Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world's largest ever computer security breaches. Now known as Altaba following its long, slow and painful descent in irrelevance, Yahoo! knew that its entire user database – including …

  1. Anonymous Coward

    How about fining BT for also failing to disclose the breach.

    BT quietly dropped Yahoo mail in Spring 2014, just stating they were switching BT customers over to BT Mail, without ever informing their users that it was likely a breach of their data had taken place.

    All the signs seem to indicate BT knew, but didn't disclose.

    As always, BT's cosy 'Fcuk buddy' Ofcom should investigate, but don't hold your breath.

    Also Ofcom, maybe look at BTRetail via BTOpenreach double charging line rental on the migration day between providers, it's only £0.63, but per customer that's more than anyone has paid in fines for this.

    1. Anonymous Coward

      Re: How about fining BT for also failing to disclose the breach.

      "Yahoo! Mail relaunched and revamped itself. Will anyone care?"

      Great for throwaway email accounts for scammers etc. For anything that matters, presumably outlook.com / hotmail will remain the destination of choice.

      1. Jove Bronze badge

        Re: How about fining BT for also failing to disclose the breach.

        http://www.theregister.co.uk/2014/03/13/bt_likely_to_have_breached_data_protection_act_after_email_accounts_were_allegedly_compromised_over_http_and_details_kept_in_log_files/

        https://www.zdnet.com/article/bt-dumps-yahoo-mail-after-account-hijack-claims/

    2. Doctor Syntax Silver badge

      Re: How about fining BT for also failing to disclose the breach.

      "As always, BT's cosy 'Fcuk buddy' Ofcom should investigate, but don't hold your breath."

      Wrong regulator. If it was a breach of personal data then it's ICO business.

      1. Anonymous Coward

        Re: How about fining BT for also failing to disclose the breach.

        "Wrong regulator. If it was a breach of personal data then it's ICO business"

        And the first response if you raised this as an official complaint, from the ICO would be "Have you contacted Ofcom?"

        We both know the first point of contact would be Ofcom, who should refer the matter to the ICO themselves. You're just being somewhat facetious.

        Personally, my own experience is these regulators (including the Ombudsman*) play one off the other to close down any complaints that might make Ofcom / ICO look bad.

        *Ombudsman Services close down any complaints seen to criticise Ofcom/Ofgem, because it's Ofcom/Ofgem that signs off Ombudsman Services tender. They're subservient to them.

        The whole complaints system is flawed "one big merry-go-round", that achieves nothing, because there is no way to make a complaint that affects large numbers of customers at once, other than 'super complaints' through Which? which take forever to get off the ground.

    3. Alan J. Wylie

      Re: How about fining BT for also failing to disclose the breach.

      I would have thought that when BT contracted with Yahoo! to handle their customers' emails, there would have been self-congratulatory press releases on the subject, perhaps naming the muppets who at the time took the credit.

      Can I find these anywhere using Google? Not a trace. The "Right to be forgotten" strikes again?

    4. leexgx

      Re: How about fining BT for also failing to disclose the breach.

      they did it as they were aware of the no-password login issue that Yahoo had on their service, which is why they were moving away from Yahoo (some BT mail accounts seem to still be on a Yahoo service)

      at least BT had a feature that automatically locked the account out when it detected a compromised account that was sending mass spam out, but as the hack did not need to know the password to log into the account, it was causing lots of support issues as accounts were being randomly locked out because it was thinking the password was compromised

      a bunch of people I support had their accounts accessed to send spam out. What it would do, from what it seems, is gain access via the Yahoo mail app API; then once it got the logged-in token it went onto the full site, scanned all contacts and emails and mail-bombed all of them. If you ever got random "message undeliverable" bounces in your inbox, your account was accessed for spam sending

      note your password was actually never compromised as they were bypassing the login process; I had one person's account accessed over 4 times, every time with a different password. There was a password database leak at that point, but it was unrelated to this getting into Yahoo accounts without passwords (some sort of XSS exploit/vulnerability to steal the login, but this one required zero action on the user's part; I had very old Yahoo accounts emailing me that had not been used for a long time). This was around 2013 when this happened; it has been fixed, and I like the single user login that Yahoo and MS use now, I have not used the password for years now (wish Google would do it, as they support Yes/No login on all Android devices or iOS with Google search installed)

    5. Anonymous Coward

      Re: How about fining BT for also failing to disclose the breach.

      OFCOM look after BT, they have special protected status.

      What I want to know is how I claim my cut of that $35m, as after all it's USERS that were affected... where does that 35m go???

  2. Amos1

    So 1.1 cents per record

    And they say that breaches are expensive.

    1. Nolveys Silver badge
      Trollface

      Re: So 1.1 cents per record

      And they say that breaches are expensive.

      Pretty expensive, it works out to $350,000 per user.

  3. Steve Aubrey

    "Will anyone care?"

    No.

    That is all.

    1. Ole Juul Silver badge

      Re: "Will anyone care?"

      I care. Yahoo! fills an important role as laughingstock. El Reg wouldn't be the same without its "massive! security! screwup!" headlines.

  4. Anonymous Coward

    Measly 35m fine? - I'm looking forward to the Revolution

    https://www.huffingtonpost.ca/2017/08/07/ex-facebook-exec-warns-of-revolution-caused-by-job-automation_a_23068976/

    https://www.huffingtonpost.ca/2017/01/26/us-business-elite-prepares-for-crisis_n_14420284.html

  5. sanmigueelbeer Silver badge
    Happy

    What is Yahoo!?

    1. Aladdin Sane Silver badge
      Coat

      Isn't it a brand of milkshake?

  6. Anonymous Coward

    Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

    They did indeed,

    as well as revamping their "privacy" policy and also giving users their FIRST look at some "privacy" controls that they never had control over before, including "connected apps", which showed users for the first time that companies such as LinkedIn had access to their data.

    Yahoo then tried to force users into agreeing with their new "privacy" policy by refusing access to the user's email, throwing a fake error if the user chose "I'll do this later" instead of "I agree" to the new policies. The error read "Oops Something went wrong!" "Start Over", bringing the user back to the privacy policy agreement page and holding users hostage so they couldn't access their account to migrate to a different email provider.

    1. Anonymous Coward

      Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

      Perhaps I should take a look.

      But to be honest I didn't notice because I usually use IMAP and log in to webmail once in a blue moon.

      Anon, because otherwise I'm admitting in public that I use Yahoo! Mail.

      1. RobinCM

        Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

        You don't get multi-factor authentication on old protocols like IMAP. Which to their credit, Yahoo have been strongly encouraging their users to turn off if they don't need it. Given that 99.99% of people just use a browser this is the right approach.

        I used to use IMAP years ago (via a telnet client sometimes, ha!) but MFA is too useful a security measure.

        1. leexgx

          Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

          the IMAP way needs a custom password generated when Yes/No login is enabled on the account (that password can only access the email messages, contacts and calendar; it cannot be used to log into the Yahoo site or account pages). If the mail app supports 2FA login (I think Thunderbird and iOS do with Yahoo, MS and Google, maybe others) you can use Yes/No login to link the account to the mail app
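The app-password model the two comments above describe (MFA on the browser login, a separately generated password for legacy IMAP clients that can reach mail, contacts and calendar but not the account pages) can be shown as a small working model. This is an added example, not Yahoo's or any mail provider's code; the functions `create_account`, `issue_app_password`, `web_login` and `imap_login`, the scope names and the `mfa_approved` flag standing in for a Yes/No prompt are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Scopes an app password may reach (hypothetical names) versus the
# account/settings scope that only a full web login with MFA approval grants.
APP_SCOPES = frozenset({"mail", "contacts", "calendar"})
ACCOUNT_SCOPE = "account"


def _hash(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so stored values are useless if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    primary_hash: bytes
    mfa_enabled: bool = False
    # label (e.g. "thunderbird") -> hash of that client's app password
    app_passwords: dict = field(default_factory=dict)


def create_account(password: str, mfa_enabled: bool) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), mfa_enabled)


def issue_app_password(acct: Account, label: str) -> str:
    """Generate a per-client password for a legacy IMAP/CalDAV client.

    Only permitted once MFA is on, so the primary password is never handed
    to a client that cannot answer a second-factor prompt. The cleartext is
    returned once for the user to paste into the client; only its hash is kept.
    """
    if not acct.mfa_enabled:
        raise PermissionError("enable MFA before issuing app passwords")
    app_pw = secrets.token_hex(8)  # 16 hex chars, shown to the user once
    acct.app_passwords[label] = _hash(app_pw, acct.salt)
    return app_pw


def revoke_app_password(acct: Account, label: str) -> None:
    """Revoke one client's password without touching the primary password."""
    acct.app_passwords.pop(label, None)


def web_login(acct: Account, password: str, mfa_approved: bool) -> frozenset:
    """Browser login: primary password plus, when MFA is on, an approved prompt.

    App passwords are never accepted here, so a leaked app password cannot
    reach the account or settings pages.
    """
    if not hmac.compare_digest(_hash(password, acct.salt), acct.primary_hash):
        return frozenset()
    if acct.mfa_enabled and not mfa_approved:
        return frozenset()
    return APP_SCOPES | {ACCOUNT_SCOPE}


def imap_login(acct: Account, password: str) -> frozenset:
    """Legacy protocol login: no second factor can be prompted.

    Once MFA is on, the primary password is rejected on this path and only an
    app password works, with its reach limited to mail/contacts/calendar.
    """
    if not acct.mfa_enabled:
        ok = hmac.compare_digest(_hash(password, acct.salt), acct.primary_hash)
        return APP_SCOPES if ok else frozenset()
    candidate = _hash(password, acct.salt)
    for stored in acct.app_passwords.values():
        if hmac.compare_digest(candidate, stored):
            return APP_SCOPES
    return frozenset()


if __name__ == "__main__":
    # Constructed walk-through: enable MFA, issue a client password, show that
    # each credential only works on the path it was meant for.
    acct = create_account("correct horse battery staple", mfa_enabled=True)
    client_pw = issue_app_password(acct, "thunderbird")
    print("primary password over IMAP:", sorted(imap_login(acct, "correct horse battery staple")))
    print("app password over IMAP:    ", sorted(imap_login(acct, client_pw)))
    print("app password on the web:   ", sorted(web_login(acct, client_pw, mfa_approved=True)))
```

The point of the split is blast radius: a client password that leaks from a laptop mail profile can read mail but cannot change recovery options or disable MFA, and revoking it does not force a primary password change.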

  7. Ian Emery Silver badge

    Directors??

    At a minimum, the Board of Directors, exec and non-exec, should be banned from ever holding such a position again - for life.

    Monetary penalties will never stop the suits from covering up their mistakes.

  8. Anonymous South African Coward Silver badge

    Altaba reminds me of Ali Baba and his^H^H^H the^H^H^H whatever 40 thieves...

  9. TechnicalBen Silver badge

    I lost TWO accounts to this.

    Most recent one again in 2016/17 as I managed, somehow, to recover it in 2016 after 4 years blocked, then it gets "too many login attempts" and my existing password no longer works *AGAIN*.

    So that's presumably twice that one account got a password leaked out (and the first time I did manage to do an emergency recovery and/or they never changed my pass, just got the account blocked from multiple hacking attempts, and eventually the block expired?).

    No, I don't expect it was leaked from a third party website, as I use different passes on each account, and both got locked out. :(

  10. Aodhhan Bronze badge

    FINE??

    A $5 billion company is fined only 35 million for failing to notify investors. Not much of a fine.

    This fine comes out to 0.07% of the company's value.

    This isn't a fine, it's a punch-line.

  11. 89724905708169238590784I93056703497430967093434677347864785234986359235564854495684561564545876

    fines are simply tokens

    ...fines are never going to be high enough to be any real liability and until that changes...


Biting the hand that feeds IT © 1998–2019