Yahoo’s 500m compromised accounts. A wake-up call and what to do about it.

Marissa Mayer, CEO, Yahoo

The world’s media is agog this morning after embattled internet company Yahoo disclosed its network was penetrated three years ago and personal data on 500 million users was stolen. The company only discovered this recently after someone offered the information for sale on the “deep web” for $2 000. Yes, just 20 Ben Franklins – or 0.004 cents per account. Yahoo has accused “State-sponsored” hackers of doing the dirty deed. Common code for North Korea. Sounds like Dr Evil in an Austin Powers movie threatening to blow up the world unless he gets a million dollars. That’s a joke, of course. This isn’t. Yahoo is in the process of being sold to Verizon for $4.8bn so a massive data breach is the last thing Marissa Mayer’s business needs right now. Worse, as it all happened in late 2014, this particular horse has bolted long ago. Three years is an eternity in our warp speed world. Whatever stolen information was useful to the underworld was packaged and sold off long ago for much more than 0.004c a pop. Big lessons here. Passwords need to be powerful and changed often. Identity theft is very real and can destroy much more than one’s financial resources. The Bloomberg story below offers some excellent ideas on what you can and should do about it. – Alec Hogg

By Jordan Robertson

(Bloomberg) — Yahoo’s data theft – involving about half the company’s 1 billion users (see below) – is no joke.

At a time of increasing breach fatigue, when big data exposures sometimes elicit little more than a yawn, this incident sets a new bar for massive leaks of account information.

The break-in, which Yahoo attributed to a state-sponsored actor, presents a serious problem for users, because the data the hackers got isn’t just a partial look at people’s profiles; it’s as close to a full haul as they come from a company like Yahoo. The cyber-thieves stole account details including user names, scrambled passwords, birth dates, security questions and other personal information, but apparently not payment card and other financial data.

People walk on the Yahoo! Inc. headquarters corporate campus in Sunnyvale, California, U.S. 500 million accounts were compromised. Photographer: Noah Berger/Bloomberg

Hackers may have accessed millions of Yahoo accounts for years undetected. While Yahoo stressed that the passwords were encrypted, the re-use of passwords across the internet and thriving sale of hacked databases on the black market means that hackers may easily connect the dots for many other accounts.

Here’s what to do if you’re one of the unlucky Yahoo users whose account was compromised:

Yahoo says it’s alerting affected users and asking them to change their passwords. Even if you’re not notified, you should do this anyway.

The reason: Companies generally only report information that they can prove was taken from them. And it’s trivial for hackers to cover their tracks. So even if digital-forensics investigators strongly suspect or believe that certain data was accessed or taken, if it’s not verified, it may never be reported.

This is a good opportunity for Yahoo users to turn on login verification, which will implement a text-message alert or phone call when someone tries to access your account from an unrecognized computer. This is a wonderful feature that all major internet companies now offer.


If you want to go the extra mile, call your cell-phone provider and add a verbal password to your account there; that will prevent hackers who are seriously dedicated to hijacking your e-mail account from tricking your cell-phone service provider into routing the alerts or calls to phones under their control.

Now is also a good time for users to try novel authentication services such as Yahoo’s Account Key, which links the Yahoo mobile app to your phone to prevent anyone from logging in without having access to that device.

Tech companies are increasingly rolling out useful authentication services that reside on smartphones and add extra layers of log-in security — Google has Google Authenticator, and there’s another app from Duo Security called Duo Mobile, both of which generate one-time login codes that exist only on your phone and the company’s servers.
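As an added illustration, not part of either Bloomberg piece, of how codes of the Google Authenticator / Duo Mobile kind are derived on both the phone and the server from a shared secret that is never transmitted at login time (the TOTP scheme of RFC 6238, built on HOTP from RFC 4226): the secret below is the RFC 6238 test-vector key, and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret ("12345678901234567890" in base32). A real enrolment
# generates this randomly and shows it once (usually as a QR code) to the phone app.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimals."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the phone side. The counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: recompute the code for the current step and +/- `window` neighbouring steps
    (tolerating phone clock drift) and compare in constant time. A real deployment also records
    the last accepted counter so a captured code cannot be replayed within the window."""
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    phone_code = totp(DEMO_SECRET_B32, now)          # what the app displays
    print("phone shows:", phone_code)
    print("server accepts:", verify(DEMO_SECRET_B32, phone_code, now))
    # a code from five minutes ago falls outside the window and is rejected
    print("stale code accepted:", verify(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now - 300), now))
```

Because the code is a function of the secret and the clock only, someone who holds the leaked password but not the phone cannot produce it; the weak link is then the enrolment and recovery path, which is why the article's advice about locking down the phone account matters.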

500m Yahoo accounts hacked, data offered for sale on “deep web”

By Brian Womack, Jordan Robertson and Michael Riley

(Bloomberg) — Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing a wide swath of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.

The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, un-encrypted security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate theft of payment card data or bank account information, or unprotected passwords, the company said. Affected users are being notified, accounts are being secured, and there’s no evidence the attacker is still in the network, Yahoo also said.

“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”

The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.


The company began investigating after receiving a report in July of a hacker claiming to have hundreds of millions of stolen Yahoo log-ins for sale on the black market, according to a person familiar with Yahoo’s probe. Investigators couldn’t find evidence backing up those claims. However, the person said Yahoo decided to conduct a deeper, separate investigation that uncovered the larger breach and notified Verizon this week. The person asked for anonymity to discuss internal findings.

Two other people familiar with the Yahoo investigation said the link to a nation state is not iron-clad. And Yahoo has yet to disclose the evidence on which it is basing the link to a nation state.

Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives. As Bloomberg News previously reported, senior leaders at JPMorgan Chase & Co. lobbied the White House and various federal agencies to attribute a hacking attack against the bank in 2014 as being sponsored by Russia, but the FBI disagreed, and later filed criminal charges linking the breach to a stock pump-and-dump scheme, although there remained debate in the intelligence community about a possible government link.

Verizon was notified of the incident within the last two days, the company said in an e-mailed statement.

“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said in an e-mail. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”

‘Epidemic’

The confirmation that accounts were compromised came almost two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker, who previously sold data taken from LinkedIn and MySpace, posted information from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, citing the hacker, who uses the name Peace.

“All of this compromised information is very useful for criminals in order to hijack user identities and use them for fraudulent purposes,” said Avivah Litan, an analyst with Gartner. “Identity impersonation has become a global criminal epidemic and there are no simple solutions.”

Yahoo is encouraging users to review their accounts for suspicious activity and to change their password and security questions — along with answers for other online accounts where they use the same or similar information. The company also recommends users avoid clicking on links or downloading attachments from suspicious e-mails.

Many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 suggested much of the information was obsolete, made up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the material.

Data Spills

While the breach is a blow to Yahoo, more broadly it underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing, or with them only taking minimal action based on whatever data hackers tell them was taken.

LinkedIn said in May it was investigating whether a breach of more than 6 million users’ passwords in 2012 was bigger than originally thought, following a hacker’s attempt to sell what was purported to be login codes for 117 million accounts. LinkedIn said it appeared more data was taken in the initial attack and that the company was just learning about the larger amount through the hacker’s posting.

Like many internet companies that have been breached, LinkedIn only reset passwords of everyone it believed was part of the breach at the earlier time, which amounted to 6.5 million users.
