Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

Email addresses, phone numbers, hashed passwords, DoBs, security Q&As swiped


Updated Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email?

The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.

This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.

"We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor," said Yahoo!'s chief information security officer Bob Lord on Tumblr today.

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter."

Yahoo! has said it will email all those thought to be affected by the theft and is advising everyone who hasn't changed their passwords in the last two years to do so. If you've forgotten your password however, you could be out of luck – security questions that Yahoo! was storing in unencrypted format have been deleted from the system.

Unlike others, Yahoo! doesn't appear to be offering any kind of credit monitoring service for affected customers, but helpfully includes a link for users to check their own credit records. It also advises users to be on their guard against unsolicited emails.

The statement leaves many questions unanswered. For a start, how many of these email accounts are actually active? It's difficult to imagine that Yahoo! really has half a billion active email users: a quick poll around the office shows that just over half of Vulture West staff have a Yahoo! account, but that none of us have used it in the last year.

Yahoo! also fails to point out that the chief benefit to the hackers isn’t going to be their email accounts, but other online identities. People foolishly tend to reuse passwords and security question answers and that's where the main value of the data comes from.
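The reuse problem described above is the reason security answers deserve the same treatment as passwords: a dump of plaintext answers can be replayed against every other site where the same pet's name was used. The Python sketch below is an added illustration, not Yahoo!'s code or anything from the article; it normalizes an answer so harmless variations in case and spacing still match, then stores it under a per-record random salt with scrypt from the standard library. The cost parameters and the record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Illustrative cost parameters (assumed, not from the article); 128*n*r bytes
# of memory per hash, so n=2**14, r=8 is 16 MiB, within Python's default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so trivial variations still match.

    'Fluffy', ' fluffy ' and 'FLUFFY' are the same answer to the user; treating
    them differently only creates lockouts, so casefold, apply Unicode NFKC and
    collapse runs of whitespace before hashing.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", text).strip()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    A fresh random salt per record means two accounts with the same answer
    produce unrelated records, so a stolen table reveals neither the answer
    nor which accounts share one.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_answer(record: str, candidate: str) -> bool:
    """Recompute the hash from the parameters stored in the record and compare
    in constant time; malformed records simply fail verification."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(
            normalize_answer(candidate).encode("utf-8"),
            salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p),
            dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the same answer enrolled for two accounts yields two
    # different records, yet each still verifies against a sloppily typed copy.
    rec_a = hash_answer("Fluffy")
    rec_b = hash_answer("Fluffy")
    print("records differ:", rec_a != rec_b)
    print("verify ' fluffy ':", verify_answer(rec_a, " fluffy "))
    print("verify 'Rex':", verify_answer(rec_a, "Rex"))
```

Storing the parameters inside the record lets the cost be raised later without re-enrolling everyone: old records keep verifying with their own parameters and can be rehashed the next time the user answers correctly.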

The hack is also going to cause consternation at Verizon, which has offered to buy out the ailing portal for $4.8bn. Now that Yahoo! could be facing the mother of all class action suits, Verizon might be rethinking that price. ®

Updated to add

In late July, Verizon announced its intention to gobble up Yahoo!, just days before account information was shopped around on the dark web. According to Verizon today, it has only just learned of the staggering data theft even though fears for Yahoo!'s security were well reported back in August.

"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon told The Reg in a statement.

"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
