back to article Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, …


  1. Anonymous Coward
    Anonymous Coward


    fucked em off when they demanded a legit mobile number....dunno if goggle still accept snide ones?

    1. Anonymous Coward
      Anonymous Coward

      Re: phew!

      Google have never accepted illegitimate mobile numbers (AFAIR). Tried making a new junk account recently; they don't even accept those free online SMS services.

      1. Lee D Silver badge

        Re: phew!

        But Google also don't ever require a phone number:


        Your new email address is

        No number given (I just ignored that field). No previous email. Fake personal data. Incognito window.

        Just made it just now.

        1. RobHib

          Re: phew! — It depends.

          Google accounts:

          1. It depends on where you are on this planet, different rules, different places.

          2. Don't create an account on a machine that already has an account or one where you have tried and failed previously.

          3. If Google is already chasing you for a phone number, use another machine and IP address.

          4. It's often best to use a new/clean machine every time.

          5. If you are at the point that Google wants a phone number do not attempt to use the same email address that you attempted to use earlier, always do things anew.

          6. After getting the phone number problem, also I found leaving it for a few days then using a colleague's machine (whose ISP and IP are different) together with a completely different/new username then it worked OK.

          1. Anonymous Coward
            Anonymous Coward

            Re: phew! — It depends.

            If you fancy a bit of mischief you can repeatedly try to create a google mail account and deliberately fail - google will then block the IP address for a while. Try it at work sometime...

        2. Mage Silver badge

          Re: don't ever require a phone number?

          I think they do if creating a new account on a tablet. They send SMS message key for next step!

        3. fedoraman

          Re: phew!

          Sorry - that email address is already taken.

        4. Lee D Silver badge

          Re: phew!

          I'm in the UK.

          I was on a school connection (so thousands of Google users, and all kinds) on the guest wifi (i.e. about as anonymous as you can get and the equivalent to doing it at a library or a cyber-cafe).

          You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required.

          And if you live in a country where Google require it, you have no Internet freedom anyway because Google only do it where they are made to do it.

          But the premise that you need to give a phone number to get a Google account is nonsense - and you could use a proxy or public wifi to sign up for one in seconds. In fact, if that proxy or wifi is tied to ten thousand other Google accounts, it actually HELPS your anonymity if you wish to retain that, surely?

          1. VinceH Silver badge

            Re: phew!

            "You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required."

            Quite - and whenever I've logged in on a computer (not often, but often enough for this to be noticeable) if I've seen the prompt to add my phone number, I've always skipped it. However, somewhere down the line I stopped seeing that prompt my number - and I also noticed receiving text messages from Google reporting log-ins on a "new" device whenever I logged in on my computer (it's always "new" when cookies don't survive beyond the session).

            I looked in my account settings and my number was there.

            Probably picked up from my phone at some point.

        5. Anonymous Coward
          Anonymous Coward

          Re: phew!

          Well thats Fucked Afdsadfafdgafd Gadgadfgadfgadf from getting his name @ you bastard!

    2. chivo243 Silver badge

      Re: phew!

      I've never given my number to either google or yahoo.. there is a skip button when they ask this nonsense, then a nag screen asking if you're sure.

    3. Anonymous Coward
      Anonymous Coward

      Re: phew!

      Ironic, as I wouldn't use anything that didn't use a phone number for TFA. All my yahoo accounts are TFA protected and don't have personally identifiable information, so I am sitting pretty..

  2. J. R. Hartley Silver badge

    Two fucking years, Yahoo!


    1. heyrick Silver badge

      Re: Two fucking years, Yahoo!

      Exactly. Should I bother to change my password? It's been changed since then...

    2. Anonymous Coward
      Anonymous Coward

      Re: Two fucking years, Yahoo!

      They needed that time to get rid of stock and complete the Verizon sale.

      And people cried about Sony and 2 days for initial disclosure and 6 days for full fact disclosure.... They are looking pretty dumb now.

    3. Anonymous Coward
      Anonymous Coward

      Re: Two fucking years, Yahoo!

      I agree but then I thought about it from another perspective.

      If you were hacked for data how would you know?

      A. It starts appearing on the net.

      B. You discover the breach yourself.

      If A didn't happen and if it did we would have found out about this a lot sooner then it's either people that want to keep it a secret and use it for themselves which means it could in fact be state sponsored.

      If B didn't happen straight away how is it that 2 years later they find out? That doesn't make any sense, why would you audit 2 year old logs?

  3. Keef

    I have a Yahoo! account because...

    I have Sky UK as a provider of my internet services and with that comes the account with Yahoo! I don't want or need.

    Maybe I could go elsewhere but I doubt the situation would be better anywhere else in the long term.

  4. Anonymous Coward
    Anonymous Coward

    I always thought yahoo accounts where used by spammers..............a lot I get are

    1. Pen-y-gors Silver badge

      I always thought...

      ...that yahoo details had been so widely stolen that you could buy a book of them in the Moscow branch of Waterstones.

  5. Nate Amsden Silver badge

    why would people sue

    This is an email account, not like they swiped credit cards or social security numbers or something like that(I would expect Yahoo would not need that information for signing up for an account anyway).

