Yahoo says more than 1B accounts hacked in 2013 security breach

Yahoo, still reeling from a hack that impacted more than 500 million accounts earlier this year, on Wednesday revealed another one billion accounts were compromised in a separate attack dating back to 2013.
The recently disclosed data breach appears to have leaked data similar to information obtained in a separate hack revealed in September, judging by information released in a Yahoo statement.

According to the company, the latest intrusion exposed user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed with the MD5 algorithm, and encrypted or unencrypted security questions and answers. Yahoo does not believe password information was disclosed in clear text, nor that payment card data or bank account information leaked as part of the breach.

By comparison, Yahoo's 2014 hack, which involved some 500 million accounts, reportedly revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions. At the time, the company blamed the attack on a state-sponsored actor.

While the attack is distinct from the breach disclosed in September, Yahoo is blaming at least part of the activity on the same state-sponsored agent or agents.

Thought to have been carried out in 2013, the attack was only recently uncovered by Yahoo's security team. In November, law enforcement officials furnished the company with data files that a third party claimed were gleaned from user accounts. Analysis of the data narrowed the probable attack window to August 2013.

"We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016," the company said in an email sent out to affected users.

Detailing how the attackers managed to break into more than one billion accounts, Yahoo CISO Bob Lord said his team believes an unauthorized third party likely accessed Yahoo's proprietary code in 2013 and learned from it how to forge session cookies. Armed with a cookie creation tool, intruders could access accounts without ever supplying a password.

Yahoo is in the process of notifying users it believes were impacted by the breach and is requiring those affected to change their passwords. The company has also invalidated unencrypted security questions and answers in a bid to stave off follow-up attacks.
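The forged-cookie path Lord describes is exactly what keyed session cookies exist to prevent: a cookie that is only an encoding of the user id can be minted by anyone who has read the code, while a cookie carrying a MAC under a server-side key cannot unless that key leaks too. As an added example, not Yahoo's code, here is a minimal Python session-cookie format signed with HMAC-SHA256 and tagged with a key id, so a key believed to be leaked can be retired and every cookie minted under it rejected; the key values, key ids and the time window are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing keys indexed by key id (kid). Rotating ACTIVE_KID and
# refusing the old kid invalidates every cookie issued under a leaked key
# without breaking cookies issued under its replacement.
KEYS = {"k1": b"retired-key-constructed-0000", "k2": b"active-key-constructed-1111"}
ACTIVE_KID = "k2"
MAX_AGE_SECONDS = 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, now: int, kid: str = ACTIVE_KID) -> str:
    """Return 'kid.payload.tag'; the tag is HMAC-SHA256 over 'kid.payload'."""
    payload = json.dumps({"u": user, "iat": now}, separators=(",", ":")).encode()
    body = f"{kid}.{_b64(payload)}"
    tag = hmac.new(KEYS[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, now: int):
    """Return the user name, or None if the cookie is malformed, unsigned,
    tampered with, expired, or signed under a retired key."""
    try:
        kid, b64_payload, b64_tag = cookie.split(".")
        if kid != ACTIVE_KID:  # unknown or retired key: never fall back to it
            return None
        expected = hmac.new(KEYS[kid], f"{kid}.{b64_payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(b64_tag)):  # constant-time compare
            return None
        payload = json.loads(_unb64(b64_payload))
        if now - int(payload["iat"]) > MAX_AGE_SECONDS:
            return None
        return str(payload["u"])
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None
```

Note that the key id is covered by the MAC, so an attacker cannot relabel a cookie signed under the retired key as one signed under the active key.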

Comments

  • Reply 1 of 32
    News / media outlets per Yahoo! advising users change passcodes/words 'immediately'. :|

    This happened in 2013.
  • Reply 2 of 32
    Wunderbar......
  • Reply 3 of 32
    Yahoo: "Hi Mr. Smith, its Yahoo. Just wanted to tell you 3 years ago all your personal information and passwords were stolen. If you need anything, don't hesitate to contact us."
  • Reply 4 of 32
    Soli (Posts: 8,692, member)
    News / media outlets per Yahoo! advising users change passcodes/words 'immediately'.
    This happened in 2013.
    Just another reason why people should:

    • Use a secure password manager
    • Use randomized passwords
    • Never use the same password for different accounts
    • Use 2FA or 2SV, if available.

    … for starters. You can't ever guarantee security, or even be certain that a breach will be detected, so we need to secure our internet-facing logins in the best possible way.
  • Reply 5 of 32
    Such a POS company. I don't use my Yahoo! account anymore, but the password structure I used there was somewhat similar to other, more important sites. Now I have to change everything. Ugh. 

    We, as a country, are screwed. We care zero about, and as a result, invest very little in security and privacy. It's biting us in our digital butts in every which way, including our elections (it's the Dems today, but I guarantee it'll be the Repubs tomorrow). The Russians, Chinese, and the (third-rate) N Koreans cause much of this mayhem, and just point and laugh at us. It shocks and surprises me that we don't have the balls to take out their digital infrastructures (I am sure we have the means).

    Hopefully, Trump will be a little different. We'll see. 
  • Reply 6 of 32

    Hopefully, Trump will be a little different. We'll see. 


    Is this the suggestion of a change of campaign rhetoric in favour of better iPhone encryption defending past constitutional rights of private independent communication, thinking, invention & even intellectual property...?  Or AI in the hands of the few?

    How should such extend beyond national (or other) economic interests to an increasingly global village?

    http://wwf.panda.org/about_our_earth/all_publications/lpr_2016/

  • Reply 7 of 32
    Took them 3 years to figure out only a billion accounts got compromised. Wonder how long it will take them to notify them.
  • Reply 8 of 32
    Let's shoot for 2 billion hacked accounts in 2017. You can do it, Yahoo! We believe in your lack of security. (Of course we won't hear about it until they discover it in 2019)
  • Reply 9 of 32
    Took them 3 years to figure out only a billion accounts got compromised. Wonder how long it will take them to notify them.
    By the time they notify them all, 20% of them will have died, macOS will be 10.19 and Windows 11 will have just been released.
  • Reply 10 of 32
    I didn't know they still have that many accounts...
  • Reply 11 of 32
    So in 2019 we'll find out what data is being pinched right now? Great. 
  • Reply 12 of 32
    appex (Posts: 687, member)
    2016, not 2013 on headline!
  • Reply 13 of 32
    appex said:
    2016, not 2013 on headline!
    We already knew about the September breach; the news today is indeed the 2013 case!
    Simple mistake.
    That's what I thought when I read the email!
  • Reply 14 of 32
    This company should have ceased to exist a long time ago.
  • Reply 15 of 32
    mr o (Posts: 1,046, member)
    starwars said:
    This company should have ceased to exist a long time ago.
    Not until Apple releases their own iPad Weather app …

    >:x
  • Reply 16 of 32
    rob53 (Posts: 2,007, member)
    Such a POS company. I don't use my Yahoo! account anymore, but the password structure I used there was somewhat similar to other, more important sites. Now I have to change everything. Ugh. 

    We, as a country, are screwed. We care zero about, and as a result, invest very little in security and privacy. It's biting us in our digital butts in every which way, including our elections (it's the Dems today, but I guarantee it'll be the Repubs tomorrow). The Russians, Chinese, and the (third-rate) N Koreans cause much of this mayhem, and just point and laugh at us. It shocks and surprises me that we don't have the balls to take out their digital infrastructures (I am sure we have the means).

    Hopefully, Trump will be a little different. We'll see. 


    If Trump and the FBI have their way, nothing will be secure in the US. We might as well not even use passwords because everyone will be able to get to our data. Trump won't fix anything.

    The problem lies with the way IT staff is run and accepted by corporate management. In the case of Yahoo, it's obvious corporate management never cared about security so they didn't insist on having an IT staff who knew what they were doing. Yahoo, Home Depot, etc., etc., etc., have people in charge who haven't the faintest idea what it takes to secure anything. A lot of these people are the same ones who voted for a president who hasn't the faintest idea about anything so it doesn't surprise me Yahoo has been hacked constantly for years.
  • Reply 17 of 32
    steveh (Posts: 480, member)
    Took them 3 years to figure out only a billion accounts got compromised. Wonder how long it will take them to notify them.
    Well, we got the warning email last night...

    Better late than never?
  • Reply 18 of 32
    dewme (Posts: 1,998, member)
    We, as a country, are screwed. We care zero about, and as a result, invest very little in security and privacy. It's biting us in our digital butts in every which way, including our elections (it's the Dems today, but I guarantee it'll be the Repubs tomorrow). The Russians, Chinese, and the (third-rate) N Koreans cause much of this mayhem, and just point and laugh at us. It shocks and surprises me that we don't have the balls to take out their digital infrastructures (I am sure we have the means).

    We're not screwed, we're just slow to change and adapt to emerging threats and the infiltration of evil into everyday life. By "evil" I mean that anything that can be weaponized will be weaponized, from toys to connected toasters. Our slow response to asymmetric threats is the inherent nature of large countries with huge bureaucracies and mega investments in traditional security, i.e., standing million man armies, navies, air forces, police forces, prison systems, and their trillions of dollars of supporting industries. The asymmetric nature of cybersecurity, much like terrorism, totally befuddles traditional defense measures at all levels from national defense to the local cops.  

    It's no longer about big balls - it's about big brains and the winners will be those who apply their intellectual might strategically and with surgical precision rather than carpet bombing or brute force, which creates a lot of noise, fills lots of body bags, but is frustratingly difficult to even reach an end-state, much less "win."

    If the Trump administration applies smart and adaptable people who can get things done and solve problems rather than resurrecting old war horses, bureaucrats, or opportunists looking to pad their personal fortunes, perhaps we'll get out ahead of these threats. We have some incredibly smart people, but so do all other countries on the planet, friends and foes. We have the advantage of having incredible amounts of resources and wealth to surround our smartest people with everything they need to get the job done.

    Today is as close as we've ever been in the past 50 years to having a clean slate to start with because we've blown up our traditional political systems and trashed civility, morality, and empathy for the sake of expediency and the created crisis. Whether it's right or wrong really doesn't matter anymore, perception becomes reality, and we are at ground zero and must now step over the casualties and decide what we'll become going forward. The United States of Trump gets first crack at forging the new path forward. Will it choose brains or will it choose brawn? 
  • Reply 19 of 32
    zoetmb said:
    dewme said:

    The United States of Trump gets first crack at forging the new path forward. Will it choose brains or will it choose brawn? 
    You admit it's the United States of Trump and you're actually asking whether it's going to choose 'brains'? The man doesn't even read and he's sending Pence for the intelligence briefings because he doesn't want to bother attending himself. He's anti-science and anti-fact. He refuses to admit when he's wrong. Brains has absolutely nothing to do with it. The only thing working in our favor is that Government moves so slowly, we might just be able to survive the next four years, if Trump doesn't accidentally start a major war because someone "insults" him.
    What are you talking about? Intelligence briefings are given on an iPad. Obama even admits he doesn't read them all. Trump was only getting a briefing once a week, but now it's about 3 times a week. Like Trump would actually start a war over what someone said about him. Where on earth do you come up with that crazy idea? We were more likely going to war under Hillary had she won.
  • Reply 20 of 32
    volcan (Posts: 1,772, member)
    They never say what the compromise was. Every website hashes passwords. Why should we change our passwords? It is incredibly difficult to unencrypt passwords. The real value of hacked accounts is the underlying personal information, like addresses, phone numbers, spouses, children, mothers' maiden names, birthdays, SS# etc. The passwords are not really that accessible due to MD5.