Posted by:

Granville Alley
20 Dec 2016

You mean like they became more security minded after having 500 Million Accounts Hacked? What exactly are you smoking? It is apparently very powerful stuff.

Posted by:

Jillian S
20 Dec 2016

I've had my Yahoo account for 15 years. Yahoo (yes, I have also wondered about the name choice!) used to be more usable. I still like being able to change the background look. Yahoo Groups used to be marvelous...now they have just about died. Like Robyn, I have thousands of emails stored on Yahoo, even though I periodically try to tidy up. And like Mike McLaughlin, I sort of feel like if nothing awful happened in the past three and a half years, it probably won't. However, I guess I will just change my password and keep that Yahoo account for now. With all its faults, I actually like Yahoo just as much or more than my Hotmail, since MSN monkeyed around with Hotmail.

Posted by:

Donna Crane
20 Dec 2016

I tried to go to Yahoo and delete my account but I had just put Sticky Pass on and it had added every account ever used on my computer, including my deceased son's Yahoo account. Sticky Pass defaulted to my son's account and even when I would change it to my user name and password, when I clicked the button, Sticky Pass reverted it back to my son's name and then said the password was wrong. In frustration, I got signed into my son's account via having Yahoo send an email with security code to my email address which was the alternate for his account. Used that and figured out the horribly moving numbers and after two tries managed to delete my son's account. However, StickyPass still has his account listed and keeps defaulting to that so I can't sign into my Yahoo to delete it. I am not liking Sticky Pass at all, which I just bought using the special in your newsletter. It's too intrusive and I can't make it stop when I don't want to use it. Am in contact with StickyPass to try to resolve this problem, but I've already had to remove it from my Samsung Phone because it kept making me put in my Master Password at every new internet page, after I'd already signed in, and then started constantly crashing. Woe is me.

Posted by:

20 Dec 2016

For Robyn ... take a look at Mozilla Thunderbird. It may fit your requirements.

You can download all of your mail from Yahoo to your own computer.

Bob doesn't seem to have an article about it, but my other go-to guy, Leo Notenboom, does.


Posted by:

Rhonda Lea Fries
20 Dec 2016

Yahoo is hilarious.

I get repeated notices from Yahoo because I'm using "an outdated or less secure sign-in," i.e., Outlook 2016 with an app password.

Yahoo wants me to use its very own secure app for my mail.

I want Yahoo to get its act together.

Neither Yahoo nor I are likely to get what we want.

I have Yahoo's version of 2FA enabled, but I don't much care if the account is hacked. I have two or three advertising newsletters and one Yahoo group mailing that come to my Yahoo address. Indeed, the account does contain the minimum amount of personal information, but the privacy of that information is on the ship that sailed with Anthem, Home Depot, Target, and several other trustworthy--haha--sites that were breached in recent years.

My real mail goes elsewhere. I wouldn't entrust Yahoo with mail I care about if it were the last provider on the planet.

Posted by:

20 Dec 2016

That's why I always recommend using an email client to download all the emails, via POP3/IMAP (for example, using Thunderbird, like Jonathan said) with the setting to download and 'delete from server' all the messages. This applies even if you use Gmail, Outlook or any other service. And about this hack, I think all this is only a "chess move" to discredit and make the Yahoo brand fail, and when they said that Yahoo had an email monitoring system installed, it makes you believe or think Microsoft and Google are pure saints (and that they don't have the option to read your emails too). Wake up people, this "hack" or "leak" doesn't change anything for end-users. On the contrary, I think Yahoo made someone "upset" for something we don't know, and is now making the brand/company pay for that. And if you currently use Yahoo and want to close your account, don't desperately go to Gmail or Outlook, use another less known email provider. I don't believe a hack that happened 3 years ago goes public today without a reason. IMHO, this makes me love Yahoo even more.

Posted by:

Bob Greene
20 Dec 2016

Thanks for the latest disaster news from Yahoo!, especially the link to the Krebs report. The bad news about horrifically slack industry security simply keeps coming.

Of course, industry has no excuse, and easily can find good security consultants. Attribute much of its failure to a cynical corporate cost/benefit analysis customarily substituted for actual due diligence with customer data.

Perhaps, now, we understand the shout of "Yahoo!" came from both Yahoo! managers anticipating even greater dollar returns from their refusal to invest in tight security, and from hackers anticipating the same.

In regard to Yahoo! and AT&T, I closed my own BellSouth account long ago, about one year after it was engulfed and devoured by AT&T. In that brief interval, AT&T demonstrated it had bitten off more than it could chew, and customer integration into the AT&T system using Yahoo! was a precarious process, even when it worked.

* A year after leaving AT&T, on reviewing my old AT&T email files for pruning and file management, I found my old AT&T email boxes were still active! They continued active for about one year after that.

Posted by:

20 Dec 2016

On April 21, 2014 AOL announced it got hacked. At least 2% of all email accounts seem to have been affected. On September 10, 2014, Gmail announced that at least 5 million of its accounts were hacked. And so on, and so on... It is common to hear these announcements, and people cancel their accounts here and there thinking that will solve the problem.

First of all, your account is never canceled, but deactivated, which means your data is still in their database. And hackers can still access it if they want to.

Second, the more you switch from one email to the other, the more you expose your information out there, making it more available for hackers to find you.

Third, if it's not a hacker from another country, it's the companies themselves hacking each other to discredit their competitors.

The only thing to do is follow these steps if you think you're a victim of identity theft.


Posted by:

21 Dec 2016

Bob, _if_ you ever do a series of on-line videos (a la Leo Notenboom), please, please, please remember us deaf/hard of hearing folks and use captioning. My eyes 'hear' just fine, but my ears don't 'see' too well. Thanks very much for all that you do.

Posted by:

Bertram Lowi
22 Dec 2016

Thanks for the heads-up, Bob. Have let Yahoo linger as a stand-by web-link resource out of sheer laziness but your horror story prompted me to give it an unceremonious heave-ho. Even as I did, I got a lock-up scare message to call some "microsoft" help number. The only way out was to ignore the "Do NOT shut down your computer" warning and shut down. Adios Yahoo.



Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- [OUCH] One Billion Yahoo Accounts Hacked (Posted: 19 Dec 2016)
Source: http://askbobrankin.com/ouch_one_billion_yahoo_accounts_hacked.html