back to article Yahoo! Mail! users! change! your! passwords! NOW!

Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant – after a security breach exposed account login details to theft. The company said that it has reset the passwords on accounts connected to what it termed a "third-party database compromise" – that database …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Bet it was Sky. The email account security for them is the worst.

    Having once worked for them, I had a customer who was complaining because when he logged int his account for the first time, he was forced to reset his password, and found 24,000 emails dating back several years. Which he had proceeded to delete.

    He had been a sky customer for 10 days.

    He had actually accidentally hacked another users account because they shared a name and taste in football teams.

    He did not want to accept the fact that he had broken the law. He was also unhappy that some other person kept trying to change the password back again.

    My forehead met the desk several times over that conversation before i passed the whole mess over to a manager to escalate to the appropriate people.

    1. the spectacularly refined chap

      He did not want to accept the fact that he had broken the law.

      That's probably because based on the facts as you presented them he hadn't. There are no strict liability offences in the Computer Misuse Act so you have to establish mens rea (essentially deliberate intent) in order for it to be a crime. The scenario you describe falls far short of that.

      1. Anonymous Coward
        Anonymous Coward

        Oh well that's good. At least he wouldn't have had his evening ruined by a visit from the plods.

    2. Lost in Cyberspace

      Re:

      So far, it's all been BT customers that have been calling me

  2. Sanctimonious Prick

    users should never use the same password on multiple sites or services," said Yahoo!

    Try telling that to your partner!

    1. Bob Vistakin
      Facepalm

      Re: users should never use the same password on multiple sites or services," said Yahoo!

      Users should never use Yahoo for anything serious, says common internet knowledge.

      1. VinceH

        Re: users should never use the same password on multiple sites or services," said Yahoo!

        "Users should never use Yahoo for anything serious, says common internet knowledge."

        Try telling that to your partner!

        1. Tim Bates

          Re: users should never use the same password on multiple sites or services," said Yahoo!

          "Users should never use Yahoo for anything serious, says common internet knowledge."

          Try telling that to your partner!

          Try having to tell it to your BOSS!

    2. Gordon 10

      Re: users should never use the same password on multiple sites or services," said Yahoo!

      Try telling that to anyone who has 40-50 passwords to manage.

      1. TheMidnighToker

        Re: users should never use the same password on multiple sites or services," said Yahoo!

        I think the magic technology you're missing out on is called a "Password Manager"...

      2. Anonymous Coward
        Anonymous Coward

        Re: users should never use the same password on multiple sites or services," said Yahoo!

        At the very least, surely your email password should be unique? And probably your Paypal account too...

      3. Bryn Jones

        Re: users should never use the same password on multiple sites or services," said Yahoo!

        You should use a password manager to remember most of those account passwords (with long randomly generated passwords), then you only have to remember the important ones (online banking, etc) and the password for the password manager.

      4. Anonymous Coward
        Anonymous Coward

        Re: users should never use the same password on multiple sites or services," said Yahoo!

        The way I deal with passwords is to treat them like nouns that describe a new thing. Like say, my (non-existent) ¡¡¡Yahoo!!! account is associated in my mind with the (pass)word "J8&都帶ѕ"É//rť|¹çሰS❦27" (without quotes).

        Simple really. The only problem is I can never remember if the 'ѕ' is a Latin or Cyrillic one.

  3. Arachnoid

    Password complexity

    Doesn't make much difference if someone elses server is hacked and the user data is ransaked especially if its left in plain text.

    1. Bartholomew

      Re: Password complexity

      And https://xkcd.com/936/

      enforcing rules to use 3 out of 4 (upper, lower, number, symbol) can be a real pain in the arse to people with very secure 20+ character passwords.

      1. ElReg!comments!Pierre

        Re: Password complexity

        Yes, I'm routinely forced to dumb down my passwords to accomodate for the dimwitsenforcing this kind of rules. Worst thing is, there is no chance in hell of me remembering the resulting mess of mixed-case number-and-symbols-containing nightmare, so I have to write it down somewhere, making it all the more, erm "secure". Not that it matters anyway, as any decent rig would crack it in roughly 12 seconds, due to these rules not being fit for secure password generation.

        Not that anyone would want access to my Yahoo accounts of course: I give them away to spam-spaffing outfits exclusively. Interestingly, that includes the US' Customs and Border Protection (every once in a while you bump into a zealot deskjockey who insist the "email" field in these forms must be filled; invariably this is followed by a few hundred spam messages being sent to the addy over the next week. Not too bad, as spammers go, but you'd think the US government wouldn't sell their databases to penis enlargement pills outfits. And you'd be dead wrong).