    (been hosting my own email for roughly 20 years now)

    1. Dan 55 Silver badge

      Re: why would people sue

      There are people actually fill in their webmail account info with real details instead of the address of Buck House.

      I would also like to add fuck Yahoo, a sieve is more secure their webmail.

  6. Anonymous Coward
    Anonymous Coward

    Have account from 2004.. or so...

    I have had a Yahoo account for a very long time, but use it only for posting to forums. The crooks are going to be disappointed in what they find with my account.

    Didn't yahoo make everyone change their password in the past year?

    1. Dave Bell

      Re: Have account from 2004.. or so...

      I think they did. I have a Yahoo account for posting to a mailing list, and I changed passwords recently. There was nothing in the emails I got, but I had to change when I logged in recently to post something. There must be a lot of dormant accounts, and they must know it, but that huge total looks impressive.

      I know other companies which pull that trick of never deleting an account, possibly to mask a falling customer base.

    2. DropBear Silver badge

      Re: Have account from 2004.. or so...

      Apparently not. According to the "activity log" or whatever they call it my password was last changed over two years ago. Just changed it again, and I guess there was a point to not associating any personal info whatsoever with that account after all...

  7. Florida1920 Silver badge

    It is what it sounds like


    1. Nolveys Silver badge

      Re: It is what it sounds like

      "Yahoo!" Is properly pronounced thusly.

  8. Amos1

    The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:

    "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"

    Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”

    Sysadmin #2: “Ummm…”

    1. Anonymous Coward
      Anonymous Coward

      ...have launched programs to detect and notify users when a company strongly suspects that...

      Sounds like a natural-language-processing program that listens in to the daily boss-level meeting and tries to detect "strong suspicion". Once matching criterion 0.95 is reached, it automatically fires off mails!

  9. Lennart Sorensen

    Whoever said they were yahoo webmail accounts? Lots of people have yahoo accounts for yahoo messenger, yahoo groups and many other things. Is it perhaps that list of users accounts that was stolen? Yahoo accounts does not equal yahoo webmail.

    1. Lee D Silver badge

      To the best of my knowledge, a Yahoo account is all of the above anyway.

      I know my old Geocities account that became a Yahoo account also logs me in over Yahoo Messenger (who uses that nowadays?!), Yahoo webmail, Yahoo groups, etc.

      Yahoo accounts are therefore likely centralised and if you have the details of one, you have them all (I doubt there are 500m Messenger usages, or 500m Groups users, or 500m old Geocities users!). I haven't logged in via Yahoo Mail for several years (2009 by the inbox I just looked at), so it's stupid if my credentials are lying around only on Yahoo Mail, and incredibly unlikely that only a single Yahoo service was hacked.

      It sounds like a central Yahoo database. But, nowadays, nobody uses any of that other junk and only Yahoo Mail is likely to be heard of, which is probably why the article says that.

  10. Alperian

    Sky use yahoo mail for their customers. What about that?

    1. Roland6 Silver badge

      If memory is correct, BT also used Yahoo mail for their customers at one stage.

      So yes "The statement leaves many questions unanswered.", specifically does this breech impact third-parties to whom Yahoo white-labelled their services to.

      1. Don Dumb

        @Roland6 - BT does use Yahoo Mail still (I've just checked)

        Oddly nothing on BT's news page mentions the breach.

        1. AndrewDu

          BT have just written to a lot of their account holders (maybe all of them) point out just this, and asking them to change their passwords.

    2. VinceH Silver badge

      "Sky use yahoo mail for their customers. What about that?"


      The penny now drops as to why, once in a blue moon, I get an occasional malware email that purports to come from my brother's ex. It doesn't come from her old Sky email address in full - but the left hand side of the address is hers. It's probably not an uncommon name, but when she signed up with Sky the person at the other end cocked up and spelt her name incorrectly - and that appears in the left hand side of these emails.

  11. 100113.1537

    A bit elitist aren't you El Reg?

    Just because a group of tech-savvy hacks in a developed country haven't used their Yahoo accounts for over a year doesn't mean that there aren't a lot of people using this service regularly. I have many African contacts for whom a Yahoo account (often french) is the only way to reliably contact them. These are often senior academics and government workers whose "work" email very often doesn't (work, that is).

    There is more than half a world outside the US and western Europe that relies on the kind of technology and services you make fun of (that's why there is still a market in PCs despite their demise being regularly forecast in these pages). Whether this information breach is going to affect people significantly is hard to say (it was two years ago, after all), but it will concern a lot of real people who use their Yahoo accounts every day.

    1. heyrick Silver badge

      Re: A bit elitist aren't you El Reg?

      I use Yahoo. It supports IMAP so my phone/tablet can pick it up using a "real" mail program and not whatever GMail thinks it is. It is an address I can give out, without worrying too much if people are going to do idiotic things like group mail with my address (and all the others) in the To line.

      I have a private email. Maybe ten people know the address. Accordingly, their messages to me get read quickly as I look there first/most often.

