Yahoo: information on at least 500 million accounts stolen
Yahoo released an important message about Yahoo User Security on the official company blog a moment ago confirming that information on at least 500 million Yahoo accounts was stolen in late 2014.
The company believes that a state-sponsored actor is behind the attack. According to the blog post, names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers were stolen.
Yahoo states that there is no evidence currently that unprotected passwords, payment card data, bank account information or other financial information were among the stolen data.
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo plans to inform affected users starting doing. The message that the company plans to send out may differ from region to region. You can check the U.S. message here (PDF document).
The email includes information on what happened, what information was involved, what Yahoo is doing, and what individual users can do about it.
Yahoo will ask users that are affected to change their passwords and add alternate means of account verification to the account. The company has invalidated any unencrypted security questions and answers, and recommends that users who have not changed their Yahoo passwords since 2014 to do so immediately.
To change the Yahoo password, do the following:
- Load the Yahoo Account page.
- Click Account Security, and then on change password.
- Enter and confirm your new password.
- Click on continue, and then on continue again to complete the process.
Yahoo asks users furthermore to change account passwords and security questions/answers for any other account that has been associated with the Yahoo account, or where the same email address and password were used.
Yahoo users should expect to get spam communications and emails that may be personalized.
One option to strengthen the security of the Yahoo account is to use Yahoo Account Key. This is an authentication tool that is integrated into the Yahoo application for Android and iOS, and available for set up from a web browser as well.
Additional information about Yahoo Account Access are available here.
Closing Words
It is rather frightening that information about year-old hacks that dumped millions of user account information come to light years later only, if at all.
It is clear that anyone with access to the data had years to exploit the information and decrypt passwords. While it makes sense for Yahoo to inform users now that they need to change passwords on Yahoo and on third-party sites if username and password was shared, it may very well be too late for a lot of accounts.
Now You: Are you affected by the security breach?
I am sure there will be more of “use 2FA, keys, etc.” stories but the reality is world needs something better than passwords, like the occasional stories about password alternatives Google and others are working on. Info and passwords are stolen and we hear about them years later.
There is already an easy and elegant solution to the problem IMO: local storage of encryption keys on your own computer, rather than storage on the company servers. This makes it impossible for thieves to obtain massive numbers of usable passwords from a single hack attempt.
Some companies have already gone down this path, but sadly none of the major players do it. I would recommend services like Protonmail for email. It’s still not “perfect”, but it should be infinitely safer than the Google/Apple/Yahoo/Microsoft alternatives.
Very interesting timing on this announcement. On July 29 of this year I was prompted to change my Yahoo password as they had (recently?) increased the password strength requirements – longer, mixed number / letter, very strict dictionary checking.
Today’s login page has links to ‘account security issue’ but they are being hammered and thus unresponsive.
Previously being a customer of Yahoo! for their email product, here is my experience:
I found it very buggy, so I was frequently in contact with their support techs. They were often immature and unprofessional. They made it clear that they could see the contents of my inbox. I sent a letter to the CEO of Yahoo regarding this issue, but never received any reply.
Once I realized that their support techs could gain access to my account without my consent, I realized that Yahoo didn’t take security seriously.
I left them and switched to Google. I found Google’s solution to security to be ridiculous and unworkable. Even with my password and username, it repeatedly locked me out. I looked up this issue online, and found that it is a common problem. Of course, I could give Google my phone number for 2FA, but you have to be crazy to give Google your phone number. So I left them as well.
Fortunately, the postal worker does not require passwords, does not open my letters, does not need my phone number, does not need my date of birth, does not need any security questions, and does not even need my name in order to deliver the mail. Funny how, once again, sending a physical letter has become a better choice than email.
It’s amazing with all the billions of dollars invested in overhyped high-tech companies like Yahoo and Google that they can’t get their systems to be as secure and non-invasive as the postal service.
I don’t think it’s crazy to give Google your phone number – if you have any friends or relatives using Android and you have a mobile phone yourself, they probably already have it. As well as your wi-fi password. ;-)
(Also, WhatsApp, Viber and Facebook probably already know it too.)
Haven’t you heard? Friends don’t let friends use Google. :)
@Chris: Friends help you move house. “REAL friends” help you move bodies :)
@Chris stated “Fortunately, the postal worker does not require passwords, does not open my letters”
Not if you live near Los Angeles: http://www.latimes.com/local/lanow/la-me-ln-usps-mail-theft-20160827-snap-story.html
Over the last several years I’ve reported missing bills and payments to the joke that USPS calls ‘customer service’, to no avail. They won’t even own up as to why outside drop boxes in several nearby cities (including mine in LA county) have been removed.