        1. Fihart

          Re: Password complexity

          The other problem with all these bloody passwords one has to manage is that the average phone keyboard is only marginally usable at best. Pressing extra alt and capital keys between numbers, letters and uppercase is a complete pain and hard to do accurately. Thank you Blackberry Torch with an onscreen keyboard incompatible with adult european male fingers -- or a tiny slide out one with a substantial ridge around it that makes number entry a contortion.

        2. Tom 13

          Re: Password complexity

          I don't have a lot of trouble generating the passwords. Remembering them is a whole other story.

          What I find more annoying is that some sites change the rules on what needs to be included, so my the passwords with that level of complexity which I routinely generate don't always work. Because some silly site (Yahoo!) won't allow you to use symbols in your password. The worst is WebEx where they have about 4 symbols that are allowed. So the resulting password is always complete jibberish. Also annoying in this story is that the third party is not named. They should be. I only use my Yahoo account for things I expect to be spammed on, so it isn't overly important to me. I did use the same password on a throwaway FB account just so I could keep track of the FB account pw. I don't actually care about the accounts per se. I just don't want them being used to hack other people.

        3. James O'Shea

          Re: Password complexity

          "you'd think the US government wouldn't sell their databases to penis enlargement pills outfits"

          Errm... large portions of the US Gov _are_ penis enlargement outfits. <exits, humming the :Marine Corps Hymn", especially the part about "If the Army and the Navy ever gaze on heaven's scenes, they'll find the streets are guarded by United States Marines". You can't make this stuff up.>

  4. This post has been deleted by its author

  5. M Gale

    So what about the username and password which is plainly still stored so that you can tell me that my old account got "deleted", with massive sarcasm quotes added for effect? You know, the one I can't change due to, well, the account being "deleted"?

  6. Anonymous Coward
    Anonymous Coward

    Would this be a recent breach??

    Or the one that occurred 12 months ago finally being acknowledged??

  7. Charles Manning

    While you're logged in...

    ... may as well delete your account.

    Marissa will have to do better than her last "very sorry" pseudo-self-flagellation for the 4 day mail outage fiasco.

    1. Valeyard

      Re: While you're logged in...

      To be fair, marissa self-flagellation would satisfy me

      1. Steven Raith
        Joke

        Re: While you're logged in...

        Surely it would be better to flagellate her (or whatever) yourself, after buying her dinner and discussing IT security with her?

        (hey, I'm a classy guy)

        Steven 'not had a date in a while' Raith.

        1. Anonymous Coward
          Anonymous Coward

          Re: While you're logged in...

          @Steven Raith

          The obvious solution to your dating problem is to store all your confidential data with Yahoo.

          Hey presto! Instantly fucked.

          1. Steven Raith

            Re: While you're logged in...

            I'll read the Daily Mail by choice before I use Yahoo for...fucking anything, thankyouverymuch.

            :-)

            Steven R

            (for our international commentards - the Daily Mail is like the Weekly World News, or other schlocky, lie-filled, made up tabloid rag in your locale, except it passes itself off as a real newspaper. And even more tragically, people actually take it seriously)

  8. Hans 1
    WTF?

    ThirdParty + PlainText Passwords ?

    Hello, anybody read the article ?

    >Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant – after a security breach exposed account login details to theft.

    >The company said that it has reset the passwords on accounts connected to what it termed a "third-party database compromise" – that database contained records on some of Yahoo!'s users.

    This is so bad, really, soooo bad practice it beggars belief ...

    1. What are clear text passwords doing in a database?

    2. Worse, WTF is a third party doing with account details .... in clear text ???

    As Linus says, the security guy at Yahoo should be shot.

    1. Zama

      Re: ThirdParty + PlainText Passwords ?

      Doesn't sound like Yahoo did anything wrong. If anybody should be shot, it's the users who used the same password on multiple sites. And there's no evidence that clear-text passwords were stored anywhere. Software like John the Ripper and hashcat will make short work of salted and hashed password files.

      1. Dan 55 Silver badge
        Flame

        Bad Register, bad...

        A completely separate service to Yahoo has had their database hacked, Yahoo have obtained a copy and flagged the Yahoo mail accounts in the hacked database as accounts which must to change their password as many people use the same password for everything. If as soon as you log into Yahoo you are forced to change your password then you're affected otherwise you're not affected.

        In other words the headline in El Reg is wrong and would be something much more serious.

