Yahoo! Mail! users! change! your! passwords! NOW!

Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant – after a security breach exposed account login details to theft. The company said that it has reset the passwords on accounts connected to what it termed a "third-party database compromise" – that database …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Bet it was Sky. The email account security for them is the worst.

Having once worked for them, I had a customer who was complaining because when he logged into his account for the first time, he was forced to reset his password, and found 24,000 emails dating back several years. Which he had proceeded to delete.

He had been a Sky customer for 10 days.

He had actually accidentally hacked another user's account because they shared a name and taste in football teams.

He did not want to accept the fact that he had broken the law. He was also unhappy that some other person kept trying to change the password back again.

My forehead met the desk several times over that conversation before I passed the whole mess over to a manager to escalate to the appropriate people.

6
0
Bronze badge

He did not want to accept the fact that he had broken the law.

That's probably because based on the facts as you presented them he hadn't. There are no strict liability offences in the Computer Misuse Act so you have to establish mens rea (essentially deliberate intent) in order for it to be a crime. The scenario you describe falls far short of that.

9
0
Anonymous Coward

Oh well that's good. At least he wouldn't have had his evening ruined by a visit from the plods.

0
0

Re:

So far, it's all been BT customers that have been calling me

0
0

"users should never use the same password on multiple sites or services," said Yahoo!

Try telling that to your partner!

6
0
Silver badge
Facepalm

Re: users should never use the same password on multiple sites or services," said Yahoo!

Users should never use Yahoo for anything serious, says common internet knowledge.

10
1
Silver badge

Re: users should never use the same password on multiple sites or services," said Yahoo!

"Users should never use Yahoo for anything serious, says common internet knowledge."

Try telling that to your partner!

4
0
Silver badge

Re: users should never use the same password on multiple sites or services," said Yahoo!

Try telling that to anyone who has 40-50 passwords to manage.

3
0

Re: users should never use the same password on multiple sites or services," said Yahoo!

I think the magic technology you're missing out on is called a "Password Manager"...

1
0
Anonymous Coward

Re: users should never use the same password on multiple sites or services," said Yahoo!

At the very least, surely your email password should be unique? And probably your Paypal account too...

0
0

Re: users should never use the same password on multiple sites or services," said Yahoo!

You should use a password manager to remember most of those account passwords (with long randomly generated passwords), then you only have to remember the important ones (online banking, etc) and the password for the password manager.

0
0
Anonymous Coward

Re: users should never use the same password on multiple sites or services," said Yahoo!

The way I deal with passwords is to treat them like nouns that describe a new thing. Like say, my (non-existent) ¡¡¡Yahoo!!! account is associated in my mind with the (pass)word "J8&都帶ѕ"É//rť|¹çሰS❦27" (without quotes).

Simple really. The only problem is I can never remember if the 'ѕ' is a Latin or Cyrillic one.

2
0
Bronze badge

Re: users should never use the same password on multiple sites or services," said Yahoo!

"Users should never use Yahoo for anything serious, says common internet knowledge."

Try telling that to your partner!

Try having to tell it to your BOSS!

0
0
Bronze badge

Password complexity

Doesn't make much difference if someone else's server is hacked and the user data is ransacked, especially if it's left in plain text.

2
1

Re: Password complexity

And https://xkcd.com/936/

Enforcing rules to use 3 out of 4 (upper, lower, number, symbol) can be a real pain in the arse to people with very secure 20+ character passwords.

3
0
Silver badge

Re: Password complexity

Yes, I'm routinely forced to dumb down my passwords to accommodate the dimwits enforcing these kinds of rules. Worst thing is, there is no chance in hell of me remembering the resulting mess of mixed-case number-and-symbols-containing nightmare, so I have to write it down somewhere, making it all the more, erm, "secure". Not that it matters anyway, as any decent rig would crack it in roughly 12 seconds, due to these rules not being fit for secure password generation.

Not that anyone would want access to my Yahoo accounts of course: I give them away to spam-spaffing outfits exclusively. Interestingly, that includes the US' Customs and Border Protection (every once in a while you bump into a zealot deskjockey who insists the "email" field in these forms must be filled; invariably this is followed by a few hundred spam messages being sent to the addy over the next week. Not too bad, as spammers go, but you'd think the US government wouldn't sell their databases to penis enlargement pills outfits. And you'd be dead wrong).

3
0
Bronze badge

Re: Password complexity

The other problem with all these bloody passwords one has to manage is that the average phone keyboard is only marginally usable at best. Pressing extra alt and capital keys between numbers, letters and uppercase is a complete pain and hard to do accurately. Thank you Blackberry Torch with an onscreen keyboard incompatible with adult European male fingers -- or a tiny slide out one with a substantial ridge around it that makes number entry a contortion.

1
0
Silver badge

Re: Password complexity

I don't have a lot of trouble generating the passwords. Remembering them is a whole other story.

What I find more annoying is that some sites change the rules on what needs to be included, so the passwords with that level of complexity which I routinely generate don't always work. Because some silly site (Yahoo!) won't allow you to use symbols in your password. The worst is WebEx where they have about 4 symbols that are allowed. So the resulting password is always complete gibberish. Also annoying in this story is that the third party is not named. They should be. I only use my Yahoo account for things I expect to be spammed on, so it isn't overly important to me. I did use the same password on a throwaway FB account just so I could keep track of the FB account pw. I don't actually care about the accounts per se. I just don't want them being used to hack other people.

0
0
Bronze badge

Re: Password complexity

"you'd think the US government wouldn't sell their databases to penis enlargement pills outfits"

Errm... large portions of the US Gov _are_ penis enlargement outfits. <exits, humming the "Marine Corps Hymn", especially the part about "If the Army and the Navy ever gaze on heaven's scenes, they'll find the streets are guarded by United States Marines". You can't make this stuff up.>

0
0

This post has been deleted by its author

Silver badge

So what about the username and password which is plainly still stored so that you can tell me that my old account got "deleted", with massive sarcasm quotes added for effect? You know, the one I can't change due to, well, the account being "deleted"?

1
0
Bronze badge

Would this be a recent breach??

Or the one that occurred 12 months ago finally being acknowledged??

3
0
Silver badge

While you're logged in...

... may as well delete your account.

Marissa will have to do better than her last "very sorry" pseudo-self-flagellation for the 4 day mail outage fiasco.

1
0
Bronze badge

Re: While you're logged in...

To be fair, Marissa self-flagellation would satisfy me

1
0
Silver badge
Joke

Re: While you're logged in...

Surely it would be better to flagellate her (or whatever) yourself, after buying her dinner and discussing IT security with her?

(hey, I'm a classy guy)

Steven 'not had a date in a while' Raith.

3
0
Anonymous Coward

Re: While you're logged in...

@Steven Raith

The obvious solution to your dating problem is to store all your confidential data with Yahoo.

Hey presto! Instantly fucked.

1
0
Silver badge

Re: While you're logged in...

I'll read the Daily Mail by choice before I use Yahoo for...fucking anything, thankyouverymuch.

:-)

Steven R

(for our international commentards - the Daily Mail is like the Weekly World News, or other schlocky, lie-filled, made up tabloid rag in your locale, except it passes itself off as a real newspaper. And even more tragically, people actually take it seriously)

0
0
Bronze badge
WTF?

ThirdParty + PlainText Passwords ?

Hello, anybody read the article?

>Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant – after a security breach exposed account login details to theft.

>The company said that it has reset the passwords on accounts connected to what it termed a "third-party database compromise" – that database contained records on some of Yahoo!'s users.

This is so bad, really, soooo bad practice it beggars belief ...

1. What are clear text passwords doing in a database?

2. Worse, WTF is a third party doing with account details .... in clear text ???

As Linus says, the security guy at Yahoo should be shot.

9
1

Re: ThirdParty + PlainText Passwords ?

Doesn't sound like Yahoo did anything wrong. If anybody should be shot, it's the users who used the same password on multiple sites. And there's no evidence that clear-text passwords were stored anywhere. Software like John the Ripper and hashcat will make short work of salted and hashed password files.

2
3
Silver badge
Flame

Bad Register, bad...

A completely separate service to Yahoo has had their database hacked, Yahoo have obtained a copy and flagged the Yahoo mail accounts in the hacked database as accounts which must change their password, as many people use the same password for everything. If as soon as you log into Yahoo you are forced to change your password then you're affected, otherwise you're not affected.

In other words the headline in El Reg is wrong and would be something much more serious.

As much as I like to stick the boot into Yahoo, they seem to have done things properly this time, apart from telling everyone via Tumblr when it should be via their login screen.

I still wouldn't trust Yahoo with my mobile number for 2FA though.

1
0
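The reconciliation step that post describes (obtain the third-party list, flag the matching accounts, force a reset at next login), as an added example that is not code from the page or from Yahoo. It assumes a user table of PBKDF2-salted hashes and a dump whose passwords are already plaintext; the names, passwords and the KDF choice are all constructed here.

```python
import hashlib
import hmac
import os

# Assumed KDF: PBKDF2-HMAC-SHA256. The page does not say how any real
# provider stores passwords; this is a stand-in so the lookup can be shown.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Store only a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user table for our own service.
USERS = {
    "sally@example.com": make_record("fido"),
    "bob@example.com": make_record("correct horse battery staple"),
    "eve@example.com": make_record("Tr0ub4dor&3"),
}

# Constructed third-party dump (email, plaintext password) obtained after
# the other site's breach. It is never written into our own database.
THIRD_PARTY_DUMP = [
    ("sally@example.com", "fido"),        # same password reused: flag
    ("bob@example.com", "hunter2"),       # different password: leave alone
    ("nobody@example.com", "fido"),       # not one of our users
    ("eve@example.com", "tr0ub4dor&3"),   # differs in case: no match
]


def flag_reused_accounts(users: dict, dump: list) -> set:
    """Return the emails whose leaked password also unlocks our account.

    We need no plaintext from our side: the leaked password is run through
    the user's own salt and compared against the stored hash.
    """
    flagged = set()
    for email, leaked_pw in dump:
        rec = users.get(email)
        if rec is None:
            continue
        candidate = hash_password(leaked_pw, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            flagged.add(email)
    return flagged


def must_reset_on_login(email: str, flagged: set) -> bool:
    """Login hook: only accounts in the flagged set get the forced reset."""
    return email in flagged
```

Only a password that actually matches is flagged, so users with a different password at the third party (or a wrong-case variant) are not disturbed, and the dump's plaintext never enters the provider's own store.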
Bronze badge

Re: ThirdParty + PlainText Passwords ?

Er they won't. Use a 1Password (or whatever) password and watch either of those tools take longer than the age of the universe to crack a 23-character password.

0
0

Re: ThirdParty + PlainText Passwords ?

Even if the passwords were stored encrypted, what possible reason does Yahoo (as the service provider) have to share the *password*? Username, etc, makes some sense. Password sharing does not.

0
0
Silver badge
Unhappy

How about informing us properly, Yahoo?

The link provided in the article is to a tumblr blog entry. I can find nothing on the Yahoo site (at least not as obvious as it needs to be), so how does Yahoo expect us to know about the problem if we don't subscribe to the likes of The Register?

Is it meant to be under the omg! menu?

1
0
Bronze badge
FAIL

Re: How about informing us properly, Yahoo?

Is it meant to be under the omg! menu?

In the 'states' there is a syndicated 'media show' (IIRC OMG! The Insider) that is partnered with yaHOO!, perhaps that is where they should have publicized it.

It is quite likely more important than the latest antics of Justin Bieber.

0
0
Silver badge
WTF?

Honest Question

I can't think of a single reason why a third party firm should be given a list of Yahoo's users' email addresses, let alone giving them the users' email addresses PLUS the passwords. Honestly, can anyone tell me even a single reason that would happen? Anyone?

(and let's not go into the fact it seems to have been done in plain text, which is frankly gobsmacking!)

1
0

Re: Honest Question

Sally has an account with Yahoo. She doesn't have much of an imagination, and uses the name of her dog as a password. She then downloads a new version of some Adobe product, which requires registration. So she supplies her Yahoo email address and, foolishly, the same password that she uses for that account. When the Adobe database is hacked, the attackers know that this sort of behaviour is rife and they use the Adobe details to try and break into the Yahoo account. Chances are good that they'll succeed with a moderately high proportion of users. Yahoo were not at fault in this scenario.

5
0
Silver badge

@Zama

Yeah, but the wording from Yahoo! seems to imply a closer linkage, like somehow or other this third party was a partner for something. Which makes it all the more problematic that Yahoo! won't say who the third party is. Speculating further might lead deep into black helicopter territory.

0
0
Silver badge

@Zama

If what you say is true, then it won't be a Yahoo-only problem. The same issue would be faced by hotmail, Google etc.

It is rather unclear, but there do not seem to be reports of that happening.

If it is only Yahoo that are having the issue, then there is some smoke being blown up donkeys.

0
0

Re: @Zama

I agree on the implied linkage -- the end of the Tumblr message issues an apology. If this was a simple third-party compromise like the Adobe scenario that Zama gives, then Yahoo has no apology to make as they would be going above and beyond their responsibilities.

0
0
Silver badge
FAIL

Just tried to change my Sky password, the change password dialogue is doing sweet FA. Fantastic.

0
0
Silver badge

Re: the change password dialogue

Hey, at least you could FIND the change password dialogue. I spent five minutes hunting for the damn thing when I logged into Yahoo!

Who the f*ck HIDES the change password dialogue? That's like keeping a doomsday device secret!

0
0

Re: the change password dialogue

Hover over the cog on the right hand side | Settings | Change Password.

Just make sure you type it right - for some reason they don't make you confirm what you typed (though they do let you show everybody your password if you want).

0
0

So their solution is to hand out your mobile number to all and sundry as well.

Is it just me, or is this "two factor" authentication just another data grab for Y! and the ilk to lose/get hacked/sell?

10
0
Bronze badge

@ Joe 37

See my other comment -- you don't have to give Yahoo your phone number when they ask for it. Just ignore the message and sign out.

0
0
Silver badge

It's not just you

I also immediately thought "hey, opportunity grab !".

It is telling that Yahoo! adopts the same strategy as Google for grabbing your phone number.

Unfortunately for them, I'm not giving Google my number because the less it knows about me the better I feel, and I certainly won't be giving it to Yahoo! because I find it even less trustworthy than Google.

Google may be an evil, all-watching Internet overlord, but at least it is an efficient one. Yahoo! just looks like a bunch of confused amateurs next to the Big G.

0
0

Complex password, simple user Id

We read so much about the importance of complex passwords. However I wonder how many times user IDs such as John.Smith, jsmith, user2, training, sysadmin and administrator are used. Making user IDs more complex but still meaningful will help increase security. Especially for sysadmins. I've long advocated this, but it is rarely mentioned.

1
0
Anonymous Coward

Yahoo!

Really is an appropriate choice of name for a company, isn't it? Gulliver would recognize them.

0
0
Bronze badge

My Yahoo account has no news of this in it.

Password changed anyway.

0
0
Bronze badge

Re: My Yahoo account has no news of this in it.

Nor mine but, like you, done it anyway.

Incidentally, after resetting the password I was asked to supply a mobile phone number. I refuse to do that on principle because these web firms have no hesitation in flogging details (or they get them stolen).

I ignored the demand for a mobile number and simply signed out of Yahoo. Had no problem signing in with the new password.

1
0

Improved password change security!

Please change your password with the form that won't let you change your password. One line asks for current password, second line asks for new password, then click Save. So sez the instructions.

Error pops up telling you the passwords don't match.

Seriously?

3
0
