Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! 'just!' 1bn!

With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide. In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the …

  1. Len Silver badge
    Holmes

    How did they get to 3 billion accounts?

    Considering Yahoo was never really that big outside the US, how did they amass 3 billion accounts? Many dormant accounts?

    1. Youngone Silver badge

      Re: How did they get to 3 billion accounts?

      I suspect they had that many accounts because they hosted email for others.

      My ISP-supplied email account was actually hosted by Yahoo! until this breach happened; they have since brought their email system home, which is nice.

      At the time they forced users to change their password also. I guess they didn't believe Yahoo!'s assurances that it was only "some" accounts.

    2. Mark 85 Silver badge

      Re: How did they get to 3 billion accounts?

      Easy answer to the 3 billion question... many of us had throw away accounts there. I had 5 and lost all 5 so I created 5 new ones that so far haven't been "attacked" as far as I know. The first 5 had their passwords changed by the miscreants and luckily, all 5 were clear of any emails. I generally check them daily and delete any email since like I said... throwaways.

    3. Version 1.0 Silver badge

      Re: How did they get to 3 billion accounts?

      At one time Yahoo provided email services to AT&T and all AT&T email accounts were directed to Yahoo - I'm sure that's changed now but when the accounts were migrated did anyone change their passwords?

      1. Snapper

        Re: How did they get to 3 billion accounts?

        Also BT in the UK.

        1. Archtech Silver badge

          Re: How did they get to 3 billion accounts?

          "Also BT in the UK".

          Why am I not surprised to learn this?

          Depressed. Deeply, very deeply, dreadfully deeply depressed. But not surprised.

          1. katrinab Silver badge

            Re: How did they get to 3 billion accounts?

            TalkTalk manage their own email. Does that make them any better?

            I still have a @lineone.net address from the days when you accessed the internet by paying 3p per minute for a dial-up phone call. It still works, to usual TalkTalk levels of reliability, even though I left them about 20 years ago.

          2. Anonymous Coward

            Re: How did they get to 3 billion accounts?

            I know (as one personally affected) that for the original BT consumer email accounts, BT insisted you had to confirm your home address (which they had automatically lifted from your phone a/c), mother's maiden name and date of birth. BT then facilitated sharing of these details with Yahoo when we were shifted (or should that be shafted) to the Yahoo service but both failed to make sure they were kept securely enough.

            Once home address, mother's maiden name and date of birth are out there together in a nice package, you are ripe for identity theft. One attempt with my info involved a bank loan using my credentials but with a slightly different address (an empty house down the road).

            The loan was approved subject to paperwork being signed and returned. Fortunately the friendly postman who knew us delivered the paperwork to my real address (seeing my name and initials).

            You wouldn't credit (pardon the pun) how uninterested the bank concerned seemed to be.

            After the last attempt to shift us BT Yahoo mugs to a different but cheaper-for-BT outsourced service failed miserably (surprise), it looks like millions of BT suckers are stuck with Yahoo for ever. "Yahoo!" or should that be "Oh Fcuk!"

      2. WolfFan Silver badge

        Re: How did they get to 3 billion accounts?

        At one time Yahoo provided email services to AT&T and all AT&T email accounts were directed to Yahoo - I'm sure that's changed now but when the accounts were migrated did anyone change their passwords?

        Ah... no. Yahoo still provides email services to AT&T, despite now being owned by Verizon. AT&T's level of incompetence is approached only by Comcast, Times-Warner, BT, Verizon and Sprint, and exceeded only by Yahoo and perhaps Talk-Talk. Hmm. Wait. Yahoo is now part of Verizon. Oh, my.

        1. Archtech Silver badge

          Re: How did they get to 3 billion accounts?

          Incompetence grows exponentially with scale.

    4. Anonymous Coward

      Re: How did they get to 3 billion accounts?

      2.75 billion were spammers.

    5. katrinab Silver badge

      Re: How did they get to 3 billion accounts?

      They were / possibly still are the market leader in Japan.

      Back then, they were the biggest email provider, slightly ahead of Hotmail. Gmail may have overtaken them now.

      Also, a lot of people have more than one account. For example sexylegs69@... might be a good choice for signing up for dating sites, but not for signing up with recruitment agents.

    6. arctic_haze Silver badge

      Re: How did they get to 3 billion accounts?

      They had a plus/minus system of rating comments in their discussion fora. Therefore trolls and spammers needed tens of accounts to stay above zero.

  2. John Brown (no body) Silver badge
    Angel

    considerably biggest discount.

    considerably! biggest biggly! discount!

    FTFY, no charge.

    1. Notas Badoff

      Re: considerably biggest discount.

      considerably enbiggened enbuggered overpayment.

    2. Nolveys Silver badge

      Re: considerably biggest discount.

      Biggest discount...

      Current asking price is negative three bucks. Or you can have it for free and we will throw in this sandwich.

      1. hplasm Silver badge
        Happy

        Re: considerably biggest discount.

        Or you can have it for free and we will throw in this sandwich list of user accounts.

        1. Archtech Silver badge

          Re: considerably biggest discount.

          "Or you can have it for free and we will throw in this sandwich list of user accounts".

          But bring along a fleet of trucks, because the list weighs 7561 tons.

      2. Uncle Slacky Silver badge
        Thumb Up

        Re: considerably biggest discount.

        <Zoidberg>Once again the sandwich-heavy portfolio pays off for the hungry investor!</Zoidberg>

  3. Lorribot

    I believe that BT Internet and Yahoo were linked in some way, can't recall details but defo my btinternet.net email was with Yahoo, and I suspect other ISPs may have been providing email accounts through Yahoo. Plus when do you delete a user account when the number of accounts is how you measure/boast how big you are? Plus all those spam mailboxes that got created in the 90s but not deleted, 3 Billion accounts or email addresses is a possibility, but there were only probably 1 billion real users, and only 30 active ones.

    1. Florida1920 Silver badge

      I believe that BT Internet and Yahoo were linked in some way

      AT&T moved their Internet service customers over to Yahoo at some point, too, but the @att.com email address still worked. Yahoo merely provided the "service." That might include SBC and any other companies AT&T gobbled up.

    2. TechnicalBen Silver badge

      BT's old Email, and currently Sky...

      Older BT emails are still stuck on Yahoo (AFAIK) and Sky still uses them?

  4. TReko

    Destroying value

    It is a pity there is no way to claw back the $55 million Marissa got.

    Still in the scheme of value destruction her predecessors were worse.

    1. Mikel

      Re: Destroying value

      She has her detractors, but shareholders fared pretty well under her.

      1. Robert Grant

        Re: Destroying value

        One of her predecessors invested in Alibaba, which came to fruition to the tune of $1B, which she frittered away. While Yahoo was already on the ropes when she joined, she was not a good CEO - turning around a business when you have a billion dollars at your disposal is definitely not hard mode.

        1. Naselus

          Re: Destroying value

          Yeah, Yahoo stock more or less doubled under Mayer, but pretty much all of that was down to the Alibaba holding - if you take it out of the equation, Mayer had almost no impact whatsoever. In fact, Yahoo shares became a direct proxy for Alibaba fairly early during her tenure, which implies that the market didn't think her decisions would have any measurable effect on anything - or that Yahoo under Mayer was going to do anything valuable by itself, either.

      2. Stevie Silver badge

        Re: She has her detractors, but shareholders fared pretty well under her.

        How about now?

        I thought record levels of remuneration were because of assumed risk of being thrown to the dogs in the event of malfeasance. This level of "mis-statement" of the company's vulnerability to litigation would seem to invite criminal investigation.

  5. Rob D.
    FAIL

    Porridge

    Unfortunately this level of compromise, linked with stupid security failings like poor password hashing or improperly stored personal data or lack of investment in reasonable protection, is always going to happen until significant jail time is available and targeted at the executive levels. Bit like SOX compliance - as soon as the threat of felony convictions appeared in the US, proper auditing suddenly became de rigueur.

    1. Darth.0

      Re: Porridge

      is always going to happen until significant jail time is available and targeted at the executive levels.

      is always going to happen until significant jail time is mandatory and targeted at the executive levels.

      Fixed it for you.

    2. Zippy's Sausage Factory

      Re: Porridge

      Speaking of SOX, wonder whether that's another bit of "red tape" Trump wants to eliminate.

      1. Aitor 1 Silver badge

        Re: Porridge

        SOX is actually bad for security, as interpreted by beancounters and lawyers.

    3. Stevie Silver badge

      Re: Porridge

      No doubt Yahoo! had retained the services of a number of former Volkswagen computer specialists who followed their historically-established nefarious criminal urges when it came to designing the data security measures.

  6. Lysenko

    Oath...

    a profane or offensive expression used to express anger or other strong emotions.

    An uncharacteristic outbreak of factual accuracy from the branding strategists...

    1. Alister Silver badge

      Re: Oath...

      However, consider the other meaning...

      a solemn promise, often invoking a divine witness, regarding one's future action or behaviour.

      Yeah, they didn't stick to that, did they?

      1. Hans 1 Silver badge
        Coffee/keyboard

        Re: Oath...

        a solemn promise, often invoking a divine witness

  7. Anonymous Coward

    Yahoo!

    Is still a thing?

    1. hplasm Silver badge
      Headmaster

      Re: Yahoo!

      Is still a thing?

      Yahoo. Noun: a rude, noisy, or violent person. One who is paid $55M to drag a company down.

  8. chivo243 Silver badge
    Devil

    I doubt

    I wouldn't be smiling (ever) if the company I was leading had such a massive fail. Marissa must be heavily medicated when she's photographed, or thinking of that awesome golden parachute?

    1. Archtech Silver badge

      Re: I doubt

      psychopath

      n noun a person suffering from chronic mental disorder with abnormal or violent social behaviour.

      DERIVATIVES

      psychopathic adjective

      psychopathically adverb

  9. Anonymous Coward

    Marissa Mayer laughed all the way to the bank

    with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring.

    Perhaps that challenge will take the form of shareholders challenging that remuneration in the light of the new evidence that has emerged.

    1. Anonymous Coward

      Re: Marissa Mayer laughed all the way to the bank

      Who in their right mind would let her anywhere near the levers of power now?

      Guess stopping people working from home and changing the angle of the exclamation mark didn't work as hoped, eh?

      1. Naselus

        Re: Marissa Mayer laughed all the way to the bank

        "Who in their right mind would let her anywhere near the levers of power now?"

        Hewlett Packard Enterprises

        1. Doctor Syntax Silver badge

          Re: Marissa Mayer laughed all the way to the bank

          "Hewlett Packard Enterprises"

          Fails on "in right mind".

      2. Archtech Silver badge

        Re: Marissa Mayer laughed all the way to the bank

        "Who in their right mind would let her anywhere near the levers of power now?"

        Er, have you noticed who is holding the levers of power that control the USA - and hence all our lives?

  10. Destroy All Monsters Silver badge

    Blimey!

    recently obtained new intelligence

    An additional 15 IQ points?

  11. herman Silver badge

    It sounds familiar, like AOhell

    Ya who?

    Is anyone still using them?

    1. Pompous Git Silver badge

      Re: It sounds familiar, like AOhell

      "Ya who?

      Is anyone still using them?"

      They were useful when I participated in some group discussions. Then I got locked out. I don't know the correct answers to my secret questions... apparently. Maybe this stuff-up explains that.

  12. Ian Emery Silver badge

    Once again

    I will mention, as I did for the previous stories about the estimates on account breaches; that at the time I suggested they were lying, as EVERYONE I knew with a Yahoo account had it hacked back in 2013.

    I STILL get relayed emails from my old account, even though I lost control of it at the time; and at no point have I ever received an email from Yahoo telling me that my account had been hacked.

    I suggest it isn't a case of "just found out", but more "we have just been found out".

    1. Archtech Silver badge

      Re: Once again

      'I suggest it isn't a case of "just found out", but more "we have just been found out"'.

      In executive circles, I believe those are synonymous.

  13. Anonymous Coward

    Et tu Equifax....

    Mmmmm....Hackers had access to Equifax systems from March to July. Who actually believes that only a portion of Equifax's data was taken. Given the five months it is more believable that all 920 million personal credit records and 91 million company records have been taken.

    1. Hans 1 Silver badge
      Joke

      Re: Et toi Equifax....

      Mmmmm....Hackers had access to Equifax systems from March to July. Who actually believes that only a portion of Equifax's data was taken. Given the five months it is more believable that all 920 million personal credit records and 91 million company records have been taken.

      The hackers had a capped internet connection, could not download more ;-)

      1. Naselus

        Re: Et toi Equifax....

        "The hackers had a capped internet connection, could not download more ;-)"

        You may be joking, but this is actually more or less right. The hackers knew what they were doing, and so will have throttled the data extraction to avoid producing a tell-tale traffic increase. It's not uncommon for extraction to occur at <10kb/s across several months to avoid detection.
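An added illustration of the detection side of the throttling described in the comment above; it is not part of the original thread. It compares a per-day rate threshold with a long-window cumulative check over constructed daily egress totals. Host names, documentation-range addresses, the 8 kB/s trickle and all thresholds are assumptions.

```python
from collections import defaultdict

SECONDS_PER_DAY = 86_400


def build_sample_flows(days=90):
    """Constructed daily egress totals as (day, src, dst, bytes_out)."""
    flows = []
    for day in range(days):
        # Steady trickle at an assumed 8 kB/s, never bursting.
        flows.append((day, "db01", "203.0.113.50", 8_000 * SECONDS_PER_DAY))
        # Small routine traffic, e.g. update checks.
        flows.append((day, "db01", "198.51.100.7", 20_000_000))
        # Weekly off-site backup: one large burst every seventh day.
        if day % 7 == 0:
            flows.append((day, "web01", "198.51.100.20", 400 * 10**9))
    return flows


def spike_alerts(flows, max_avg_rate=1_000_000):
    """Flag (src, dst) pairs whose average rate on any single day exceeds
    max_avg_rate bytes/s. This is the check a throttled transfer stays under."""
    return {(src, dst) for _, src, dst, sent in flows
            if sent / SECONDS_PER_DAY > max_avg_rate}


def slow_exfil_alerts(flows, window_days=90, min_total=10 * 10**9,
                      min_active_ratio=0.9):
    """Flag pairs that were active on most days of the window and moved a
    large cumulative volume, however low the daily rate was."""
    last_day = max(day for day, *_ in flows)
    totals = defaultdict(int)
    active_days = defaultdict(set)
    for day, src, dst, sent in flows:
        if day > last_day - window_days and sent > 0:
            totals[(src, dst)] += sent
            active_days[(src, dst)].add(day)
    return {pair: total for pair, total in totals.items()
            if total >= min_total
            and len(active_days[pair]) / window_days >= min_active_ratio}


if __name__ == "__main__":
    flows = build_sample_flows()
    print("spike detector:", spike_alerts(flows))
    for pair, total in slow_exfil_alerts(flows).items():
        print("long-window detector:", pair, f"{total / 10**9:.1f} GB")
```

On this sample the rate threshold only flags the weekly backup, while the cumulative check surfaces the quiet destination that received about 62 GB over the window.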

  14. Anonymous Coward

    What it would be like to be a CEO...

    ...when your company has a major cock up, instead of being fired as happens to the minions below you, you just get asked to "retire" instead for $55 million.

  15. TechnicalBen Silver badge

    Unable to collaborate myself...

    The only reason I did not know for certain that all Yahoo users were hacked... is I was not able to ask all of them.

    All of those I know (and even my own accounts), showed signs of strange actions/hack/attempts. Such as password resets (normal if someone tries) and occasional failed delivery attempts (that could have been false headers on someone else's email)... so I was unable to confirm, but was suspicious that someone had had an attempt at sending out emails from my account.

    That and I know a lot of people whose accounts were "hacked" and needed to change passwords.

    1. Jamie Jones Silver badge

      Re: Unable to collaborate myself...

      Not having your account access doesn't mean anything - if the details from 6 billion accounts were exposed, you can be sure at least one or two will be ignored!

  16. unwarranted triumphalism

    The thing with the exclamation marks was never funny. Cut it out.

    1. Doctor Syntax Silver badge

      "The thing with the exclamation marks was never funny."

      Funny, no; scornful, yes.

  17. Milton Silver badge

    Mayer; Yahoo; riddance

    Mayer; Yahoo; riddance. In a good world, we'll never hear either of those names, and their wretched association with greed, deceit and towering incompetence, ever again.

  18. jonfr

    Flickr accounts connect to Yahoo! emails

    Yahoo! forced everyone on Flickr to use a Yahoo! email account. I have a Flickr account and I had to use a Yahoo! email account after some date (around 2013) and I was unable to use my normal email account at the time. I just set it up, saved the password and never used the Yahoo! email account for anything.

  19. Anonymous Coward

    re Equifax needs a new CEO

    likewise, Ueber UK, I hear. Plenty of opportunities for high-class failures to merge (and re-emerge)

  20. Stevie Silver badge

    Bah!

    "The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information."

    Two months from now: "There was a misprint in our last public statement regarding the one three billion compromised user accounts. The word "not" should be removed from between "did" and "include". Oath Shredded Foot Inc sincerely regrets the error."

  21. Howard Hanek Bronze badge
    Linux

    On sale at the Canton Fair.....

  22. Slx

    People still have Yahoo! accounts?!

  23. ecofeco Silver badge

    Who else is lying about their data breach?

    Now you have to ask yourself, just who else is lying about their data thefts?

    Trick question: all of them

  24. Anonymous Coward

    Yahoo Groups

    Yahoo began in the kinder, gentler, days of the internet, and unfortunately secure web programming practices clearly weren’t on their mind. However, to have failed to have monitored, tested and updated their systems to ensure that they kept up to date with security best practices is unforgivable.

    But I still have a small fond spot for Yahoo because of the Yahoo Groups mailing list hosting service, which really was a great service for many groups and organisations back in the days of dialup, when every minute online cost you money (and monopolised your phone line). However, the user base of those groups has gradually trickled over to web forums and, apart from Flickr (which was an acquisition rather than an in-house service) Yahoo didn’t really seem to find a niche after broadband arrived.

    A bit of a shame for one of the web pioneers: with some forethought, and with technically competent management (and, hopefully, rather less evil), Yahoo could somehow still have been where Google are now...

  25. Spacedinvader
    FAIL

    <i>!</i>

    Again, with the lazy headline writing. Either do it right or stop!!


Biting the hand that feeds IT © 1998–2019