        As much as I like to stick the boot into Yahoo, they seem to have done things properly this time, apart from telling everyone via Tumblr when it should be via their login screen.

        I still wouldn't trust Yahoo with my mobile number for 2FA though.

      2. Robert Grant

        Re: ThirdParty + PlainText Passwords ?

        Er they won't. Use a 1Password (or whatever) password and watch either of those tools take longer than the age of the universe to crack a 23-character password.

      3. Alan_Peery

        Re: ThirdParty + PlainText Passwords ?

        Even if the passwords were stored encrypted, what possible reason does Yahoo (as the service provider) have to share the *password*? Username, etc, makes some sense. Password sharing does not.

  9. Anonymous Coward
    Unhappy

    How about informing us properly, Yahoo?

    The link provided in the article is to a tumblr blog entry. I can find nothing on the Yahoo site (at least not as obvious as it needs to be), so how does Yahoo expect us to know about the problem if we don't subscribe to the likes of The Register?

    Is it meant to be under the omg! menu?

    1. Fatman
      FAIL

      Re: How about informing us properly, Yahoo?

      Is it meant to be under the omg! menu?

      In the 'states' there is a syndicated 'media show' (IIRC OMG! The Insider) that is partnered with yaHOO!, perhaps that is where they should have publicized it.

      It is quite likely more important than the latest antics of Justin Bieber.

  10. lglethal Silver badge
    WTF?

    Honest Question

    I cant think of a single reason, why a third party firm should be given a list of Yahoo's users email addreses, let alone giving them the users email addresses PLUS the passwords. Honestly, can anyone tell me even a single reason that would happen? Anyone?

    (and lets not go into the fact it seems to have been done in plain text, which is frankly gobsmacking!)

    1. Zama

      Re: Honest Question

      Sally has an account with Yahoo. She doesn't have much of an imagination, and uses the name of her dog as a password. She then downloads a new version of some Adobe product, which requires registration. So she supplies her yahoo email address and, foolishly, the same password that she uses for that account. When the Adobe database is hacked, the attackers know that this sort of behaviour is rife and they use the Adobe details to try and break into the Yahoo account. Chances are good that they'll succeed with a moderately high proportion of users. Yahoo were not at fault in this scenario

      1. Tom 13

        @Zama

        Yeah, but the wording from Yahoo! seems to imply a closer linkage, like somehow or other this third party was a partner for something. Which makes it all the more problematic that Yahoo! won't say who the third party is. Speculating further might lead deep into black helicopter territory.

        1. Alan_Peery

          Re: @Zama

          I agree on the implied linkage -- the end of the Tumbler message issues an apology. If this was a simple third-party compromise like the Adobe scenario that Zama gives, then Yahoo has no apology to make as they would be going above and beyond their responsibilities.

      2. Charles Manning

        @Zama

        If what you say is true, then it won't be a Yahoo-only problem. The same issue would be faced by hotmail, Google etc.

        It is rather unclear, but there do not seem to be reports of that happening.

        If it is only Yahoo that are having the issue, then there is some smoke being blown up donkeys.

  11. auburnman
    FAIL

    Just tried to change my Sky password, the change password dialogue is doing sweet FA. Fantastic.

    1. Tom 13

      Re: the change password dialogue

      Hey, at least you could FIND the change password dialogue. I spent five minutes hunting for the damn thing when I logged into Yahoo!

      Who the f*ck HIDES the change password dialogue? That's like keeping a doomsday device secret!

      1. The Mole

        Re: the change password dialogue

        Hover over the cog on the right hand side | Settings | Change Password.

        Just make sure you type it right - for some reason they don't make your confirm what you typed (though do let you show everybody your password if you want.

  12. Joe 37

    So their solution is to hand out your mobile number to all and sundry as well.

    Is it just me, or is this "two factor" authentication just another data grab for Y! and the ilk to lose/get hacked/sell?

    1. Fihart

      @ Joe 37

      See my other comment -- you don't have to give Yahoo your phone number when they ask for it. Just ignore the message and sign out.

    2. Pascal Monett Silver badge

      It's not just you

      I also immediately thought "hey, opportunity grab !".

      It is telling that Yahoo! adopts the same strategy as Google for grabbing you phone number.

      Unfortunately for them, I'm not giving Google my number because the less it knows about me the better I feel, and I certainly won't be giving it to Yahoo! because I find it even less trustworthy than Google.

      Google may be an evil, all-watching Internet overlord, but at least it is an efficient one. Yahoo! just looks like a bunch of confused amateurs next to the Big G.