      There is a point to having a third party deal with a mail service so people you don't necessarily want to hear from can attempt to contact you...

      By the way, after this disclosure, what's Yahoo! going to be going for now? I'll put my offer on the table: a half-eaten pack of wasabi flavoured crisps. If you sell it to me quickly, I'll throw in some stale Lindt chocolates.

      1. el_oscuro

        Re: A bit elitist aren't you El Reg?

        Gmail has full imap support too. I use it with thunderbird. Instructions for setting up most clients can be found here:

        1. Anonymous Coward
          Anonymous Coward

          Re: A bit elitist aren't you El Reg?

          But it's a Google product.

        2. DropBear Silver badge

          Re: A bit elitist aren't you El Reg?

          "Gmail has full imap support too."

          Yes, and my "me" email address is a Gmail one; there's not much point in trying to hide from an online store you just bought something from who they need to ship it to. My Yahoo address is my "not me" email, for things that have no need or no business having any idea who I really am. Now, this may sound paranoid to you, but I don't find having both those accounts with a single provider such a great idea - hence Yahoo, the only _other_ free email provider I can still access via POP3 or IMAP.

      2. Paul Crawford Silver badge

        Re: A bit elitist aren't you El Reg?

        I also use Yahool with POP access, it is OK for spammy stuff but it suffers a lot more spam than gmail seems to with a significant upsurge in the last month or so. Maybe this explains a bit?

        No phone number with mine, but every (rare) time I use the web login it pesters for one. However if signing up now they demand on.

        Gmail didn’t demand one at sign-up but the fskers blocked POP access when I went abroad for a trip and pestered for a phone number to unlock it, which it was simply not worth giving. Returned to operating again when back home.

        Both are out to whore you.

        1. Fred Dibnah

          Re: A bit elitist aren't you El Reg?

          Not sure what the beef is with spam (cue comments about pork). 99% of spam goes straight to the spam folder, leaving <10 messages a month in the inbox. I've been using Y! webmail for years, with Ublock Origin and Yahoo Mail Hide Ad Panel plugin, and it works great for me. I considering switching around the time that Marissa's minions fucked around with it for a few months, but they have left it alone since then.

          I've looked at other webmail offerings (don't want POP3 or IMAP) and I haven't seen anything better so far. YMMV, of course.

      3. Tom Paine Silver badge

        Re: A bit elitist aren't you El Reg?

        Gmail supports IMAP and always has done.

  12. Destroy All Monsters Silver badge
    Paris Hilton

    What is this I don't even

    Hackers strongly believed to be state-sponsored

    What does that even mean!

    I strongly believe Hillary will take the mic soon, having strongly detected an unholy alliance of Pepe the Sadfrog and the ever elusive all-powerful P.U.T.I.N. organization to ravage the purple yodeling cowboy, a strong symbol of Yankee Americanism, so as to have his star-spangled arse transformed into Cordon Bleu.

    This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database this summer.

    Did you mean "corpses of the Yahoo! account database"?

    1. Captain DaFt

      Re: What is this I don't even

      Hackers strongly believed to be state-sponsored

      "What does that even mean!"

      My take:

      Some kid, living in estate housing, bored, with access to a computer.

      1. unix.beard

        Re: What is this I don't even

        My take: Yahoo! is trying to imply that it would take the resources of a nation state to get past their superb security.

    2. Doctor Syntax Silver badge

      Re: What is this I don't even

      "Hackers strongly believed to be state-sponsored

      What does that even mean!"

      It means "We do everything we possibly can to defend against ordinary hackers but state-sponsered - well, you can't really blame us for that." Wrings hands. Or was that washes them?

  13. Kevin McMurtrie Silver badge

    "email all those thought to be affected"

    I won't be getting that e-mail. I was just wondering if I should pull Yahoo from my mail server's blacklist because the spam deluge had settled down to a tiny trickle. It looks like now isn't a good time.

  14. heyrick Silver badge

    An observation - it is possible the passwords have been cracked

    Last Autumn I had the unpleasant experience of having to tell my boss to disregard an email from me as it contains a virus or some sort and was not sent by me.

    It was, however, marked as coming from me, and sent to a large number of people. After scouring my machine to try to track down the addresses present in the mail (it was an odd assortment, mostly people I know but it wasn't any addressbook I could lay my hands upon). The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account. I was aware of this as I send myself messages when testing stuff like the phone/tablet settings are correct.

    How would this information be available if the account had not been compromised? That's a question we ought to be asking here. So either Yahoo! has yet another leak, or the passwords are being cracked. I don't know why they didn't hit the addressbook. Too obvious, maybe? It's rather clever to target those addresses a person has actually sent messages to.

    At any rate - perhaps their entire client database got lifted and they took two years to notice? Nice work. {slow handclap}

    1. el_oscuro

      Re: An observation - it is possible the passwords have been cracked

      Most websites handle websites wrong. Unless they are using a correct password has with a random per record salt, they can be cracked. If they are using any type of encryption or an unsalted hash, they might as well be plaintext.

      So if a website you use is breached, consider everything (passwords, email, security questions, etc) you used there compromised.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019