Agree with a previous poster, use a professional third party email service that you will have to pay a modest amount for. Also search around for a credit union that lets you transfer payments for bill paying Free of charge – some charge a ridiculous fee.
To give your phone number is very crazy! Stupid.
Really? So those things called phone books (paper or online) are filled with crazy stupid people? That’s basically what you are saying. What about your address too? Like when you look up on say Whitepages.com, and you can view a person’s address, age, phone, etc.? Are you not listed anywhere? Do you live in a cave? How did you write your comment? On someone else’s computer/account? If not you can be found! Oh noes!!! :-)
An increasing number of people are starting to reserve their private information for those in whom they have full confidence. No later than yesterday I heard someone say, when giving his phone number “It’s called do not share” (paraphrasing “It’s called return” (in French “Ca s’appelle revient”), far from public indecency and stupidity when it comes to laying privacy with a total lack of responsibility, mainly on “social sites”. Phone books? Many users subscribe to the “red list” in order mainly to avoid phoned steps. People are getting fed up, it’s not paranoia (these people have normal social lives) but the conscious of a cause to consequence relationship.
So, yes, I agree with fena, at least I agree with being careful with whom you share your privacy, in particular phone numbers and snail, postal addresses. Use Disposable Email Addresses on the Web and keep a few for people you meet in parties … share with strangers what may be removed. Share with friends, life, true life, smiles and laughs. Two different worlds, unfortunately. Thanks who? Big Business which has trespassed the fundamentals of respect and consideration : they are breaking a system.
Wrong analogy Bobby, phone books don’t know everything else about you PLUS your phone number — only your phone number and name, and only if you allow your operator to make that information public.
I finally want the heck out of Yahoo!…
(they are a mess…).
Q:
Any way to export ALL my existing emails
and Contacts
FROM: YAHOO (free acct.),
TO: either –
a) my (free) Gmail acct
-AND / OR-
b) my Desktop PC as a file?
(explained in baby-steps, please…).
note:
– my PC: Ubuntu Linux 12.04 32 bits.
– I have nearly a 1000 old Yahoo emails
to move/export out of Yahoo…
There’s got to be a simple, easy solution.
Thanks!
http://www.scrubly.com/blog/how-to-gmail/how-to-painlessly-switch-from-yahoo-mail-to-gmail/
THANK YOU, @FURUHATA!
Transfer worked perfectly…
After about 2 days,
all my emails were transferred over to Gmail.
Ready to close
my old Yahoo acct.forever!.
+ this just in from CNET:
“Yahoo already hit with lawsuits over hack”.
https://www.cnet.com/news/yahoo-already-hit-with-lawsuits-over-massive-hack-seeking-class-action/#ftag=CAD590a51e
short URL: https://goo.gl/OY3kYn
Bye Yahoo!!
While I doubt that my cryptographically generated passphrase, saved by Yahoo using a bcrypt hash, may never be compromised, I will still change my password out of an abundance of caution. Question though, will I be forced to activate 2FA? I hope not. I refuse to use any 2FA in any of my accounts across all internet companies.
A (pseudo) randomly generated passphrase is good enough security as long as the site does not save the password in plain text. It is heartening to know, at least, that Yahoo saves the password hash using bcrypt. It sucks that the security questions may have been saved as plain text. I guess I’ll have to change all of it.
Dan, Yahoo will not let you change your security questions (or answers), to my knowledge. They will only let you delete all of them, without the option to create new ones. It’s a horrible system. If I’m in error, please correct.
I think Yahoo is supposed to advise you if your security questions were compromised, but from what I’ve heard, they are specifically not doing that. It’s a mess.
Yahoo will likely want you to give them your phone number as a type of 2FA. If you don’t, they will probably badger you for it at each login, indefinitely.
Google does something even more crappy if you don’t disclose your phone number to them. If Google decides you are not you, even though you know your username and password, they may simply lock you out of your account with no reasonable way to get back in.
Yeah, I deleted my security questions. My security questions were chosen at random and the answers are unrelated to the question, like:
What is your first pet’s name?
mdJPaUjT8KASDWLZ
Sometimes the security answers are more secure than my passwords!
But alas, people actually give truthful answers to security questions, which a simeple google or facebook search would be able to reveal. So I can understand why it had to be disabled.
I also gave them my phone number so that they won’t bother me anymore. At least it’s just for account retrieval if suddenly I got amnesia (or lost access to my regularly backed-up keepass database); and I don’t have to use 2FA.
