I've asked Yahoo to delete my account years ago...
... but were my data actually wiped, or they kept a record of them, and they were stolen anyway?
Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website's session cookies. That allowed the miscreants to log into user accounts without ever typing a password. In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged …
Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible
No, I am not giving that bunch of idiots my phone number, it'll get stolen in the next hack (isn't there one due round about now?).
The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password.
Yahoo Account Key also needs your phone number; if they really had your security in mind, this would not be necessary.
Also, it's doubtful this advice works, it seems that hackers can just manufacture session cookies without any need to log in. That's how shit Yahoo is.
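Added illustration (not from the article or any commenter) of the point above: a session cookie that is only HMAC-signed is accepted by anyone holding the signing key, whereas tying the cookie's session id to a server-side registry written only at login, plus retiring the key, rejects cookies that were never issued through a login. All keys, claims and the registry are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo state. A real deployment keeps the signing key in a KMS/HSM
# and the session registry in a store shared by every property using the login.
KEYS = {"k1": secrets.token_bytes(32)}   # kid -> signing key
CURRENT = ["k1"]                          # holder for the active kid
SESSIONS = {}                             # sid -> user, written only on a real login

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def mint_cookie(user, ttl=3600, record=True):
    """Issue payload.kid.sig. record=False models a cookie made with the key
    alone, with no login behind it (the situation the article describes)."""
    claims = {"sub": user, "sid": secrets.token_hex(16), "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(KEYS[CURRENT[0]], body.encode(), hashlib.sha256).digest())
    if record:
        SESSIONS[claims["sid"]] = user
    return f"{body}.{CURRENT[0]}.{sig}"

def _parse(cookie):
    """Return the claims if signature, key id and expiry check out, else None."""
    try:
        body, kid, sig = cookie.split(".")
        expected = hmac.new(KEYS[kid], body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

def verify_stateless(cookie):
    """Weak: a valid signature is enough, so the key alone mints accepted cookies."""
    claims = _parse(cookie)
    return claims["sub"] if claims else None

def verify_with_registry(cookie):
    """Hardened: signature must verify AND the sid must come from a real login."""
    claims = _parse(cookie)
    if not claims or SESSIONS.get(claims["sid"]) != claims["sub"]:
        return None
    return claims["sub"]

def rotate_key():
    """Retire the old key: every cookie signed with it stops verifying."""
    new_kid = f"k{len(KEYS) + 1}"
    KEYS.clear()
    KEYS[new_kid] = secrets.token_bytes(32)
    CURRENT[0] = new_kid
```

Key rotation alone only helps once the compromised key is actually gone; the registry check is what stops cookies that were never issued by a login.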
They still have mine from the days when Vodafone would not let you take yours with you when you left.
Fat lot of good that will do the hackers.
I use it only for throw away emails so I really don't care that much.
Oh and it has emails from a few {cough, cough} dodgy sites (not pron by the way) but to do with body modification. I was using for research for a novel honest officer.
I use my Google Voice number for anything that absolutely needs one (and I don't have GV/hangouts set to receive calls). And if Google ever absolutely needed my phone number I have a Talkatone one.
the CEO say, 75% of their annual income, bonuses or actually lock them up, *nothing* is going to change except the onus of security being put *squarely* at the users' doorsteps.
You can't blame users for having crap passwords when sites don't have a common system, like how one site insists on a min of 10 chr$, upper AND lower case, numbers and a symbol, whereas website B will let you use "password" as a password.
"alohanumeric" ?
This means only letters found in Hawaii?
Anyway - try creating passwords on their Super Router 3, or whatever it is. Have to choose over 8 long, must have special characters, Capitals, Numbers, emoji, grandmother's maiden name, the second letter of the day of your birth, last 6 digits of your entire DNA sequence, IQ divided by BMI * blood alcohol level taken at midnight on New Year's Day 6 years ago.
I think it's fair to say that (except for a few poor bastards that for whatever reason can't extricate themselves from needing the specific email address), anyone still using Yahoo email at this point has no concern for their account's security anyway, and 2FA or anything else isn't going to get a lot of participation.
I finally closed my Yahoo a few months ago after one of my friends called up to say they were getting spam from it. I'd not really used it for a while but I was reluctant to close it since it was my very first email account and I'd had it since 1995.
But I'd changed the password to some 15 character monstrosity from a password manager so even I didn't know what it was, yet it still got nailed (it wasn't spoofed; there were some other hints about that).
What scares me is that we have stopped being surprised when this happens. These are technology companies who cannot manage simple security activities and treat their customers' data with contempt.
Comments above suggest various measures to try to stop this but there is so much aggressive apathy (Yes I know that is an oxymoron) from the companies involved that even if some Government Monitor tried to fine them it is hard to see them having the bottle to make it a big enough number to change things.
"So why push me to two-factor authentication?"
To gather even more information (valid phone #) about their users, to sweeten the pot for the sale, and oops... share with the hackers.
My Yahoo! account is strictly for websites that insist on one, there's minimal info in it, and none that's actual.
2FA? With them? Pah! When >name< >password< no longer works, I'll just start using one of my other throw away accounts elsewhere.
"So why push me to two-factor authentication?"
Well, one thing though: you don't always need to provide extra info for that. There are also systems which can show a specific image which you can then scan with your phone (or snap a pic and use a program) which will extract the code which you need to provide.
Other than that you're absolutely right of course!
I technically still have a Yahoo address, in that I originally had a Rocket Mail address. Then when they were bought by Yahoo to become Yahoo mail, they said that all existing customers would have an account for life.
I've not used that address in at least fifteen years, but it makes me smile knowing that a tiny fraction of electricity and disk space is being wasted by Yahoo, just collecting spam for me, that I will never look at.
The focus of the discussions of Yahoo has been email, but they operate a number of other services, including Flickr, which use the same login credentials as Yahoo. If they are using the same authentication systems, does that mean that Flickr is also vulnerable to the forged session cookies?
One would assume that to be the case, given Yahoo! imposed their common authentication system onto Flickr a couple of years ago. More worryingly this means those who infiltrated their systems had access to a massive database of personal photos (for those who use the mobile app to sync personal photos) along with associated geolocation info. Very worrying. Imagine the profile a state actor could build on a potential target.
I did some investigation for a client who had evidence to suggest that his Yahoo account had been exploited (emails being sent to contacts in his address book, purportedly from him). My conclusion at the time was that there was an API in existence (for developers) which could be used to run a dictionary attack on Yahoo account logins without either the user being aware, or Yahoo locking them out.
This Yahoo controversy has been going on a lot longer than everyone is making out.
If I had a tenner for every time an article here has asked this question (or implied it) in the last few years, I could probably go away for a nice spa weekend or something, to calm down...
There is one reason, and one alone, why I still have a Y! account: Flickr. I'm a Pro account holder; I've been one for over a decade; have 1000s of pics in my account (some of which only exist there AFAIK (yes, I KNOW, more the fool me, etc.))... and call me weird, but I actually LIKE the way Flickr works (esp. the auto-upload from the iPhone app). If Flickr could be liberated from its current ownership, I'd drop my Y! account so fast it would exceed the pull of gravity, and I feel sure thousands of users would follow suit.
I'd practically bet real moolah that Y! knows this, which is why I fear Flickr will have to be crowbarred out of its owner's cold, dead mitts...
I have a Yahoo account dating from when Freecycle was run as a Yahoo Group. An article on El Reg, a few months ago, reminded me that I should close it down.
I tried to log in, and my password was rejected. Hmm. Maybe they've reset it in the wake of all the infiltration we've been hearing about. I request a password reset.
The next thing I get is an email from Yahoo to my non-Yahoo email address (which they must have got from my Yahoo account records) containing a one-time login link. I follow the link to Yahoo and try to set a new password. At this point Yahoo tells me in no uncertain terms that it can't create a new password for that account because the account does not exist.
What a bunch of utter clueless wankers!
When Yahoo! held hostage accounts "synchronized" with AT&T, that was the last straw for me, way back in 2005. We had email through Yahoo! in some of our offices, where that was the only way we could provide services for remote offices. We didn't have them on our head office server yet, because they didn't have the necessary router, or broadband for such a connection. We were on a budget and unless the community population and/or services met a certain category, we didn't use our company email server.
After we switched from AT&T to a broadband service that had just been built in one of the far-flung communities, we discovered all email was going to be lost because Yahoo/AT&T refused to release it as a web based email again. Yahoo! and AT&T were both sued over this and lost in court, but it was too late for our hapless remote offices. We had to rebuild from scratch, and we never forgot about that. Never again will I, or anyone I know, recommend Yahoo for web based email, even though now - you can supposedly free it up after that court case. They really stuck it in the dirt with treating so many people that way. And then they wonder why their market share keeps going down.
There is nothing more irritating than having to delete Yahoo! as a search engine in everyone's browsers too!! It keeps coming back and taking over the browser like that 'Ask' tool bar that was finally declared a PUP a few years ago. You cannot engender good will acting like this, but Yahoo! never seems to get it. Just like A-Hole, er I mean AOL did years ago. The pestilence will finally be eradicated by their continued bad behavior, and everyone jumping ship like a bunch of drowning rats! Thankfully we finally instituted Outlook Web Access 2003 email for remote dial up offices, so we could get an SSL connection and still use our central server to control our remote offices. Never again will we ever trust an outsider like that for email service - besides I would bet that the HIPAA regulations have by now blocked using such insecure services now anyway.