  13. Martin H Watson

    Complex password, simple user Id

    We read so much about the importance of complex passwords. However I wonder how many times user IDs such as John.Smith, jsmith, user2, training, sysadmin and administrator are used. Making user IDs more complex but still meaningful will help increase security. Especially for sysadmins. I've long advocated this, but it is rarely mentioned.

  14. Anonymous Coward
    Anonymous Coward

    Yahoo!

    Really is an appropriate choice of name for a company, isn't it. Gulliver would recognize them.

  15. CAPS LOCK

    My Yahoo account has no news of this in it.

    Password changed anyway.

    1. Fihart

      Re: My Yahoo account has no news of this in it.

      Nor mine but, like you, done it anyway.

      Incidentally, after resetting password was asked to supply a mobile phone number. I refuse to do that on principal because these web firms have no hesitation in flogging details (or they get them stolen).

      I ignored the demand for a mobile number and simply signed out of Yahoo. Had no problem signing in with the new password.

  16. e-smith

    Improved password change security!

    Please change your password with the form that won't let you change your password. One line asks for current password, second line asks for new password, then click Save. So sez the instructions.

    Error pops up telling you the passwords don't match.

    Seriously?

    1. RyokuMas
      FAIL

      Re: Improved password change security!

      Mine perpetually says that my new password is too similar to my old one.

      ... I've tried a dozen so far.

      1. Colin Wilson 2

        Re: Improved password change security!

        "Mine perpetually says that my new password is too similar to my old one"

        How on earth would they know? Unless they are saving them in plain text...

        1. Tom 13

          Re: Improved password change security!

          All operating systems can and in secure settings are configured to remember x number of previous passwords and prevent you from using them again. Whether the password is encrypted or they are just checking against a hash I don't know, but it's pretty much irrelevant. At my current work location I believe they are tracking the previous 24 for both network and email accounts. Damn thing remembers passwords I don't remember having used.

          I understand the reason for the check and the absurdly high number of remembered passwords. Back when it remembered the last 5 passwords we had people who would change the password 6 times to get back to their original password. Personally I'd rather those idiots were throw into the Hell of the Upside Down Sinners.

    2. Joe 35

      Re: Improved password change security!

      I didn't have that problem, but it only asks you to type the new one in once. Insane.

    3. mickey mouse the fith

      Re: Improved password change security!

      "Please change your password with the form that won't let you change your password. One line asks for current password, second line asks for new password, then click Save. So sez the instructions.

      Error pops up telling you the passwords don't match.

      Seriously?"

      Are you using firefox by any chance?

      I almost tore my hair out with this, checking and rechecking i was tapping in the right characters only to have the bloody thing moan about pw not matching.

      After pissing about, changing characters, case and symbols thinking it was their shit pw system not recognising certain characters, I tried it in chrome, and it worked first time.

      Dont know if its an compatibility thing with an add -on or yahoo are just shit at making websites function properly. Il go with the second option.

  17. taxman
    Facepalm

    THUD!

    Trying to do this and .........account locked! Password reset sent to.....yup the account that's been locked not the 'other' account! And to get to the security questions to confirm who I am.....yup you need the new password!W!T!F!

    1. Fihart

      Re: THUD!

      Yes, I anticipated this could happen. And decided beforehand that if Yahoo flucked up and locked me out I'd simply abandon the account I've had for 15 years and move to a different provider.

      Luckily my password change went smoothly -- apart from their stupid demand for a cellphone number (which I ignored by simply signing out). But Yahoo remain on a short leash as far as I am concerned. Too many more screw ups and slowdowns and I'll look elsewhere.

  18. Mr_Pitiful
    Happy

    Baffling

    What is this yahoo! thing you mention?

    1. Pascal Monett Silver badge
      Trollface

      Something that died last millennium but is still not aware of that fact.

    2. Vociferous

      Re: Baffling

      It's UKIP's home away from Stormfront.

      (Seriously. Read the comments section.)

    3. Anonymous Coward
      Anonymous Coward

      Re: Baffling

      Sort of like a Google but with massive annoyance levels.

  19. Anonymous Coward
    Anonymous Coward

    This is no fault of Yahoo.

    Another website was hacked, users who used the same password as their Yahoo password on the hacked website/forum/whatever need to change their password now on Yahoo.

    This is the fault of the user not using different password for different websites.

    no more no less

    1. Dick

      Really?

      Can you point to a statement by any responsible party saying that's what happened? If it did happen that way why are only Yahoo emails affected?

