Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, …

  1. Anonymous Coward

    phew!

    Fucked 'em off when they demanded a legit mobile number.... dunno if Google still accept snide ones?

    1. Anonymous Coward

      Re: phew!

      Google have never accepted illegitimate mobile numbers (AFAIR). Tried making a new junk account recently; they don't even accept those free online SMS services.

      1. Lee D Silver badge

        Re: phew!

        But Google also don't ever require a phone number:

        Proof:

        Your new email address is afdsadfafdgafdgadgadfgadfgadf@gmail.com

        No number given (I just ignored that field). No previous email. Fake personal data. Incognito window.

        Just made it just now.

        1. RobHib

          Re: phew! — It depends.

          Google accounts:

          1. It depends on where you are on this planet, different rules, different places.

          2. Don't create an account on a machine that already has an account or one where you have tried and failed previously.

          3. If Google is already chasing you for a phone number, use another machine and IP address.

          4. It's often best to use a new/clean machine every time.

          5. If you are at the point that Google wants a phone number do not attempt to use the same email address that you attempted to use earlier, always do things anew.

          6. After getting the phone number problem, I also found that leaving it for a few days and then using a colleague's machine (whose ISP and IP are different) together with a completely different/new username worked OK.

          1. Anonymous Coward

            Re: phew! — It depends.

            If you fancy a bit of mischief you can repeatedly try to create a google mail account and deliberately fail - google will then block the IP address for a while. Try it at work sometime...

        2. Mage Silver badge

          Re: don't ever require a phone number?

          I think they do if creating a new account on a tablet. They send SMS message key for next step!

        3. fedoraman
          Coat

          Re: phew!

          Sorry - that email address is already taken.

        4. Lee D Silver badge

          Re: phew!

          I'm in the UK.

          I was on a school connection (so thousands of Google users, and all kinds) on the guest wifi (i.e. about as anonymous as you can get and the equivalent to doing it at a library or a cyber-cafe).

          You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required.

          And if you live in a country where Google require it, you have no Internet freedom anyway because Google only do it where they are made to do it.

          But the premise that you need to give a phone number to get a Google account is nonsense - and you could use a proxy or public wifi to sign up for one in seconds. In fact, if that proxy or wifi is tied to ten thousand other Google accounts, it actually HELPS your anonymity if you wish to retain that, surely?

          1. VinceH

            Re: phew!

            "You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required."

            Quite - and whenever I've logged in on a computer (not often, but often enough for this to be noticeable), if I've seen the prompt to add my phone number, I've always skipped it. However, somewhere down the line I stopped seeing that prompt for my number - and I also noticed receiving text messages from Google reporting log-ins on a "new" device whenever I logged in on my computer (it's always "new" when cookies don't survive beyond the session).

            I looked in my account settings and my number was there.

            Probably picked up from my phone at some point.

        5. Anonymous Coward

          Re: phew!

          Well that's fucked Afdsadfafdgafd Gadgadfgadfgadf from getting his name @ gmail.com, you bastard!

    2. chivo243 Silver badge

      Re: phew!

      I've never given my number to either google or yahoo.. there is a skip button when they ask this nonsense, then a nag screen asking if you're sure.

    3. Anonymous Coward

      Re: phew!

      Ironic, as I wouldn't use anything that didn't use a phone number for TFA. All my yahoo accounts are TFA protected and don't have personally identifiable information, so I am sitting pretty..

  2. J. R. Hartley Silver badge

    Two fucking years, Yahoo!

    TWO FUCKING YEARS!!!!

    1. heyrick Silver badge

      Re: Two fucking years, Yahoo!

      Exactly. Should I bother to change my password? It's been changed since then...

    2. Anonymous Coward

      Re: Two fucking years, Yahoo!

      They needed that time to get rid of stock and complete the Verizon sale.

      And people cried about Sony and 2 days for initial disclosure and 6 days for full fact disclosure.... They are looking pretty dumb now.

    3. Anonymous Coward

      Re: Two fucking years, Yahoo!

      I agree but then I thought about it from another perspective.

      If you were hacked for data how would you know?

      A. It starts appearing on the net.

      B. You discover the breach yourself.

      If A didn't happen (and if it did, we would have found out about this a lot sooner), then it's either people that want to keep it a secret and use it for themselves, which means it could in fact be state sponsored.

      If B didn't happen straight away how is it that 2 years later they find out? That doesn't make any sense, why would you audit 2 year old logs?

  3. Keef

    I have a Yahoo! account because...

    I have Sky UK as a provider of my internet services and with that comes the account with Yahoo! I don't want or need.

    Maybe I could go elsewhere but I doubt the situation would be better anywhere else in the long term.

  4. Anonymous Coward

    I always thought yahoo accounts were used by spammers... a lot I get are.

    1. Pen-y-gors Silver badge

      I always thought...

      ...that yahoo details had been so widely stolen that you could buy a book of them in the Moscow branch of Waterstones.

  5. Nate Amsden

    why would people sue

    This is an email account, not like they swiped credit cards or social security numbers or something like that (I would expect Yahoo would not need that information for signing up for an account anyway).

    (been hosting my own email for roughly 20 years now)

    1. Dan 55 Silver badge

      Re: why would people sue

      There are people who actually fill in their webmail account info with real details instead of the address of Buck House.

      I would also like to add: fuck Yahoo, a sieve is more secure than their webmail.

  6. Anonymous Coward

    Have account from 2004.. or so...

    I have had a Yahoo account for a very long time, but use it only for posting to forums. The crooks are going to be disappointed in what they find with my account.

    Didn't yahoo make everyone change their password in the past year?

    1. Dave Bell

      Re: Have account from 2004.. or so...

      I think they did. I have a Yahoo account for posting to a mailing list, and I changed passwords recently. There was nothing in the emails I got, but I had to change when I logged in recently to post something. There must be a lot of dormant accounts, and they must know it, but that huge total looks impressive.

      I know other companies which pull that trick of never deleting an account, possibly to mask a falling customer base.

    2. DropBear Silver badge

      Re: Have account from 2004.. or so...

      Apparently not. According to the "activity log" or whatever they call it my password was last changed over two years ago. Just changed it again, and I guess there was a point to not associating any personal info whatsoever with that account after all...

  7. Florida1920
    Angel

    It is what it sounds like

    Yahoo!

    1. Nolveys

      Re: It is what it sounds like

      "Yahoo!" is properly pronounced thusly.

  8. Amos1

    The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:

    "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"

    Sysadmin #1: “We got the new government hacking detection tool running and we’re already getting hits!”

    Sysadmin #2: “Ummm…”

    1. Anonymous Coward

      ...have launched programs to detect and notify users when a company strongly suspects that...

      Sounds like a natural-language-processing program that listens in to the daily boss-level meeting and tries to detect "strong suspicion". Once matching criterion 0.95 is reached, it automatically fires off mails!

  9. Lennart Sorensen

    Whoever said they were yahoo webmail accounts? Lots of people have yahoo accounts for yahoo messenger, yahoo groups and many other things. Is it perhaps that list of users accounts that was stolen? Yahoo accounts does not equal yahoo webmail.

    1. Lee D Silver badge

      To the best of my knowledge, a Yahoo account is all of the above anyway.

      I know my old Geocities account that became a Yahoo account also logs me in over Yahoo Messenger (who uses that nowadays?!), Yahoo webmail, Yahoo groups, etc.

      Yahoo accounts are therefore likely centralised and if you have the details of one, you have them all (I doubt there are 500m Messenger usages, or 500m Groups users, or 500m old Geocities users!). I haven't logged in via Yahoo Mail for several years (2009 by the inbox I just looked at), so it's stupid if my credentials are lying around only on Yahoo Mail, and incredibly unlikely that only a single Yahoo service was hacked.

      It sounds like a central Yahoo database. But, nowadays, nobody uses any of that other junk and only Yahoo Mail is likely to be heard of, which is probably why the article says that.

  10. Alperian

    Sky use yahoo mail for their customers. What about that?

    1. Roland6 Silver badge

      If memory is correct, BT also used Yahoo mail for their customers at one stage.

      So yes, "The statement leaves many questions unanswered." Specifically, does this breach impact the third parties to whom Yahoo white-labelled their services?

      1. Don Dumb

        @Roland6 - BT does use Yahoo Mail still (I've just checked)

        Oddly nothing on BT's news page mentions the breach.

        1. AndrewDu

          BT have just written to a lot of their account holders (maybe all of them) pointing out just this, and asking them to change their passwords.

    2. VinceH

      "Sky use yahoo mail for their customers. What about that?"

      Ah!

      The penny now drops as to why, once in a blue moon, I get an occasional malware email that purports to come from my brother's ex. It doesn't come from her old Sky email address in full - but the left hand side of the address is hers. It's probably not an uncommon name, but when she signed up with Sky the person at the other end cocked up and spelt her name incorrectly - and that appears in the left hand side of these emails.

  11. 100113.1537

    A bit elitist aren't you El Reg?

    Just because a group of tech-savvy hacks in a developed country haven't used their Yahoo accounts for over a year doesn't mean that there aren't a lot of people using this service regularly. I have many African contacts for whom a Yahoo account (often French) is the only way to reliably contact them. These are often senior academics and government workers whose "work" email very often doesn't (work, that is).

    There is more than half a world outside the US and western Europe that relies on the kind of technology and services you make fun of (that's why there is still a market in PCs despite their demise being regularly forecast in these pages). Whether this information breach is going to affect people significantly is hard to say (it was two years ago, after all), but it will concern a lot of real people who use their Yahoo accounts every day.

    1. heyrick Silver badge

      Re: A bit elitist aren't you El Reg?

      I use Yahoo. It supports IMAP so my phone/tablet can pick it up using a "real" mail program and not whatever GMail thinks it is. It is an address I can give out, without worrying too much if people are going to do idiotic things like group mail with my address (and all the others) in the To line.

      I have a private email. Maybe ten people know the address. Accordingly, their messages to me get read quickly as I look there first/most often.

      There is a point to having a third party deal with a mail service so people you don't necessarily want to hear from can attempt to contact you...

      By the way, after this disclosure, what's Yahoo! going to be going for now? I'll put my offer on the table: a half-eaten pack of wasabi flavoured crisps. If you sell it to me quickly, I'll throw in some stale Lindt chocolates.

      1. el_oscuro

        Re: A bit elitist aren't you El Reg?

        Gmail has full imap support too. I use it with thunderbird. Instructions for setting up most clients can be found here:

        https://support.google.com/mail/answer/78892?hl=en

        1. Anonymous Coward

          Re: A bit elitist aren't you El Reg?

          But it's a Google product.

        2. DropBear Silver badge

          Re: A bit elitist aren't you El Reg?

          "Gmail has full imap support too."

          Yes, and my "me" email address is a Gmail one; there's not much point in trying to hide from an online store you just bought something from who they need to ship it to. My Yahoo address is my "not me" email, for things that have no need or no business having any idea who I really am. Now, this may sound paranoid to you, but I don't find having both those accounts with a single provider such a great idea - hence Yahoo, the only _other_ free email provider I can still access via POP3 or IMAP.

      2. Paul Crawford Silver badge

        Re: A bit elitist aren't you El Reg?

        I also use Yahoo! with POP access. It is OK for spammy stuff, but it suffers a lot more spam than Gmail seems to, with a significant upsurge in the last month or so. Maybe this explains a bit?

        No phone number with mine, but every (rare) time I use the web login it pesters for one. However, if signing up now they demand one.

        Gmail didn’t demand one at sign-up but the fskers blocked POP access when I went abroad for a trip and pestered for a phone number to unlock it, which it was simply not worth giving. Returned to operating again when back home.

        Both are out to whore you.

        1. Fred Dibnah Silver badge
          WTF?

          Re: A bit elitist aren't you El Reg?

          Not sure what the beef is with spam (cue comments about pork). 99% of spam goes straight to the spam folder, leaving <10 messages a month in the inbox. I've been using Y! webmail for years, with uBlock Origin and the Yahoo Mail Hide Ad Panel plugin, and it works great for me. I considered switching around the time that Marissa's minions fucked around with it for a few months, but they have left it alone since then.

          I've looked at other webmail offerings (don't want POP3 or IMAP) and I haven't seen anything better so far. YMMV, of course.

      3. Tom Paine Silver badge

        Re: A bit elitist aren't you El Reg?

        Gmail supports IMAP and always has done. https://support.google.com/mail/answer/7126229?hl=en

  12. Destroy All Monsters Silver badge
    Paris Hilton

    What is this I don't even

    Hackers strongly believed to be state-sponsored

    What does that even mean!

    I strongly believe Hillary will take the mic soon, having strongly detected an unholy alliance of Pepe the Sadfrog and the ever elusive all-powerful P.U.T.I.N. organization to ravage the purple yodeling cowboy, a strong symbol of Yankee Americanism, so as to have his star-spangled arse transformed into Cordon Bleu.

    This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database this summer.

    Did you mean "corpses of the Yahoo! account database"?

    1. Captain DaFt

      Re: What is this I don't even

      Hackers strongly believed to be state-sponsored

      "What does that even mean!"

      My take:

      Some kid, living in estate housing, bored, with access to a computer.

      1. unix.beard

        Re: What is this I don't even

        My take: Yahoo! is trying to imply that it would take the resources of a nation state to get past their superb security.

    2. Doctor Syntax Silver badge

      Re: What is this I don't even

      "Hackers strongly believed to be state-sponsored

      What does that even mean!"

      It means "We do everything we possibly can to defend against ordinary hackers, but state-sponsored - well, you can't really blame us for that." Wrings hands. Or was that washes them?

  13. Kevin McMurtrie Silver badge

    "email all those thought to be affected"

    I won't be getting that e-mail. I was just wondering if I should pull Yahoo from my mail server's blacklist because the spam deluge had settled down to a tiny trickle. It looks like now isn't a good time.

  14. heyrick Silver badge

    An observation - it is possible the passwords have been cracked

    Last autumn I had the unpleasant experience of having to tell my boss to disregard an email from me, as it contained a virus of some sort and was not sent by me.

    It was, however, marked as coming from me, and sent to a large number of people. I scoured my machine to try to track down the addresses present in the mail (it was an odd assortment, mostly people I know, but it wasn't any address book I could lay my hands upon). The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account. I was aware of this as I send myself messages when testing that stuff like the phone/tablet settings is correct.

    How would this information be available if the account had not been compromised? That's a question we ought to be asking here. So either Yahoo! has yet another leak, or the passwords are being cracked. I don't know why they didn't hit the addressbook. Too obvious, maybe? It's rather clever to target those addresses a person has actually sent messages to.

    At any rate - perhaps their entire client database got lifted and they took two years to notice? Nice work. {slow handclap}

    1. el_oscuro

      Re: An observation - it is possible the passwords have been cracked

      Most websites handle passwords wrong. Unless they are using a correct password hash with a random per-record salt, they can be cracked. If they are using any type of encryption or an unsalted hash, they might as well be plaintext.

      So if a website you use is breached, consider everything (passwords, email, security questions, etc) you used there compromised.

      1. Anonymous Coward

        Re: An observation - it is possible the passwords have been cracked

        Won't they just steal the salt, too, which MUST exist somewhere for them to be able to salt your entries? In which case, we're basically screwed no matter what?

        1. Anonymous Coward

          Re: An observation - it is possible the passwords have been cracked

          No, the salt is just there to make the password guess-hash-compare attack impractical.

          Not using salt:

          1) Take list of known or possible passwords (use lists from previous breaches off the Internet)

          2) Hash passwords in list, yielding a lookup table of hashes (rainbow table)

          3) Check to see whether any of the hashes appear in the exfiltrated list of password hashes (bonus: you can see whether two entries use the same password directly, as their hashes are identical)

          +) Bonus points, if the hash algorithm used is "fast" or can be done in hardware (like MD5 can) then you can do brute-force too, but today these are eminently practical. Special hash algorithms that are unfeasible for brute-force attacks exist, so service providers should use these.

          Using salt (which is stored generally right next to the hash and is thus not a secret), you can only do +) as every password becomes unique as it is effectively extended by the "salt" string.

        2. Vic

          Re: An observation - it is possible the passwords have been cracked

          "Won't they just steal the salt, too, which MUST exist somewhere for them to be able to salt your entries? In which case, we're basically screwed no matter what?"

          Stealing the salt isn't really a problem; it's there to prevent collision attacks. That means your attacker cannot use a rainbow table, because he needs a password/salt combination that not only hashes to the right value, but also starts with the salt specified.

          Vic.
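          The two comments above (the numbered guess-hash-compare steps, and Vic's point that a stolen salt is not a problem) can be checked directly. The following is an added example, not code from either commenter or from Yahoo: it builds a constructed three-user store both ways (unsalted SHA-256, and a random 16-byte per-record salt with the slow PBKDF2-HMAC-SHA256 KDF from Python's standard library), then runs two defender-side audits over each store: do any two records share a digest, and do any digests appear in a table precomputed from a small constructed word list. The user names, passwords and word list are all made up for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (not real Yahoo data): two users share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery",
    "bob": "hunter2",
    "carol": "hunter2",
}

# Constructed "previous breach" word list, standing in for step 1 of the comment.
SAMPLE_WORDLIST = ["password", "hunter2", "letmein"]


def store_unsalted(users):
    """Weak scheme: one fast, unsalted hash per record."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users, iterations=100_000):
    """Better scheme: random per-record salt plus a deliberately slow KDF.
    The salt is stored right beside the digest; it is not a secret."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}
    return store


def verify_salted(store, user, candidate):
    """Login check: recompute with the stored salt and compare in constant time."""
    rec = store[user]
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(digest.hex(), rec["digest"])


def shared_digest_groups(digests):
    """Audit: users whose stored digests are identical. Any group larger than
    one means identical passwords are visible, i.e. the scheme is unsalted."""
    groups = defaultdict(list)
    for user, d in digests.items():
        groups[d].append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


def precomputed_table_hits(digests, wordlist):
    """Audit: which stored digests appear in a table built from plain SHA-256
    of a word list (steps 2 and 3 above). A salted store should score zero,
    because every digest now depends on a salt the table was not built with."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def audit():
    """Run both audits over both storage schemes and return the findings."""
    unsalted = store_unsalted(SAMPLE_USERS)
    salted = store_salted(SAMPLE_USERS)
    salted_digests = {u: r["digest"] for u, r in salted.items()}
    return {
        "unsalted_shared": shared_digest_groups(unsalted),
        "unsalted_hits": precomputed_table_hits(unsalted, SAMPLE_WORDLIST),
        "salted_shared": shared_digest_groups(salted_digests),
        "salted_hits": precomputed_table_hits(salted_digests, SAMPLE_WORDLIST),
        "salted_login_ok": verify_salted(salted, "bob", "hunter2"),
        "salted_login_bad": verify_salted(salted, "bob", "hunter3"),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

          Running it shows the unsalted store giving away that bob and carol share a password and matching both of them from a three-word table, while the salted store matches nothing and exposes no duplicates even though the salts sit in plain view in the same records. The iteration count is what addresses the "+)" case: each guess against a salted record costs a full PBKDF2 run, which is the property the comment's "special hash algorithms" are chosen for.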

      2. Tom Paine Silver badge

        Re: An observation - it is possible the passwords have been cracked

        Properly hashed passwords /can/ be hacked, but it takes a hell of a long time, even with a fancy GPU-packed dedicated rig. Check the Wikipedia article on Bcrypt.

    2. H in The Hague Silver badge

      Re: An observation - it is possible the passwords have been cracked

      "The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account."

      Had something like that happen with two old Yahoo accounts too - spam sent to contacts in my history. Fortunately I mostly used those to mail myself rather than others. When I checked the connection log in Yahoo it showed that the accounts had been accessed by some app, quite a while before the spam. The odd thing is, Yahoo normally warns you when the account is accessed from a new device or region, but didn't raise a warning in this case.

  15. Anonymous Coward
    Terminator

    Yahoo state-sponsored hack

    Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users

    Who is it that believes this and what evidence have they produced that the hack was state-sponsored?

    --

    you are now connected to the wireless network “WANK”

    1. VinceH

      Re: Yahoo state-sponsored hack

      "Who is it that believes this and what evidence have they produced that the hack was state-sponsored?"

      State sponsored is the new black. I suspect we'll see this line trotted out more and more - especially for larger companies and/or Overpuddlian ones (or those who are particularly significant or important over there).

      Consider how it appears to the man in the street when a company's security gets breached, and lots of customer data is nabbed:

      - If it's a lone spotty oik who has discovered they've left a gaping hole in their system, and exploited it, the company looks like it's run by idiots.

      - If it's claimed that it was a state sponsored attack, all of a sudden it sounds like lots of resources were used in getting past the company's defences, and it doesn't look quite so bad on them.

      (We, of course, realise that even if it is "state sponsored" it's probably still thanks to a gaping hole, and the company are run by idiots.)

      And there may be a TLA agenda that could be helped along by supposedly state sponsored breaches.

      See also: Sony and the Norks.

      Over here, TalkTalk are so utterly incompetent they didn't even think of it.

  16. inmypjs Silver badge

    What else was compromised?

    Might explain emails titled from xxxxx where xxxxx is someone I know which contain not much more than a link to a compromised website and an xxxxx@yahoo.com signature.

    At a glance they look like a friend sending a web link. The from address was the xxxxx@ the domain where the spam came from. Said friend told me he hadn't used the yahoo address in years.

    Seems his Yahoo address book or email history got leaked and was being used to lure his contacts to compromised web sites.

    I have had 3 such emails from 'him' now although the two later ones were only signed xxxxx.

    1. Mr Dogshit

      Re: What else was compromised?

      Yeah - I've received two of those, purporting to have come from two different people I know with Yahoo! accounts.

  17. Anonymous Coward

    How does this affect BT email addresses @btinternet.com which seem inextricably linked to @yahoo.com through webmail?

    1. Anonymous Coward

      I'm pretty sure BT stopped using yahoo to screw up their email a couple of years ago and decided they could do an equally poor job inhouse.

      1. Don Dumb
        Flame

        @AC - Nope, just checked and the banner at the top says "BT Yahoo! Mail"

        Nothing on the BT news site says anything about the Yahoo breach (quelle surprise) and I have had no email advising me whether I am affected. Obviously changed password anyway.

        Feel very much like I am paying for my laziness in getting off BT email.

      2. Dave_P

        BT still use Yahoo. Migration away stopped 2 years ago, with nothing to explain why. So half of the users are still with Yahoo, with the other half hosted with Openwave messaging - who themselves have a serious issue.

        The advice given to change password is simply not good enough in this case. The advice should be to change password AND change security questions and answers. This is because those security answers are required when users have forgotten their password. So hackers could still access the account by "forgetting" the password, answering the security questions and getting a changed password. This will then cut off the account holder.

        So all the stuff should be changed.

        What also isn't mentioned is if any contacts have also been stolen. If so all those people will and have got even more spam, some pretending to come from the compromised Yahoo account. This is actually happening, but sometimes the email comes "from" the hacked user, but with a different domain than Yahoo.

    2. David Gosnell

      Wondered that too about BT

      They were going to get shot of the hucksters, but nope, never happened. I will safely assume all email from BT accounts *may* be compromised (as, in fairness, I have come to assume of 75% of webmail).

      1. Kubla Cant Silver badge
        Unhappy

        Re: Wondered that too about BT

        I contacted BT Support to ask them how the Yahoo breach affected their email service. I wish I could say the reply was convincing.

        Me: What are the implications for BT email of the massive Yahoo data breach? Your site claims my account uses BT Mail, but your web mail page is titled "BT Yahoo", and it is served from a Yahoo domain: https://us-mg42.mail.yahoo.com.

        BT: Hello. I'm <name redacted>. Thanks for that information, I'll check it and get back to you in a moment.

        Me: Thank you

        BT: Your e-mail would be powered by Yahoo, so you have to use Yahoo page to login.

        Me: So what are the implications of the Yahoo data breach for me?

        BT: There is no data breach using Yahoo page, as it is secured.

        Me: The page may be secured, but Yahoo has just admitted they have been hacked. What is BT's position on this?

        BT: There is no such update for BT e-mails.

        BT: If there would be any we will update you through text

        Me: What does that mean? Have BT Yahoo email accounts been hacked or not?

        BT: No, they have been not. However, you can change your security question and answer, along with password for your e-mail.

        Me: Thank you

        1. Nifty

          Re: Wondered that too about BT

          As I was updating my security in Yahoo, it recommended I DISABLE the security questions as they are INSECURE. So I did, assuming I could come back later and change them. Wrong. The option to have security questions has now been disabled permanently. So the only reset option now is the alternate email address or a text to the phone. Puzzled.

          Plus, I thought I might change my DOB to a different one, why give it away with my name & email address to future hackers? But Yahoo does not allow this. Is it permanently baked into your Yahoo account?

        2. VinceH

          Re: Wondered that too about BT

          "I contacted BT Support to ask them how the Yahoo breach affected their email service. I wish I could say the reply was convincing."

          Sounds like you spoke to first line support, and he was at a complete loss when you took him off script.

        3. Anonymous Coward

          Re: Wondered that too about BT

          I've discovered that changing my @btinternet.com password generates a password change confirmation from my-yahoo-register@cc.yahoo-inc.com for the bt email address and states,

          "You can always change your password by doing the following:

          1. Sign in to your cobranded service

          2. Go to your Member Center

          3. Choose "Change Password""

          My partner changed her @yahoo.co.uk password and got confirmation from no-reply@cc.yahoo-inc.com, same domain. So BT Mail sounds like a white label service offered by yahoo and is very much at risk of being involved in the same hack, but I'm not an expert in such things and white label services could be segregated somehow but it's not worth taking a chance on my ignorance!

  18. batfastad

    So...

    So everyone still employed by Yahoo! at this stage may as well get their coats with the last person turning the lights off on their way out.

    Delaying this announcement for two years will have given any execs with a decent shareholding ample time to get rid.

  19. Anonymous Coward

    Yahoo had half a billion users ???

    Yeah Right....

    Nothing but a PR stunt....

    1. Don Dumb

      Re: Yahoo had half a billion users ???

      @AC "Yahoo had half a billion users ?"

      If you count all the companies they run email for (at least Sky and BT here in the UK) then they might well run 500m *accounts*.

      Naturally every account is assumed to be an active user because no one would have a redundant or dormant account.

  20. Anonymous Coward

    Must check my GeoCities page....

    Seriously?

    Yahoo!?

    Who even...

  21. Anonymous Coward

    "It was hot, the night we burned Yahoo. Out in the malls and plazas, moths were batting themselves to death against the neon, but in Bobby’s loft the only light came from a monitor screen and the green and red LEDs on the face of the matrix simulator. I knew every chip in Bobby’s simulator by heart; it..."

    "But that was two years ago"

    "Shut up and let me tell my story!"

  22. wolfetone

    In fairness to Yahoo!, I don't think they really thought they'd be around in 2 years time.

    However, why is it state sponsored? Where's the evidence? More than likely it'll be Russia, or Russia will be blamed.

    1. Anonymous Coward
      Anonymous Coward

      As others observed elsewhere in the thread, claiming hacks must be "state sponsored" is the new black because obviously your security is so good that it could only have been cracked with the resources of a nation state.

      And Yahoo!'s security can't *possibly* have been crappy enough to have been broken by regular, garden hackers from their bedrooms. No sir.

  23. MacroRodent Silver badge
    FAIL

    Change! your! Flickr! password!

    I'm sure not many people actually care about Yahoo email, but Yahoo also owns the popular Flickr photo-sharing site, and it is accessed with the same account! Hmm. Got to change my password there ASAP...

    Aha, the Flickr sign-in now even warns about it like this: Make sure your account is secure!

    To secure your account, change your password and update your mobile number.

    1. Lusty

      Re: Change! your! Flickr! password!

      If you're concerned by privacy, read the Flickr terms then close the account. Your password is irrelevant on that site since nothing you place there is yours anyway.

    2. Dan 55 Silver badge

      Re: Change! your! Flickr! password!

      "We've just been hacked. Please give us your phone number."

      Nope. Not before, not now, not ever.

  24. Paratrooping Parrot
    Mushroom

    Back in late 2015

    I had my Yahoo Mail address book hacked and so people in my address book had spam emails sent to them. I had created the password using Keepass then. I had to change my password again after that breach. Would this be related to the hack, or is this something else?

    1. Anonymous Coward
      Anonymous Coward

      Re: Back in late 2015

      Everybody I know who had a Yahoo account got hacked in 2014/15; Yahoo kept claiming it was poor security at our end, and that nothing was wrong at their end.

      Even then, the whole planet knew this was bullshit; my account had been unused for over 10 years, yet it was STILL hacked, NO WAY my password leaked, as I hadn't logged in since about 2004; hell, I couldn't even REMEMBER the password, it had been so long; if I could remember any of the details, I would close it, as it still faithfully forwards spam to one of my gmail accounts.

  25. Anonymous Coward
    Anonymous Coward

    Dilemma

    Use an online hosted email address or run your own server locally.

    With the first you have a dedicated team of paid people to maintain the service, sell your data and lie to you; with the second you may be on your own, hoping the attacks on new exploits discovered while you are sleeping/on holiday are not used.

    I can't help feeling there needs to be* a tiny mail proxy box that looks to the outside world like an email server but has extremely limited scope to data and zero access to address book or old email, that way you can get the email but a compromise doesn't give access to your stuff. The real email can be a separate box/VM with limited access times and much handshaking.

    I hate putting servers (or even private NAS) online to make use of some service, anything on the net is a target, not just that service all of it.

    *I assume it exists but await the name(s)

    1. Charles 9 Silver badge

      Re: Dilemma

      The trouble is that it's a dilemma. With the first, you MAY have a crack team running the place...or you could have a bunch of idiots who couldn't be asked to fix a breach on a weekend. With the second, when something happens, you can nip on down yourself and work on it...if you have the time and wherewithal to do it.

      As for limiting scope, guess what's one of the hottest things in the exploit trade? Privilege escalation. With them, it doesn't matter how limited the entry point is, it becomes like the proverbial foot in the door: all they need to bust the pinata wide open no matter how hard you set things up. Use a VM? Red Pill. Separated machines? Gather credentials then traverse the intranet. Quite simply, if there's a door, someone can kick it down, and because physical presence is not required unlike your front door, everyone's going to come knocking eventually.

      I frankly think this'll come to a head and start asking existential questions about the Internet: questions about whether or not we need to start over using a whole different model of statefulness and (dis)trust. Kinda like how open season eventually gives way to necessary regulation.

    2. Doctor Syntax Silver badge

      Re: Dilemma

      "Use an online hosted email address or run your own server locally."

      There's a range of options. One is to use a small, specialist hoster. Unless it's the sort of thing you do for a living yourself they're going to be better at securing things themselves (see Charles 9's post above) and small enough to care - it's their livelihood.

      1. Anonymous Coward
        Anonymous Coward

        Re: Dilemma

        The privilege escalation was part of my point: have something really simple at the gate so there are not two hundred libraries to secure. It does one thing: it buffers text files coming in and has no access to anything else most of the time. When you want to empty the buffer you open a link through a firewall to it and accept only specific email type stuff, then send the clear flag.

        Part of the reason escalation is worth using is that there will be routes to juicy stuff behind the first point of call; if the first point is really well stripped down and has no access further up the chain except in short, well controlled (AV filtered) windows then it's less worth the hassle. Currently we are meant to hang Windows servers out for email, really like all that complexity to do what is basically move text files from one IP to another. Want to update the server? Without a mail fall-back you will bounce email, but have a small buffer in front and things still get saved.

        I know comments like this are pointless because 99% of replies on public forums are "we don't do it like that", the people embracing ideas are off doing other stuff.

        1. Charles 9 Silver badge

          Re: Dilemma

          But then you just pwn the GATE. Or just end-run around it and find a way to attack a kernel-level process, if not the kernel itself.

    3. Vic

      Re: Dilemma

      I can't help feeling there needs to be* a tiny mail proxy box that looks to the outside world like an email server but has extremely limited scope to data and zero access to address book or old email

      That rapidly becomes a spam sewer. If it has no access to anything else, it must accept any email that passes cursory checking - i.e. you can't test against valid addresses, context rules, that sort of thing. Having accepted that mail, you then have to do something with it - so you either deliver spam to your users, or you bounce it. And that makes you a vector for a reflection attack...

      Vic.
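The stripped-down buffer box proposed two comments up and Vic's spam-sewer objection can be put side by side in a small model. The Python below is an added example, not code from the thread or from any product: it runs the same constructed sample traffic through a gate that knows nothing about users (so it must accept anything that looks like mail and bounce the misdeliveries later) and through a gate that has been handed a list of hashed valid recipient addresses (an assumption of this example, one way to let it refuse unknown recipients during the SMTP dialogue without holding the address book). The users, addresses, size limit and messages are all constructed.

```python
"""Toy model of the stripped-down mail gate discussed above (added example)."""
import hashlib
from dataclasses import dataclass, field
from email import message_from_string

MAX_MESSAGE_BYTES = 64 * 1024  # constructed limit for the toy gate


@dataclass(frozen=True)
class Envelope:
    mail_from: str  # SMTP MAIL FROM: trivially forged, which is what makes bounces dangerous
    rcpt_to: str    # SMTP RCPT TO
    data: str       # the message text handed over after DATA


@dataclass
class Outcome:
    buffered: list = field(default_factory=list)     # accepted and written to the gate's buffer
    rejected: list = field(default_factory=list)     # refused with a 5xx during the SMTP dialogue
    delivered: list = field(default_factory=list)    # handed to the inner mailbox when the buffer is drained
    backscatter: list = field(default_factory=list)  # bounces the gate must send to MAIL FROM after accepting


def address_hash(addr):
    """Hash of a normalised address. This only keeps the plain address list off the
    gate; with guessable local parts it is no secret, so treat it as scope reduction,
    not confidentiality."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def looks_like_mail(data):
    """The cursory check a gate can do with no knowledge of its users: size and the
    presence of the basic headers. Spam passes this easily."""
    if len(data.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return False
    msg = message_from_string(data)
    return msg["From"] is not None and msg["To"] is not None and msg["Subject"] is not None


def smtp_phase(envelopes, valid_rcpt_hashes=None):
    """The gate's side of the SMTP dialogue. With valid_rcpt_hashes=None it knows
    nothing about users and must accept everything that passes looks_like_mail."""
    out = Outcome()
    for env in envelopes:
        if not looks_like_mail(env.data):
            out.rejected.append((env, "550 5.6.0 message content rejected"))
        elif valid_rcpt_hashes is not None and address_hash(env.rcpt_to) not in valid_rcpt_hashes:
            out.rejected.append((env, "550 5.1.1 user unknown"))  # refused before acceptance: no bounce
        else:
            out.buffered.append(env)
    return out


def drain_phase(out, inner_users):
    """Opened briefly from the inside. Only now does anything know who exists, so a
    message accepted for a non-user can only be bounced to the (forged) MAIL FROM."""
    for env in out.buffered:
        if env.rcpt_to.strip().lower() in inner_users:
            out.delivered.append(env)
        else:
            out.backscatter.append((env.mail_from, env.rcpt_to))
    return out


def run_gate(envelopes, inner_users, publish_recipient_hashes):
    hashes = {address_hash(u) for u in inner_users} if publish_recipient_hashes else None
    return drain_phase(smtp_phase(envelopes, hashes), inner_users)


# Constructed sample data: two real users and a handful of inbound envelopes.
INNER_USERS = {"alice@example.org", "bob@example.org"}


def make_message(sender, rcpt, subject, body):
    return f"From: {sender}\r\nTo: {rcpt}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


SAMPLE_TRAFFIC = [
    Envelope("carol@example.net", "alice@example.org",
             make_message("carol@example.net", "alice@example.org", "Lunch?", "12:30 at the usual place.")),
    # Dictionary spam at guessed local parts, MAIL FROM forged to an uninvolved third party.
    Envelope("victim@example.com", "zzz@example.org",
             make_message("deals@spam.example", "zzz@example.org", "Buy now", "Limited offer!")),
    Envelope("victim@example.com", "sales@example.org",
             make_message("deals@spam.example", "sales@example.org", "Buy now", "Limited offer!")),
    # Not a mail message at all; fails the cursory check under either policy.
    Envelope("x@example.net", "bob@example.org", "GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for publish in (False, True):
        o = run_gate(SAMPLE_TRAFFIC, INNER_USERS, publish)
        print(f"recipient hashes on gate={publish}: delivered={len(o.delivered)} "
              f"rejected={len(o.rejected)} backscatter={len(o.backscatter)}")
```

With no recipient knowledge the gate delivers the one legitimate message but emits two bounces to victim@example.com, who never sent anything; with the hash list it refuses the same two envelopes at RCPT TO and produces no backscatter, at the cost of giving the gate a (hashed, and for short local parts easily guessed) view of who exists.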

  26. Lusty
    Facepalm

    Accounts != users

    500M accounts might be one enthusiastic user...

    1. David Pollard

      Re: Accounts != users

      He/she would have very sore fingers.

  27. Anonymous Coward
    Anonymous Coward

    Hackers strongly believed to be state-sponsored

    this seems like a perfect excuse these days: our valuable customers! We can protect you from teenage ninja hackers, but THAT is believed to be a work of a State-Sponsored Agency, and as you know, some World-Renowned Agencies can go to ANY lengths. We can not name them at this stage, nudge-nudge, wink-wink, but we're awfully sorry we couldn't protect your details as we promised, sorry! No, really, we ARE sorry, and now f... off!

  28. Andrew Moore
    Coat

    Main suspects...

    the Houyhnhnms.

  29. Halfmad Silver badge

    So state sponsored eh?

    Or more likely the FBI told Yahoo it had been hacked, I very much doubt Yahoo spotted it themselves.

  30. lansalot

    I was surprised to find I had a Yahoo account - it looks like it went over when I registered for flickr years ago.

    Logged in to find an inbox that was full of nothing but incredibly-obvious spam. So their spam filters suck for sure. Oh, and the page design... it was like a teenager's Myspace page.. :(

  31. Mr Dogshit

    Why the bitching?

    1. Why are you all bitching about people who sign up for a freebie webmail account having to provide an actual phone number? Surely by doing so, that prevents spammers and scammers from creating countless accounts?

    2. Why use a crappy free webmail service anyway? I pay $3.33 a month for a proper service, which includes 4 GB of email space, 8GB document storage and IMAP.

  32. groovyf

    What's really frustrating is the inability to delete user accounts on sites. Generally, there's no way to delete your online account from a system.

    Modaco were breached, and I was notified earlier this week from haveibeenpwned.

    I've not logged-on/used their forums for a good few years so had forgotten about the account - again, there's no way to remove the account, (though they did state in an informational post that you could email them to ask them to delete it).

  33. David Pollard

    Sad for Freegle and Freecycle

    Local Freegle and Freecycle groups do a grand job of recycling a whole lot of unwanted kit, thus steering lots of items towards further use rather than landfill. Although not perfect, Yahoo Groups hosts them both and it would be a shame if this hacking were to put people off using them.

  34. Anonymous Coward
    Anonymous Coward

    Nice timing.

    Any word when someone in western government is going to say we could prevent this sort of thing by monitoring all your internets?

  35. Anonymous Coward
    Anonymous Coward

    500,000,000 Yahoo users..

    In the words of Victor Meldrew, 'I don't believe it'

    For sure, the Execs knew, that's why they held off the announcement for 2 YEARS!!!

    Secrets, Lies and Bullshit in order to get their final bonus..

  36. andy 103 Silver badge

    Who still uses Yahoo?!

    500 million account details stolen.

    Not to worry since 499 million were likely inactive / historical accounts!

  37. fidodogbreath Silver badge
    Facepalm

    Even old accounts can have value

    just over half of Vulture West staff have a Yahoo! account but [...] none of us have used it in the last year

    Abandoned and disused accounts can still be valuable to hackers -- maybe more valuable than active ones, since no one is paying attention to them. They're chock full of contact lists, website registrations, bank alerts (you might not use Yahoo anymore, but probably still use the same bank), etc.

    That dusty old Yahoo address might be the recovery email for your Gmail account. It might have new-account confirmation emails that contain passwords and security questions/answers that you've re-used on multiple sites. Or the sexy emails from that person you "met" at that trade show in 2012, but somehow forgot to mention to your spouse. The list could go on.

    As has been mentioned above, some ISPs outsource their email to Yahoo. Cracking those hashed Yahoo passwords could get hackers into those users' ISP accounts, which contain real PII.

    So don't be too smug, ex-Yahoo users. This could still bite you in the ass.

  38. Ilsa Loving

    How many active?

    And of those 500 million accounts, I'm guessing about 25 were still in active use?

  39. Anonymous Coward
    Anonymous Coward

    I am staying with Yahoo

    "names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted."

    Hmm, my yahoo e-mail address is already in the public domain on account of me giving it to other people so that they can e-mail me. If you know my name (which is in my e-mail address), then getting my DOB isn't too difficult; but that was my bad, not Yahoo's.

    Are anybody's e-mail providers safe? Fact is, if you want to do anything online you need e-mail, and I think yahoo are as on the ball as anyone when it comes to security, so I'm staying with them.

  40. spiny norman

    Security?

    Having seen this on the news I logged into yahoo.co.uk to change my password, to be told by the ever helpful Firefox that they don't have a valid certificate for https://uk.mg40.mail.yahoo.com. Fortunately I only use it to soak up junk mail from Facebook and LinkedIn, so I guess it doesn't matter that much.

  41. JJKing Silver badge
    Facepalm

    Didn't yahoo make everyone change their password in the past year?

    I copied and pasted my old password into the New Password box and Yahoo email was quite happy to accept it. Wonderful security. My Yahoo account is 20 years old and while I don't use it much I do prefer their interface to that abortion Gmail uses.

    Guess I really should change the password to something different, after all a password should not be 20 years old too. But then again, I only use that password on that site, in fact every site I logon to has a unique password. I'm old so I have an excuse to be stupid and lazy.
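JJKing's experience, a password change that accepts the old password as the new one, is a check a service can make even though it stores only salted hashes: the candidate is re-hashed under each stored salt and compared, so no old password ever needs to exist in the clear. The Python below is an added example, not Yahoo's code or anything posted in the thread; the PBKDF2 parameters, the five-entry history window and the sample passwords are constructed.

```python
"""Password change that refuses reuse while storing only salted hashes (added example)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed value; a real deployment tunes this or uses argon2/bcrypt


def hash_password(password, salt=None):
    """Return (salt, digest) with a fresh random salt per stored hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate against one stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Keeps the hash in force plus the last few retired ones, nothing in the clear."""

    def __init__(self, password, remember=5):
        self.remember = remember              # constructed policy: hashes kept, current included
        self.hashes = [hash_password(password)]  # index 0 is the hash in force

    def check_login(self, password):
        salt, digest = self.hashes[0]
        return verify_password(password, salt, digest)

    def change_password(self, current_password, new_password):
        # Require the current password so a hijacked session alone cannot rotate the lock.
        if not self.check_login(current_password):
            return "rejected: current password wrong"
        # Reuse test: re-hash the candidate under every stored salt; a match anywhere
        # in the window (including index 0, the same-password case) is refused.
        if any(verify_password(new_password, salt, digest) for salt, digest in self.hashes):
            return "rejected: matches a recent password"
        self.hashes.insert(0, hash_password(new_password))
        del self.hashes[self.remember:]  # forget the oldest beyond the window
        return "changed"


if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    print(acct.change_password("correct horse battery staple", "correct horse battery staple"))
    print(acct.change_password("correct horse battery staple", "Tr0ub4dor&3"))
    print(acct.change_password("Tr0ub4dor&3", "correct horse battery staple"))
```

The cost of the history check is one PBKDF2 run per stored hash, which is why the window is kept short; the per-hash salt also means the stored list cannot be compared hash-to-hash, only by re-deriving from the candidate.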

  42. CbD1234567890

    Another posthumous compliment for yahoo

    Apart from the huge list of "compliments" - including destroying a bunch of other working companies and giving its failure of a CEO the biggest bonus of her lifetime... Notice how this came to light AFTER the Verizon deal.

    Naturally if it did come out before, V would have bought them for nothing more than 25 cents. And who wants a 25 cent company that pays $40 million to its CEO???

    Ans: Verizon!! (you thought this was gonna be "Yahoo" didn't you :P)

    1. Charles 9 Silver badge

      Re: Another posthumous compliment for yahoo

      Thing is, the deal wasn't CLOSED yet (the deal has been declared but not tendered), so by doing this now they've practically torpedoed the deal, as Verizon IINM is still in a position to back out. Because both companies are public, the deal also has to be cleared by the SEC as well. Indeed, withholding the breach for as long as this could run afoul of disclosure and fiduciary duty laws.

  43. Anonymous Coward
    FAIL

    BT

    At the risk of beating a dead horse, BT has posted this on their website,

    " At BT, we take the security of our customers’ data and information extremely seriously.

    You may have seen that overnight Yahoo! announced that a copy of certain user account information was stolen from its company’s network in late 2014. Yahoo! is the provider of some of BT’s customers' email accounts and we are urgently investigating this with them.

    If you were a BT Yahoo email account holder in 2014 and haven’t reset your password since then, as a precaution we advise that you change your passwords online and follow good password management practices."

    So most likely BT's yahoo provided accounts are compromised too. I'm off to find someone else to host my email.

Biting the hand that feeds IT © 1998–2020