[OUCH] One Billion Yahoo Accounts Hacked
On December 14, 2016, Yahoo revealed that over one billion (with a “b”) of its users’ accounts had been hacked in August 2013 (yes, with a “3”). That’s in addition to another 500 million breached accounts that were discovered separately in September. You might have a Yahoo account and not even know it. What should you do? Read on...
What Exactly Was Hacked?
The good news is, this newly-revealed hack was a record-setter -- one BILLION accounts were affected. Oh wait, that was the bad news. The even worse news is that thieves got “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” according to Yahoo.
If you have a Yahoo account, change your password right now. Yahoo also advises users to change or disable the security questions and answers for Yahoo accounts. You should also change the password and security answers on any other accounts where you used the same login credentials.
In addition to changing your password, I recommend that you go one step further: delete your Yahoo account, and switch to another service for your webmail. I've used Gmail since 2004, and can recommend it as an excellent alternative. If you decide to stick with Yahoo, despite their utter lack of competence in the areas of security and privacy protection, at the very least you should turn on two-step verification.
Yahoo only became aware of this Guinness Book of Records class breach in recent months, when law enforcement agencies brought to the company a sample of user data that the agencies found on a hacker site. The company admits that it still can’t figure out how the thieves got in.
You may choose to ignore the Yahoo flap entirely, but that could be a mistake. You might be thinking "It’s been so long since I logged in to Yahoo that I can’t recall my username, so I can’t even get started on a password reset. And I really don’t care if years-old email has been stolen." But here's an important point to consider...
Do You Have a Yahoo Account?
You might have a Yahoo account and not know it. Flickr and Tumblr are two popular online services owned by Yahoo. And according to security expert Brian Krebs, "British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address." Krebs' article "My Yahoo Account Was Hacked! Now What?" goes into more technical details of the hack, and is a good read.
Why Yahoo's security questions were stored in unencrypted format is anyone’s guess, as is why Yahoo is still using the weak MD5 hashing technique that was cracked years ago. For all practical purposes, nothing the thieves got is protected effectively.
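To make the MD5 point concrete, here is an added Python example (not code from Yahoo or from the original article) that puts unsalted MD5 next to a salted, deliberately slow PBKDF2 hash and upgrades an old MD5 record the next time its owner logs in successfully. The record format, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
PREFIX = "pbkdf2_sha256"  # hypothetical tag marking an upgraded record


def legacy_md5(password: str) -> str:
    """Unsalted MD5: fast to compute, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash. Record layout: tag$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple:
    """Return (ok, record_to_store).

    A legacy MD5 record is replaced by a PBKDF2 record after a correct login;
    a failed login never changes what is stored.
    """
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"),
            bytes.fromhex(salt_hex), int(iterations),
        )
        return hmac.compare_digest(digest.hex(), digest_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else stored)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(legacy_md5(pw) == legacy_md5(pw))        # MD5: same record for every user
    print(hash_password(pw) == hash_password(pw))  # PBKDF2: differs per account
    print(verify_and_upgrade(pw, legacy_md5(pw)))  # legacy record gets upgraded
```

Because the upgrade happens only at login, accounts that never sign in again keep their MD5 record, which is one reason a forced password reset matters after a breach.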
But wait, there’s more! Yahoo’s “outside forensic experts” have discovered that someone has hacked Yahoo’s proprietary code to learn how it creates cookies. That allowed “the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” An unspecified number of users have been victims of such forged cookies, Yahoo admits.
It’s scandalous that Yahoo’s most critical asset - the code that is the gateway to all its other services - was vulnerable to hackers. It’s pitiful that the company required an outside forensics team; a firm Yahoo’s size should have sufficient security talent on its staff at all times. And who thought it was a good idea to let users bypass password protection with a cookie?
Even worse, the higher-ups at Yahoo didn't even tell their own security team about a hidden email monitoring program installed for the FBI. All of this is totally unacceptable. I definitely won’t be using anything that requires a Yahoo account, ever again. This company, or what’s left of it, cannot provide even the illusion of security.
Yahoo’s lack of transparency about data breaches is another reason I won’t go near Yahoo again. In a November SEC filing, the company admitted that its employees knew about the theft of 500 million users’ data in “late 2014,” but did not make that knowledge public for two years! The SEC filing also reveals that 23 consumer class action lawsuits have been filed as a result of that breach. Perhaps that record will be eclipsed by this new catastrophe.
Verizon may want to rethink its planned $4.83 billion purchase of Yahoo. At this time, I wouldn’t pay two cents for the company.
This article was posted by Bob Rankin on 19 Dec 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [OUCH] One Billion Yahoo Accounts Hacked (Posted: 19 Dec 2016)