      Yahoo needs to come clean and name the mystery third party.

  20. Paul Westerman

    Keepass FTW

    Password changed (only needed to enter once, as observed by others) to Keepass-generated 20 character jumble of nonsense

    1. Anonymous Coward
      FAIL

      Re: Keepass FTW

      Keepass is a brilliant piece of software. I just need to persuade the other half to use it. As for blame, there are the users using the same password on multiple sites (I am sure plenty people do it), but Yahoo! should take the majority of it for giving out users passwords (and usernames) to another company. You just don't do that, unless you're Yahoo. I have been threatening to dump Yahoo for a while, now seems as good a time as any.

      1. Kelli

        Re: Keepass FTW

        Nowhere in the article does it say that Yahoo gave out usernames and passwords to another company.

        Another company was hacked where users were registered using their yahoo emailaddress and the same password as they use on Yahoo Mail.

        1. Dick

          Re: Keepass FTW

          Nowhere in the article does it say "Another company was hacked where users were registered using their yahoo email address and the same password as they use on Yahoo Mail."

  21. Mage Silver badge

    Badly done

    They STILL don't send a confirmation link to previous email address before changing it on password change or have you type it twice.

  22. Gareth Holt

    Account deleted

    Despite not having used my Yahoo! mail for a considerable time whereby it should have automatically expired, somehow it was still live.

    I've put it out of its misery now...

  23. AbeSapian

    Not To Put Too Fine a Point On It

    Just why, exactly, was Yahoo sharing user's passwords with a third party? The only reason to have the password is if you're going to log into the account. What was that third party doing?

    Regardless of the fact that it was the third party's systems that were hacked, it is an enormous breach on the part of Yahoo for even sharing passwords with that third party. The liability is Yahoo's.

  24. captain veg Silver badge

    Spammed

    Was spammed from the Yahoo! account of a friend on Tuesday, presumably one of those thusly cracked. The spam contained nothing but a hyperlink, which I entirely failed to follow. I'm guessing some exploit attempt was on the other end.

    Worryingly, the following day I got three very similar spams from the webmail of a relative, but not using a Yahoo! account. This time it was AOL. Is there some link between the two?

    -A.

  25. Alan Denman

    Software companies gone soft!

    There ain't many of the big guys left who ain't been hacked.

    The bigger you get the harder you fall.

  26. Vociferous

    Two-factor authentication =

    "GIVE US URE PHONE NUMBER! U CAN TRUST US!"

    Like hell.

    Well, Google's been doing it for ages, it was only a matter of time until Yahoo decided they needed to sell ads to phones too.

    Thing is, I don't need secure. Anyone could hack my gmail or yahoo or facebook or TheRegister accounts, and I couldn't care less, so having to jump hoops for a "strong" protection I don't need is really fucking annoying.

  27. Donald Becker

    I suspect that this was an extremely bad breach.

    One that reveals Yahoo was passing plaintext passwords over to partners.

    When I logged in today I got the "suspicious activity detected on your account" message, along with "UPDATE YOUR PASSWORD RIGHT NOW NOW NOW NOW".

    I had already read a headline about the compromise and I had a unique username and password on Yahoo. Otherwise I would have read the accompanying words as meaning some other site had been compromised and hackers were using that login info to abuse my Yahoo account. That's extremely sleazy. There was no apology, not acknowledgement of a massive screw-up.

  28. rontom

    responsibility?

    Two days after the breach I'm informed of a risk to my email account. Yahoo email is yahoo's responsibility. Why should I listen to their security advice if they're trying to blame an unnamed third party? And why should I give them my cellphone/mobile number?

  29. Anonymous Coward
    Anonymous Coward

    Blame others for your failure, blame others for your security holes.

    You can sort of see why Yahoo are so unloved and crappy.

  30. Vociferous

    Yahoo.co.uk is still experiencing problems.

    It's been down at least five times this sunday. Only for a few seconds each time, but still -- if I didn't know better I'd say someone was working on a production server and restarting it.

  31. Arachnoid
    Thumb Up

    Maybe its time.......

    That Yahoo let you change your log in credentials to something other that your well known email address

  32. Howard Hanek
    FAIL

    Somewhere in the Clouds.......

    Someday Britain will wake up and find that the London Financial District has been successfully migrated overnight to Lagos. Fortunately being an English speaking country business will continue uninterrupted and Abu Dabai will purchase the vacant real estate from the owners for a pittance. Britain will then apply for membership in the African Union.....

This topic is closed for new posts.

Other stories you might like