@Dan – I do the same thing. For accounts where I have no control over the questions (like what is your mothers maiden name), I just stick in gibberish as my answer – usually password generated strings like yours (everything is in KeePass). For sites where I do have control over the question, I ask myself things like “What soccer team did you play for in your first year at University?” and regardless of the answer, I have never actually played in a soccer team. Just my little trick to mess with social engineering. It reminds of all the weird OTR question/answer fingerprinting setups over the years. Man.. some of them were hilarious, well to me and the other person involved.
Yahoo’s information about two-step verification is out-of-date. It says that services like Outlook don’t support two-step verification while it actually does. I have it enabled and use it all the time when I log into a new browser.
If it hadn’t been a hacker trying to sell 200 million of these 500 million breached Yahoo accounts (for $2000 : like gold at the price of chocolate) the 2014 looting wouldn’t have been acknowledged? Information is really a very particular good, you can steal it without removing it physically, hence unless the thief leaves breaking in traces a robbery can remain unknown for… ages? Therefor who can tell if other accounts, wherever, haven’t as well been breached without anyone knowing it?
Of course other sites have been breached. Some will be unaware, others downplay the numbers, and others won’t disclose it – why ruin your brand name.
On the upside.. my rainbow tables have never look so good…
Since we have all our time — you, Pants I don’t know but me, today, definitely — can I ask you to translate “rainbow tables”, that is if understanding the translation itself doesn’t require a computing doctorate :)
https://en.wikipedia.org/wiki/Rainbow_tables
Just because you can say rainbow table doesn’t mean it’s any useful. What hash algos does your tables have? Up to how many hash iterations per algo?
Plus, rainbow tables are useless given the increasing use of salts.
Sorry script kiddy, but informed people are not impressed.
@Dan .. it was said tongue in cheek (I can’t think of the word right now, maybe anti-pathos – where in comedy you have serious, serious, and then utterly ridiculous .. and in this case also gloom gloom gloom and then something good). It’s a line I have used rarely in the past, very rarely – it clearly had more relevance back then. You are indeed correct – of course tech is constantly changing, so what was once useful may now not be quite so useful or even feasible. I have very little useful knowledge on encryption, and have never claimed to. I have no rainbow tables :) Next time, I’ll use a /s to make it a little clearer, Sorry for coming across like an ignorant twat (I may be, but that was not the intention).
I have a yahoo account only because it was my first e-mail addrress created, in 2002 or so, and there are people who only know that one. (Un)fortunately I could not use the same login on other sites as it was already taken, but yeah, I’ll change the Yahoo password just to be sure, even though I changed it last year I think for other reason.
@Chris: “Fortunately, the postal worker… does not open my letters, does not need my phone number, does not need my date of birth…. ”
______________________________________________
[“U.S. Postal Service Logging All Mail for Law Enforcement”]
(New York Times, JULY 3, 2013)
As the world focuses on the high-tech spying of the NSA… the seemingly low-tech but prevalent snooping of the United States Postal Service escapes notice.
The longtime USPS surveillance system called “Mail Covers” grew into a vastly more expansive effort– the “Mail Isolation Control and Tracking Program”, in which Postal Service computers photograph the full exterior of EVERY piece of paper mail processed in the United States — and maintains that database indefinitely. Mail addresses/Return-addresses are easily correlated with other government databases to fully identify/profile most mail users. U.S. postal mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail.
{reading the contents of ordinary paper mail, undetected, is a simple physical task for modern U.S. government technology, but cannot yet be done on the mass scale of email/phone snooping}
Damned!
Last resort : Pigeon post
…
Truly amazing, Mesner. I never would have imagined what your quote states.
This is definitely a mad, mad, mad world.
If you want to have fun send a snail mail to Bill Clinton with return-address named Monica Lewinsky.
@Tom Hawack:
really funny! :-)
@ Tom Hawack
Not funny at all!
@Billy, honey, now come on, a little smile for your Monica?!
@Pants
Ok. Sarcasm is indeed hard to determine online. But I have met serious people who made similar claims and you know they’re bullshitting. Rainbow tables were useful five years ago when developers merely used a few iterations of md5 to protect their users’ passwords, but now most are using salts.
I still think my passwords will be impossible to crack even if they have my password hash. I mean, it may look like this:
$2a$04$AXO6RMTkbG62kG4ZV69Wy.NwTfAfGhtQcmNnT5utTte92qRm3LQ.S
How in the world will they reverse that without spending millions of dollars on brute force attacks? I am not that special, and so are most people. At best, they’ll be able to crack the low-hanging fruits, those that still on using stupid passwords like password, monkey, and qwertyuiop. But if your password is mdJPaUjT8KASDWLZ, I bet there is no faster attack that brute force, and such passwords are not found in rainbow tables.
