phew!
fucked em off when they demanded a legit mobile number....dunno if Google still accept snide ones?
Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, …
But Google also don't ever require a phone number:
Proof:
Your new email address is [email protected]
No number given (I just ignored that field). No previous email. Fake personal data. Incognito window.
Just made it just now.
Google accounts:
1. It depends on where you are on this planet, different rules, different places.
2. Don't create an account on a machine that already has an account or one where you have tried and failed previously.
3. If Google is already chasing you for a phone number, use another machine and IP address.
4. It's often best to use a new/clean machine every time.
5. If you are at the point that Google wants a phone number do not attempt to use the same email address that you attempted to use earlier, always do things anew.
6. After getting the phone number problem, I also found that leaving it for a few days and then using a colleague's machine (whose ISP and IP are different) together with a completely different/new username worked OK.
I'm in the UK.
I was on a school connection (so thousands of Google users, and all kinds) on the guest wifi (i.e. about as anonymous as you can get and the equivalent to doing it at a library or a cyber-cafe).
You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required.
And if you live in a country where Google require it, you have no Internet freedom anyway because Google only do it where they are made to do it.
But the premise that you need to give a phone number to get a Google account is nonsense - and you could use a proxy or public wifi to sign up for one in seconds. In fact, if that proxy or wifi is tied to ten thousand other Google accounts, it actually HELPS your anonymity if you wish to retain that, surely?
"You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required."
Quite - and whenever I've logged in on a computer (not often, but often enough for this to be noticeable) if I've seen the prompt to add my phone number, I've always skipped it. However, somewhere down the line I stopped seeing that prompt for my number - and I also noticed receiving text messages from Google reporting log-ins on a "new" device whenever I logged in on my computer (it's always "new" when cookies don't survive beyond the session).
I looked in my account settings and my number was there.
Probably picked up from my phone at some point.
I agree but then I thought about it from another perspective.
If you were hacked for data how would you know?
A. It starts appearing on the net.
B. You discover the breach yourself.
If A didn't happen (and if it did, we would have found out about this a lot sooner), then it's either people that want to keep it a secret and use it for themselves, which means it could in fact be state sponsored.
If B didn't happen straight away how is it that 2 years later they find out? That doesn't make any sense, why would you audit 2 year old logs?
I think they did. I have a Yahoo account for posting to a mailing list, and I changed passwords recently. There was nothing in the emails I got, but I had to change when I logged in recently to post something. There must be a lot of dormant accounts, and they must know it, but that huge total looks impressive.
I know other companies which pull that trick of never deleting an account, possibly to mask a falling customer base.
Apparently not. According to the "activity log" or whatever they call it my password was last changed over two years ago. Just changed it again, and I guess there was a point to not associating any personal info whatsoever with that account after all...
The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:
"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"
Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”
Sysadmin #2: “Ummm…”
...have launched programs to detect and notify users when a company strongly suspects that...
Sounds like a natural-language-processing program that listens in to the daily boss-level meeting and tries to detect "strong suspicion". Once matching criterion 0.95 is reached, it automatically fires off mails!
To the best of my knowledge, a Yahoo account is all of the above anyway.
I know my old Geocities account that became a Yahoo account also logs me in over Yahoo Messenger (who uses that nowadays?!), Yahoo webmail, Yahoo groups, etc.
Yahoo accounts are therefore likely centralised and if you have the details of one, you have them all (I doubt there are 500m Messenger usages, or 500m Groups users, or 500m old Geocities users!). I haven't logged in via Yahoo Mail for several years (2009 by the inbox I just looked at), so it's stupid if my credentials are lying around only on Yahoo Mail, and incredibly unlikely that only a single Yahoo service was hacked.
It sounds like a central Yahoo database. But, nowadays, nobody uses any of that other junk and only Yahoo Mail is likely to be heard of, which is probably why the article says that.
"Sky use yahoo mail for their customers. What about that?"
Ah!
The penny now drops as to why, once in a blue moon, I get an occasional malware email that purports to come from my brother's ex. It doesn't come from her old Sky email address in full - but the left hand side of the address is hers. It's probably not an uncommon name, but when she signed up with Sky the person at the other end cocked up and spelt her name incorrectly - and that appears in the left hand side of these emails.
Just because a group of tech-savvy hacks in a developed country haven't used their Yahoo accounts for over a year doesn't mean that there aren't a lot of people using this service regularly. I have many African contacts for whom a Yahoo account (often french) is the only way to reliably contact them. These are often senior academics and government workers whose "work" email very often doesn't (work, that is).
There is more than half a world outside the US and western Europe that relies on the kind of technology and services you make fun of (that's why there is still a market in PCs despite their demise being regularly forecast in these pages). Whether this information breach is going to affect people significantly is hard to say (it was two years ago, after all), but it will concern a lot of real people who use their Yahoo accounts every day.
I use Yahoo. It supports IMAP so my phone/tablet can pick it up using a "real" mail program and not whatever GMail thinks it is. It is an address I can give out, without worrying too much if people are going to do idiotic things like group mail with my address (and all the others) in the To line.
I have a private email. Maybe ten people know the address. Accordingly, their messages to me get read quickly as I look there first/most often.
There is a point to having a third party deal with a mail service so people you don't necessarily want to hear from can attempt to contact you...
By the way, after this disclosure, what's Yahoo! going to be going for now? I'll put my offer on the table: a half-eaten pack of wasabi flavoured crisps. If you sell it to me quickly, I'll throw in some stale Lindt chocolates.
"Gmail has full imap support too."
Yes, and my "me" email address is a Gmail one; there's not much point in trying to hide from an online store you just bought something from who they need to ship it to. My Yahoo address is my "not me" email, for things that have no need or no business having any idea who I really am. Now, this may sound paranoid to you, but I don't find having both those accounts with a single provider such a great idea - hence Yahoo, the only _other_ free email provider I can still access via POP3 or IMAP.
I also use Yahoo with POP access; it is OK for spammy stuff but it suffers a lot more spam than Gmail seems to, with a significant upsurge in the last month or so. Maybe this explains a bit?
No phone number with mine, but every (rare) time I use the web login it pesters for one. However, if signing up now they demand one.
Gmail didn’t demand one at sign-up but the fskers blocked POP access when I went abroad for a trip and pestered for a phone number to unlock it, which it was simply not worth giving. Returned to operating again when back home.
Both are out to whore you.
Not sure what the beef is with spam (cue comments about pork). 99% of spam goes straight to the spam folder, leaving <10 messages a month in the inbox. I've been using Y! webmail for years, with uBlock Origin and the Yahoo Mail Hide Ad Panel plugin, and it works great for me. I considered switching around the time that Marissa's minions fucked around with it for a few months, but they have left it alone since then.
I've looked at other webmail offerings (don't want POP3 or IMAP) and I haven't seen anything better so far. YMMV, of course.
Hackers strongly believed to be state-sponsored
What does that even mean!
I strongly believe Hillary will take the mic soon, having strongly detected an unholy alliance of Pepe the Sadfrog and the ever elusive all-powerful P.U.T.I.N. organization to ravage the purple yodeling cowboy, a strong symbol of Yankee Americanism, so as to have his star-spangled arse transformed into Cordon Bleu.
This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database this summer.
Did you mean "corpses of the Yahoo! account database"?
Last Autumn I had the unpleasant experience of having to tell my boss to disregard an email from me as it contains a virus or some sort and was not sent by me.
It was, however, marked as coming from me, and sent to a large number of people. After scouring my machine to try to track down the addresses present in the mail (it was an odd assortment, mostly people I know but it wasn't any addressbook I could lay my hands upon). The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account. I was aware of this as I send myself messages when testing stuff like the phone/tablet settings are correct.
How would this information be available if the account had not been compromised? That's a question we ought to be asking here. So either Yahoo! has yet another leak, or the passwords are being cracked. I don't know why they didn't hit the addressbook. Too obvious, maybe? It's rather clever to target those addresses a person has actually sent messages to.
At any rate - perhaps their entire client database got lifted and they took two years to notice? Nice work. {slow handclap}
Most websites handle passwords wrong. Unless they are using a correct password hash with a random per-record salt, they can be cracked. If they are using any type of encryption or an unsalted hash, they might as well be plaintext.
So if a website you use is breached, consider everything (passwords, email, security questions, etc) you used there compromised.
No, the salt is just there to make the password guess-hash-compare attack impractical.
Not using salt:
1) Take list of known or possible passwords (use lists from previous breaches off the Internet)
2) Hash passwords in list, yielding a lookup table of hashes (rainbow table)
3) Check to see whether any of the hashes appear in the exfiltrated list of password hashes (bonus: you can see whether two entries use the same password directly, as their hashes are identical)
+) Bonus points, if the hash algorithm used is "fast" or can be done in hardware (like MD5 can) then you can do brute-force too, but today these are eminently practical. Special hash algorithms that are unfeasible for brute-force attacks exist, so service providers should use these.
Using salt (which is stored generally right next to the hash and is thus not a secret), you can only do +) as every password becomes unique as it is effectively extended by the "salt" string.
Won't they just steal the salt, too, which MUST exist somewhere for them to be able to salt your entries? In which case, we're basically screwed no matter what?
Stealing the salt isn't really a problem; it's there to prevent collision attacks. That means your attacker cannot use a rainbow table because he needs a password/salt combination that not only hashes to the right value, but also starts with the salt specified.
Vic.
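The exchange above walks through the unsalted lookup-table attack and why a per-record salt reduces the attacker to per-user guessing. The following is that comparison carried out in code, as an added example that is not part of the thread or any poster's code. The accounts, passwords and wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 stands in for the "special" slow hash the poster says providers should use.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): three accounts, two of
# which chose the same weak password.
USERS = {"alice": "sunshine1", "bob": "letmein", "carol": "sunshine1"}
# Constructed stand-in for a wordlist taken from an earlier breach.
WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty"]

ITERATIONS = 10_000  # kept small so the demo runs quickly; production uses far more


def unsalted_store(users):
    """The weak scheme from the thread: one fast, unsalted hash per password."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, iterations=ITERATIONS):
    """Per-record random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt is
    stored in the clear beside the digest, exactly as the thread describes."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, digest)
    return store


def lookup_table_attack(store, wordlist):
    """Steps 1-3 from the thread: hash the wordlist once, then match every
    leaked hash against that table. Returns (recovered passwords, hashes computed).
    The cost is one hash per wordlist entry regardless of how many users leaked."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def identical_password_groups(store):
    """The bonus from step 3: identical unsalted hashes reveal shared passwords
    without cracking anything."""
    by_hash = {}
    for u, h in store.items():
        by_hash.setdefault(h, []).append(u)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def guess_salted(salted, wordlist, iterations=ITERATIONS):
    """Against salted records the attacker is reduced to the thread's step +):
    no shared table is possible, so every guess must be re-derived with each
    user's own salt. Returns (recovered passwords, KDF calls made)."""
    found, calls = {}, 0
    for u, (salt, digest) in salted.items():
        for w in wordlist:
            calls += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                found[u] = w
                break
    return found, calls


def verify_login(salted, user, candidate, iterations=ITERATIONS):
    """Defender side: re-derive with the stored salt and compare in constant
    time. An unknown user still pays for one KDF call so response timing does
    not reveal which usernames exist."""
    salt, digest = salted.get(user, (b"\0" * 16, b"\0" * 32))
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return user in salted and hmac.compare_digest(derived, digest)


if __name__ == "__main__":
    weak = unsalted_store(USERS)
    print("unsalted:", lookup_table_attack(weak, WORDLIST), identical_password_groups(weak))
    strong = salted_store(USERS)
    print("salted:  ", guess_salted(strong, WORDLIST))
```

Run as a script it shows the unsalted store falling to five hash computations and exposing that alice and carol share a password, while the salted store yields the same weak passwords only after a separate KDF run per user, with nothing in the stored digests revealing the shared password. The salt does not rescue a password that is in the wordlist; what it removes is the one-table-fits-all shortcut, and the slow KDF is what makes the remaining per-user work expensive.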
"The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account."
Had something like that happen with two old Yahoo accounts too - spam sent to contacts in my history. Fortunately I mostly used those to mail myself rather than others. When I checked the connection log in Yahoo it showed that the accounts had been accessed by some app, quite a while before the spam. The odd thing is, Yahoo normally warns you when the account is accessed from a new device or region, but didn't raise a warning in this case.
“Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users”
Who is it that believes this and what evidence have they produced that the hack was state-sponsored?
--
you are now connected to the wireless network “WANK”
"Who is it that believes this and what evidence have they produced that the hack was state-sponsored?"
State sponsored is the new black. I suspect we'll see this line trotted out more and more - especially for larger companies and/or Overpuddlian ones (or those who are particularly significant or important over there).
Consider how it appears to the man in the street when a company's security gets breached, and lots of customer data is nabbed:
- If it's a lone spotty oik who has discovered they've left a gaping hole in their system, and exploited it, the company looks like it's run by idiots.
- If it's claimed that it was a state sponsored attack, all of a sudden it sounds like lots of resources were used in getting past the company's defences, and it doesn't look quite so bad on them.
(We, of course, realise that even if it is "state sponsored" it's probably still thanks to a gaping hole, and the company are run by idiots.)
And there may be a TLA agenda that could be helped along by supposedly state sponsored breaches.
See also: Sony and the Norks.
Over here, TalkTalk are so utterly incompetent they didn't even think of it.
Might explain emails titled from xxxxx where xxxxx is someone I know which contain not much more than a link to a compromised website and an [email protected] signature.
At a glance they look like a friend sending a web link. The from address was the xxxxx@ the domain where the spam came from. Said friend told me he hadn't used the yahoo address in years.
Seems his Yahoo address book or email history got leaked and was being used to lure his contacts to compromised web sites.
I have had 3 such emails from 'him' now although the two later ones were only signed xxxxx.
@AC - Nope, just checked and the banner at the top says "BT Yahoo! Mail"
Nothing on the BT news site says anything about the Yahoo breach (quelle surprise) and I have had no email advising me whether I am affected. Obviously changed password anyway.
Feel very much like I am paying for my laziness in getting off BT email.
BT still use Yahoo. Migration away stopped 2 years ago, with nothing to explain why. So half of the users are still with Yahoo, with the other half hosted with Openwave messaging - who themselves have a serious issue.
The advice given to change password is simply not good enough in this case. The advice should be to change password AND change security questions and answers. This is because those security answers are required when users have forgotten their password. So hackers could still access the account by "forgetting" the password, answer the security questions and getting a changed password. This will then cut off the account holder.
So all the stuff should be changed.
What also isn't mentioned is if any contacts have also been stolen. If so all those people will and have got even more spam, some pretending to come from the compromised Yahoo account. This is actually happening, but sometimes the email comes "from" the hacked user, but with a different domain than Yahoo.
I contacted BT Support to ask them how the Yahoo breach affected their email service. I wish I could say the reply was convincing.
Me: What are the implications for BT email of the massive Yahoo data breach? Your site claims my account uses BT Mail, but your web mail page is titled "BT Yahoo", and it is served from a Yahoo domain: https://us-mg42.mail.yahoo.com.
BT: Hello. I'm <name redacted>. Thanks for that information, I'll check it and get back to you in a moment.
Me: Thank you
BT: Your e-mail would be powered by Yahoo, so you have to use Yahoo page to login.
Me: So what are the implications of the Yahoo data breach for me?
BT: There is no data breach using Yahoo page, as it is secured.
Me: The page may be secured, but Yahoo has just admitted they have been hacked. What is BT's position on this?
BT: There is no such update for BT e-mails.
BT: If there would be any we will update you through text
Me: What does that mean? Have BT Yahoo email accounts been hacked or not?
BT: No, they have been not. However, you can change your security question and answer, along with password for your e-mail.
Me: Thank you
As I was updating my security in Yahoo, it recommended I DISABLE the security questions as they are INSECURE. So I did, assuming I could come back later and change them. Wrong. The option to have security questions has now been disabled permanently. So the only reset option now is the alternate email address or a text to the phone. Puzzled.
Plus, I thought I might change my DOB to a different one, why give it away with my name & email address to future hackers? But Yahoo does not allow this. Is it permanently baked into your Yahoo account?
I've discovered that changing my @btinternet.com password generates a password change confirmation from [email protected] for the bt email address and states,
"You can always change your password by doing the following:
1. Sign in to your cobranded service
2. Go to your Member Center
3. Choose "Change Password""
My partner changed her @yahoo.co.uk password and got confirmation from [email protected], same domain. So BT Mail sounds like a white label service offered by yahoo and is very much at risk of being involved in the same hack, but I'm not an expert in such things and white label services could be segregated somehow but it's not worth taking a chance on my ignorance!
@AC "Yahoo had half a billion users ?"
If you count all the companies they run email for (at least Sky and BT here in the UK) then they might well run 500m *accounts*.
Naturally every account is assumed to be an active user because no one would have a redundant or dormant account.
"It was hot, the night we burned Yahoo. Out in the malls and plazas, moths were batting themselves to death against the neon, but in Bobby’s loft the only light came from a monitor screen and the green and red LEDs on the face of the matrix simulator. I knew every chip in Bobby’s simulator by heart; it..."
"But that was two years ago"
"Shut up and let me tell my story!"
As others observed elsewhere in the thread, claiming hacks must be "state sponsored" is the new black because obviously your security is so good that it could only have been cracked with the resources of a nation state.
And Yahoo!'s security can't *possibly* have been crappy enough to have been broken by regular, garden hackers from their bedrooms. No sir.
I'm sure not many people actually care about Yahoo email, but Yahoo also owns the popular Flickr photo-sharing site, and it is accessed with the same account! Hmm. Got to change my password there ASAP...
Aha, the Flickr sign in now even warns about it like this: Make sure your account is secure!
To secure your account, change your password and update your mobile number.
Everybody I know who had a Yahoo account got hacked in 2014/15; Yahoo kept claiming it was poor security at our end, and that nothing was wrong at their end.
Even then, the whole planet knew this was bullshit; my account had been unused for over 10 years, yet it was STILL hacked, NO WAY my password leaked, as I hadn't logged in since about 2004; hell, I couldn't even REMEMBER the password, it had been so long; if I could remember any of the details, I would close it, as it still faithfully forwards spam to one of my gmail accounts.
Use an online hosted email address or run your own server locally.
With the first you have a dedicated team of paid people to maintain the service, sell your data and lie to you and the second you may be on your own hoping the attacks on new exploits discovered while you are sleeping/on holiday are not used.
I can't help feeling there needs to be* a tiny mail proxy box that looks to the outside world like an email server but has extremely limited scope to data and zero access to address book or old email, that way you can get the email but a compromise doesn't give access to your stuff. The real email can be a separate box/VM with limited access times and much handshaking.
I hate putting servers (or even private NAS) online to make use of some service, anything on the net is a target, not just that service all of it.
*I assume it exists but await the name(s)
The trouble is that it's a dilemma. With the first, you MAY have a crack team running the place...or you could have a bunch of idiots who couldn't be asked to fix a breach on a weekend. With the second, when something happens, you can nip on down yourself and work on it...if you have the time and wherewithal to do it.
As for limiting scope, guess what's one of the hottest things in the exploit trade? Privilege escalation. With them, it doesn't matter how limited the entry point is, it becomes like the proverbial foot in the door: all they need to bust the pinata wide open no matter how hard you set things up. Use a VM? Red Pill. Separated machines? Gather credentials then traverse the intranet. Quite simply, if there's a door, someone can kick it down, and because physical presence is not required unlike your front door, everyone's going to come knocking eventually.
I frankly think this'll come to a head and start asking existential questions about the Internet: questions about whether or not we need to start over using a whole different model of statefulness and (dis)trust. Kinda like how open season eventually gives way to necessary regulation.
"Use an online hosted email address or run your own server locally."
There's a range of options. One is to use a small, specialist hoster. Unless it's the sort of thing you do for a living yourself they're going to be better at securing things themselves (see Charles 9's post above) and small enough to care - it's their livelihood.
The privilege escalation was part of my point: have something really simple at the gate so there are not two hundred libraries to secure. It does one thing: it buffers text files coming in and has no access to anything else most of the time. When you want to empty the buffer you open a link through a firewall to it, accept only specific email-type stuff, then send the clear flag.
Part of the reason escalation is worth using is that there will be routes to juicy stuff behind the first point of call; if the first point is really well stripped down and has no access further up the chain except in short, well controlled (AV filtered) windows, then it's less worth the hassle. Currently we are meant to hang Windows servers out for email, really like all that complexity to do what is basically move text files from one IP to another. Want to update the server? Without a mail fall-back you will bounce email, but have a small buffer in front and things still get saved.
I know comments like this are pointless because 99% of replies on public forums are "we don't do it like that", the people embracing ideas are off doing other stuff.
I can't help feeling there needs to be* a tiny mail proxy box that looks to the outside world like an email server but has extremely limited scope to data and zero access to address book or old email
That rapidly becomes a spam sewer. If it has no access to anything else, it must accept any email that passes cursory checking - i.e. you can't test against valid addresses, context rules, that sort of thing. Having accepted that mail, you then have to do something with it - so you either deliver spam to your users, or you bounce it. And that makes you a vector for a reflection attack...
Vic.
This seems like a perfect excuse these days: our valuable customers! We can protect you from teenage ninja hackers, but THAT is believed to be a work of a State-Sponsored Agency, and as you know, some World-Renowned Agencies can go to ANY lengths. We can not name them at this stage, nudge-nudge, wink-wink, but we're awfully sorry we couldn't protect your details as we promised, sorry! No, really, we ARE sorry, and now f... off!
I was surprised to find I had a Yahoo account - it looks like it went over when I registered for flickr years ago.
Logged in to find an inbox that was full of nothing but incredibly-obvious spam. So their spam filters suck for sure. Oh, and the page design... it was like a teenager's Myspace page... :(
1. Why are you all bitching about people who sign up for a freebie webmail account having to provide an actual phone number? Surely by doing so, that prevents spammers and scammers from creating countless accounts?
2. Why use a crappy free webmail service anyway? I pay $3.33 a month for a proper service, which includes 4 GB of email space, 8GB document storage and IMAP.
What's really frustrating is the inability to delete user accounts on sites. Generally, there's no way to delete your online account from a system.
Modaco were breached, and I was notified earlier this week from haveibeenpwned.
I've not logged-on/used their forums for a good few years so had forgotten about the account - again, there's no way to remove the account, (though they did state in an informational post that you could email them to ask them to delete it).
Local Freegle and Freecycle groups do a grand job of recycling a whole lot of unwanted kit, thus steering lots of items towards further use rather than landfill. Although not perfect, Yahoo Groups hosts them both and it would be a shame if this hacking were to put people off using them.
just over half of Vulture West staff have a Yahoo! account but [...] none of us have used it in the last year
Abandoned and disused accounts can still be valuable to hackers -- maybe more valuable than active ones, since no one is paying attention to them. They're chock full of contact lists, website registrations, bank alerts (you might not use Yahoo anymore, but probably still use the same bank), etc.
That dusty old Yahoo address might be the recovery email for your Gmail account. It might have new-account confirmation emails that contain passwords and security questions/answers that you've re-used on multiple sites. Or the sexy emails from that person you "met" at that trade show in 2012, but somehow forgot to mention to your spouse. The list could go on.
As has been mentioned above, some ISPs outsource their email to Yahoo. Cracking those hashed Yahoo passwords could get hackers into those users' ISP accounts, which contain real PII.
So don't be too smug, ex-Yahoo users. This could still bite you in the ass.
"names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted."
Hmm, my yahoo e-mail address is already in the public domain on account of me giving it to other people so that they can e-mail me. If you know my name (which is in my e-mail address), then getting my DOB isn't too difficult; but that was my bad, not Yahoo's
Are anybody's e-mail providers safe? Fact is, if you want to do anything online you need e-mail, and I think yahoo are as on the ball as anyone when it comes to security, so I'm staying with them.
Having seen this on the news I logged into yahoo.co.uk to change my password, to be told by the ever helpful Firefox that they don't have a valid certificate for https://uk.mg40.mail.yahoo.com. Fortunately I only use it to soak up junk mail from Facebook and Linkedin, so I guess it doesn't matter that much.
Didn't yahoo make everyone change their password in the past year?
I copied and pasted my old password into the New Password box and Yahoo email was quite happy to accept it. Wonderful security. My Yahoo account is 20 years old and while I don't use it much I do prefer their interface to that abortion Gmail uses.
Guess I really should change the password to something different, after all a password should not be 20 years old too. But then again, I only use that password on that site, in fact every site I logon to has a unique password. I'm old so I have an excuse to be stupid and lazy.
Apart from the huge list of "compliments" - including destroying a bunch of other working companies and giving its failure of a CEO the biggest bonus of her lifetime... Notice how this came to light AFTER the Verizon deal.
Naturally if it did come out before, V would have bought them for nothing more than 25 cents. And who wants a 25 cent company that pays 40 million $ to its CEO???
Ans: Verizon!! (you thought this was gonna be "Yahoo" didn't you :P)
Thing is, the deal wasn't CLOSED yet (the deal been declared but not tendered), so by doing this now they've practically torpedoed the deal, as Verizon IINM is still in a position to back out. Because both companies are public, the deal also has to be cleared by the SEC as well. Indeed, withholding the breach for as long as this could run afoul of disclosure and fiduciary duty laws.
At the risk of beating a dead horse, BT has posted this on their website,
"At BT, we take the security of our customers’ data and information extremely seriously.
You may have seen that overnight Yahoo! announced that a copy of certain user account information was stolen from its company’s network in late 2014. Yahoo! is the provider of some of BT’s customers email accounts and we are urgently investigating this with them.
If you were a BT Yahoo email account holder in 2014 and haven’t reset your password since then, as a precaution we advise that you change your passwords online and follow good password management practices."
So most likely BT's yahoo provided accounts are compromised too. I'm off to find someone else to host my email.