Yahoo says more than 1B accounts hacked in 2013 security breach
Yahoo, still reeling from a hack that impacted more than 500 million accounts earlier this year, on Wednesday revealed another one billion accounts were compromised in a separate attack dating back to 2013.

The recently disclosed data breach appears to have leaked data similar to information obtained in a separate hack revealed in September, judging by information released in a Yahoo statement.
According to the company, the latest intrusion exposed user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed with the MD5 hash function, and encrypted or unencrypted security questions and answers. Yahoo does not believe password information was disclosed in clear text, nor that payment card data or bank account information leaked as part of the breach.
By comparison, Yahoo's 2014 hack, which involved some 500 million accounts, reportedly revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions. At the time, the company blamed the attack on a state-sponsored actor.
While the attack is distinct from the breach disclosed in September, Yahoo is blaming at least part of the activity on the same state-sponsored agent or agents.
Thought to have been carried out in 2013, the attack was only recently uncovered by Yahoo's security team. In November, law enforcement officials furnished the company with data files that a third party claimed were gleaned from user accounts. Analysis of the data narrowed the probable attack window down to August 2013.
"We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016," the company said in an email sent out to affected users.
Detailing how hackers managed to break into more than one billion accounts, Yahoo CISO Bob Lord said his team believes an unauthorized third party likely accessed Yahoo's code in 2013 and discovered a way to forge cookies. Armed with a cookie creation tool, intruders would be able to access accounts without a password.
Yahoo is in the process of notifying users it believes were impacted by the breach and is requiring those affected to change their passwords. The company also invalidated unencrypted security questions and answers in a bid to stave off follow-up attacks.
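The cookie-forging detail above is the security-relevant one: if a session cookie can be minted by anyone who has read the application's source, the signing secret was effectively part of the code. The following is an added example (not Yahoo's code, and not a description of how Yahoo's cookies actually worked) showing the defensive pattern a session layer should follow: the HMAC key is supplied from outside the code (here a constructor argument standing in for an environment variable or secret store), every cookie carries a key id and an expiry, tags are compared in constant time, and retiring a key during rotation invalidates every cookie minted under it, which is the mechanism a site uses to kick out holders of forged or stolen cookies. Key ids, user ids and key bytes below are constructed sample values.

```python
"""Forgery-resistant session cookies: HMAC-SHA256 over a payload, key ids for
rotation, expiry checks, and constant-time tag comparison.  Keys are injected
from outside the code, so reading the source does not yield a cookie-minting
capability.  Added example with constructed sample values; not Yahoo's code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookieSigner:
    def __init__(self, keys: Dict[str, bytes], current_kid: str) -> None:
        # 'keys' stands in for an env var / secret store; never hard-code these.
        if current_kid not in keys:
            raise ValueError("current key id must be present in the key set")
        self._keys = dict(keys)
        self._current_kid = current_kid

    def issue(self, user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = {"uid": user_id, "exp": int(now + ttl_seconds), "kid": self._current_kid}
        body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        tag = hmac.new(self._keys[self._current_kid], body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64e(tag)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload for a valid cookie, or None for anything else."""
        now = time.time() if now is None else now
        try:
            body, tag_text = cookie.split(".", 1)
            payload = json.loads(_b64d(body))
            kid = payload["kid"]
            tag = _b64d(tag_text)
        except (ValueError, KeyError, TypeError):
            return None
        key = self._keys.get(kid)
        if key is None:
            return None  # unknown or retired key id: cannot be trusted
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered payload, or a tag made without the real key
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return None  # expired (or missing expiry)
        return payload

    def rotate(self, new_kid: str, new_key: bytes, retire_old: bool = True) -> None:
        """Switch to a new signing key.  With retire_old=True every cookie
        issued under earlier keys stops verifying: this is the 'invalidate all
        sessions' step a site takes after a key or code compromise."""
        if retire_old:
            self._keys = {}
        self._keys[new_kid] = new_key
        self._current_kid = new_kid


def demo_lifecycle() -> Dict[str, bool]:
    """Walk through issue, tamper, forge-without-key, rotate; return outcomes."""
    server = SessionCookieSigner({"k1": b"constructed-sample-key-1"}, "k1")
    cookie = server.issue("alice", ttl_seconds=3600, now=1000)

    # A cookie with the same payload but a fake tag: the attacker lacks the key.
    body, _ = cookie.split(".", 1)
    bad_tag = cookie[: len(body) + 1] + _b64e(b"\x00" * 32)

    # A cookie minted by someone who guessed the key from the source code.
    outsider = SessionCookieSigner({"k1": b"guessed-key"}, "k1")
    forged = outsider.issue("alice", now=1000)

    before_rotation = server.verify(cookie, now=2000)
    server.rotate("k2", b"constructed-sample-key-2")
    fresh = server.issue("alice", now=2000)

    return {
        "valid_cookie_accepted": before_rotation is not None and before_rotation["uid"] == "alice",
        "bad_tag_rejected": server.verify(bad_tag, now=2000) is None,
        "forged_without_key_rejected": server.verify(forged, now=2000) is None,
        "expired_rejected": server.verify(cookie, now=5000) is None,
        "old_key_cookie_rejected_after_rotation": server.verify(cookie, now=2000) is None,
        "new_key_cookie_accepted": server.verify(fresh, now=2500) is not None,
    }


if __name__ == "__main__":
    for check, ok in demo_lifecycle().items():
        print(f"{check:42s} {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is `rotate(..., retire_old=True)`: a site that suspects its cookie-minting capability has leaked does not need to find every bad cookie, it only needs to stop honouring the key they were minted under, at the cost of logging every legitimate user out once.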

Comments
This happened in 2013.
… for starters. You can't ever guarantee security, or even be certain that a breach will be detected, so we need to secure our internet-facing logins the best possible way.
We, as a country, are screwed. We care zero about, and as a result, invest very little in security and privacy. It's biting us in our digital butts in every which way, including our elections (it's the Dems today, but I guarantee it'll be the Repubs tomorrow). The Russians, Chinese, and the (third-rate) N Koreans cause much of this mayhem, and just point and laugh at us. It shocks and surprises me that we don't have the balls to take out their digital infrastructures (I am sure we have the means).
Hopefully, Trump will be a little different. We'll see.
How should such extend beyond national (or other) economic interests to an increasingly global village?
http://wwf.panda.org/about_our_earth/all_publications/lpr_2016/
simple mistake.
That's what I thought when I read the email!
>:x
The problem lies with the way IT staff is run and accepted by corporate management. In the case of Yahoo, it's obvious corporate management never cared about security so they didn't insist on having an IT staff who knew what they were doing. Yahoo, Home Depot, etc., etc., etc., have people in charge who haven't the faintest idea what it takes to secure anything. A lot of these people are the same ones who voted for a president who hasn't the faintest idea about anything so it doesn't surprise me Yahoo has been hacked constantly for years.
Better late than never?
It's no longer about big balls - it's about big brains and the winners will be those who apply their intellectual might strategically and with surgical precision rather than carpet bombing or brute force, which creates a lot of noise, fills lots of body bags, but is frustratingly difficult to even reach an end-state, much less "win."
If the Trump administration applies smart and adaptable people who can get things done and solve problems rather than resurrecting old war horses, bureaucrats, or opportunists looking to pad their personal fortunes, perhaps we'll get out ahead of these threats. We have some incredibly smart people, but so do all other countries on the planet, friends and foes. We have the advantage of having incredible amounts of resources and wealth to surround our smartest people with everything they need to get the job done.
Today is as close as we've ever been in the past 50 years to having a clean slate to start with because we've blown up our traditional political systems and trashed civility, morality, and empathy for the sake of expediency and the created crisis. Whether it's right or wrong really doesn't matter anymore, perception becomes reality, and we are at ground zero and must now step over the casualties and decide what we'll become going forward. The United States of Trump gets first crack at forging the new path forward. Will it choose brains or will it choose brawn?