Thanks Dan :) I appreciate your insight and comments here. I’ve read some long long articles in the last few years about brute force attacks – about three or four in depth ones at ArsTechnica, and in reality, they’re mild, but still semi-confusing. I love that kind of stuff. I do know a little about it, and it’s very interesting. I thought around 15 years ago that this is the field I would get into – encryption. But I’m not cut out for it. I take my hat off to the mathematicians and security experts and everyone doing it, because it’s hard, and complex. It’s shame it takes massive data breaches and Ed Snowden like whistleblowing for things such as salting and encryption to become more mainstream.
PS: I once decoded a PGP signature from Tom Hawack as a gif, and it was an image of a nude redhead. True story :)
I’ll pose a NCND (neither confirm nor deny) :=)
I bet it was someone that lost their password and could not get in. They just hacked into Yahoo to get it. I mean its been almost 2 years! I am sure if there was some security issue it would be a problem by now from the hack.
I’m yet to find a free and proper email service provider that can be used casually with technically illiterate people and doesn’t sound stupid. (e.g. not [email protected])
You just can’t trust emails at all. It’s not feasible to go all Snowden and ask your correspondents to use something else than their current email to communicate with you, so you’re mostly stuck as a data cow for Microsoft and Google and Yahoo and anyone able to steal from them.
They push hard for HTTPS, but they’re way behind on mass security and secrecy of email communication.
*shrugs and moves along*
ProtonMail seems to be the current best solution.
It doesn’t provide Forward Secrecy for emails though, but I don’t think there’s any service that has it implemented currently. Anyone knows of one ?
What’s wrong with the other ones, or even Yahoo? If you used a strong password, chances are you will not be affected. Your email and name may have been compromised, but I hope you didn’t use your real name when registering for webmail, and most spammers now use automatically generated usernames and spam until they get the suckers to bite.
I used Lavabit before it was taken down by the Feebs. I even had onionmail before the Feebs took that down too. I have a riseup email address now. But for 99% of my correspondence, I still prefer to use plain old email from the biggies (Gmail, Yahoo, MS). As long as you know the limits of email security and privacy, those platforms are good enough.
There’s SMIME or GPG if you want content privacy. I don’t know how forward secrecy could work with traditional email security protocols. You can use bitmessage but I find it too cumbersome and slow. OTR is more of a messaging app.
Have you tried a recent bitmessage release (0.6.1) ?
There is nothing wrong with giving someone access to everyone’s identity, personal life, business secrets and bank account numbers if they can be trusted. But nothing can be mass-trusted, no matter what you do as long as there is access there is abuse. Seeing your comments I don’t think I need to elaborate here :)
The almost entire society is stuck with what the biggies provide them with, so they have public duty to propose easy end-to-end encryption. (Just like large web companies have a public duty to fix security issues, and many of them do.)
Facebook studied the mail encryption topic in 2014 along with forward secrecy for emails in transit: https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
Google started working on an end-to-end encryption browser extension the same year.
I don’t know if and how they followed through these past two years.
I think forward secrecy for stored emails requires modifying PGP or changing protocol altogether.
But with forward secrecy in transit only, and end-to-end encryption, perhaps it is enough for everything but seizure, theft or hacking of user devices. (In which case mass surveillance of emails is defeated, whether by private companies or governments)
I have enabled 2fa (text message) sent to a cell phone though so I’m safe.
@Peter Å ursa
I must admit I have not. I used 0.3.5 to 0.4.2, but abandoned it afterwards. I will try the latest release to see what’s new. Does that mean I have to generate another set of keys, cause it’s a newer blockchain? Now what will I do with my 0.3.x and 0.4.x keys? :)
0.6.1 still uses the same address version and encryption as 0.4.4, so the keys still work. The wire protocol supports opportunistic TLS and tor hidden services, however these are all optional and all is still backwards compatible and independent of the message encryption. There should be new features in the future which aren’t backwards compatible (forward/backward secrecy), and for those you’ll have to create new keys.
If you happen to be in Prague next weekend at https://hcpp.cz/, you can check out my presentation about Bitmessage and have a chat.
Just wanted to share a funny thing about hacks/fraud and Ghacks. I am subscribed to comments, and was wondering why I wasn’t getting any emails (yes I made sure Notify me was checked), so I checked my Junk folder (using Outlook web), and they were all in there. When I opened one a red warning label at the top says: “This sender failed our fraud detection checks and may not be who they appear to be.” Really? I came to this comment section manually, and found the same exact comments as in the email, so I wonder why Outlook thinks Ghacks is sending fraud emails.