Yahoo hack

And then, a similar breach could happen at Yahoo or somewhere else next week. :mad: You can't possibly do what you are describing every time something like this happens. Neither can anybody else.

Nothing on the internet is completely secure. I hate that but I believe it to be true. All we can do, is what we can do.


This is why I like to just randomize my security answers.

One site may have something like:

Q. "What's your dog's name?"
A. Dog ³fE4D+


Another site may have:

Q. "What's your dog's name?"
A. Dog EL$2OU

That way, all my answers are unique so a hack only impacts that account and not throughout all my id/password/answers.
 
Just curious, what leads you to say this?

I worked in IT, did software used by all the big bank employees and lots of other software at other companies. Some were good about security, others not.

I have seen that encryption was not used a lot in various companies. There are 2 common ways to encrypt the web users' data (1-way and 2-way).

Hopefully by now for passwords the 1-way is used everywhere, but if you ever click on "forgot password" and they send it to you, you can be sure it's not 1-way. Nobody can read a 1-way encrypted password as it cannot be decrypted. The system compares what you typed in after encrypting it to the stored value and if they match, then you must have typed in the password.

2-way means the system can decrypt it using a key, which of course means if the database is stolen they very likely have the key too.

The other way is to store it in plain text, which is easy.

If the rep can read the challenge question, it means it is probably not encrypted, (it could be done in the 2-way manner, but that is not much better for security). Frankly it's rare that anyone considers challenge questions needing security like passwords.

I've even had Reps give me clues as to my mother's maiden name (which was not a real name) :facepalm:
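The 1-way scheme the post above describes, as an added example that is not code from the thread or from any site it mentions: a salted PBKDF2 digest is stored, and a login or a challenge answer is checked by re-hashing what was typed. It also shows why the per-site random answers suggested earlier in the thread stay independent of each other. The iteration count is an assumption chosen for this example.

```python
# Added example, not from the thread: one-way (hashed) storage of a password or
# challenge answer, and verification by re-hashing what the user typed.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: example setting; tune for your own hardware


def normalize_answer(answer: str) -> str:
    """Challenge answers are normally checked case- and spacing-insensitively."""
    return " ".join(answer.strip().lower().split())


def store_secret(secret: str, salt=None) -> dict:
    """Return what the database holds: a random salt and the one-way digest.

    The secret itself is never stored, so a 'forgot password' flow cannot
    mail it back; it can only let the user set a new one.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify_secret(typed: str, record: dict) -> bool:
    """Re-derive the digest from the typed value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", typed.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def store_answer(answer: str) -> dict:
    """Challenge-question answers deserve the same one-way treatment as passwords."""
    return store_secret(normalize_answer(answer))


def verify_answer(typed: str, record: dict) -> bool:
    return verify_secret(normalize_answer(typed), record)


if __name__ == "__main__":
    # Two sites, two unrelated random answers (the values from the post above).
    site_a = store_answer("Dog ³fE4D+")
    site_b = store_answer("Dog EL$2OU")
    print(verify_answer("dog ³fe4d+", site_a))   # True
    print(verify_answer("Dog ³fE4D+", site_b))   # False: site A's answer is useless at site B
    print(site_a["digest"] != site_b["digest"])  # True: nothing links the two records
```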
 
I just did a count of the number of accounts stored in my Lastpass value. It is very close to 400.

Am I really expected to visit every one of these accounts, try to figure out if security questions are even used and then exclude the yahoo ones?

This could be at least a 9-5 project for a week (lunches not included!)

If I do take this on, I will be sure to document all of the security questions/answers in the Lastpass notes for the account, so that security question overlap can be identified much quicker for the next breach.

-gauss

I use random, different answers for all challenge questions so no cross-site commonality.

I store my answers in the notes section of my password manager for each site.
 
All these hacks (and my losing two custom-built websites because of one of them) are why I do not do banking online.

There is no longer anything secure about secure socket.
 
Do people actually use yahoo mail for any sensitive information?
The only real thing on my account is my cell number so I can recover my password if I forget it. I only use it to gather information from companies and such. Makes a great spam filter.

They don't even have a cell number for me, and I think the original email address that I used to open the yahoo account no longer exists. I just use it for a spam filter, some product registrations so I'll know about a recall if one happens, craigslist if I'm buying/selling something, that sort of thing. Normally I look at it about once a week.

And right now I'm using it with some family members to plan a surprise birthday party for DW. That way she won't see any of those planning messages.
 
All these hacks (and my losing two custom-built websites because of one of them) are why I do not do banking online.

There is no longer anything secure about secure socket.
I would hate to go way back to US post and checks.

As some from this site have suggested, I've upped my automation but check my accounts more frequently. On my phone I can use Lastpass to get into accounts easily for checks. Having a fingerprint reader on the phone is very nice as Lastpass can see that. So far no problems.
 
I had an old and infrequently used Yahoo account that I tried to delete yesterday. The site recognized my user name, but not my password, so I tried to recover/reset my password, and as a challenge question it wanted a few digits from an old work cellphone number that I can no longer recall, and there was no other way to get around that and no way to contact Yahoo. What a screwed up customer service capability, especially in light of the hack.
 
And then, a similar breach could happen at Yahoo or somewhere else next week. :mad: You can't possibly do what you are describing every time something like this happens. Neither can anybody else.

Nothing on the internet is completely secure. I hate that but I believe it to be true. All we can do, is what we can do.

Thanks

Perhaps I will take solace in the fact that most computer sites will not let you in with just correct security question answers, but also require access to the email account of record.

I guess going forward I will start documenting security question/answers with the rest of my LastPass data.

It would be really nice if yahoo would let individual account holders know what type of data was lost for their account (i.e. was it encrypted or unencrypted security questions/answers). Failing that, at least perhaps a statistical breakdown (i.e. 98% encrypted, 2% unencrypted).

-gauss
 
Boy did I do something dumb yesterday when I changed my password. I told Yahoo to delete my security questions without looking to see what the questions and answers were. Now I don't know if or what security questions I need to change at other sites.
 
Anyone using Yahoo mail and checking your account activity? Learned how to do that on some thread here in Sept. 2016 when the Yahoo hack was being publicized. It shows what browser & OS were used as well as the location at various times.

I've been checking periodically since I changed the password a few months ago with nothing strange showing... until today, when it showed a strange computer using Windows (which I don't use) in a location where I haven't been... so I changed my password again. A useful tool to check periodically.
 
Anyone using Yahoo mail and checking your account activity? Learned how to do that on some thread here in Sept. 2016 when the Yahoo hack was being publicized. It shows what browser & OS were used as well as the location at various times.

I've been checking periodically since I changed the password a few months ago with nothing strange showing... until today, when it showed a strange computer using Windows (which I don't use) in a location where I haven't been... so I changed my password again. A useful tool to check periodically.
And this tool is where?
 
And this tool is where?

When in Yahoo mail, for me it is in the upper right hand corner. I forget the exact words, but there is a box with something like "account info". Click on the box and there will be, on the left side, items like account security (you can change your password here) and account activity. The latter is the one that will show you a monitor of periodic past sessions: the browser/operating system/location. I almost stopped looking because it seemed like the same old thing each time until today...

That box on the upper right corner has an arrow that you can click that will result in those items in a pop-down list so you can go directly to account activity.

Just realized that DW's Yahoo mail looks somewhat different than mine. Hers has a gear in the upper right hand corner. Hover over that and a drop down menu shows "account info" at the bottom of the list. Click on that and then select account activity.
 
Anyone using Yahoo mail and checking your account activity? Learned how to do that on some thread here in Sept. 2016 when the Yahoo hack was being publicized. It shows what browser & OS were used as well as the location at various times.

I've been checking periodically since I changed the password a few months ago with nothing strange showing... until today, when it showed a strange computer using Windows (which I don't use) in a location where I haven't been... so I changed my password again. A useful tool to check periodically.

You changed your password after the hack and then someone got into your account using the new password? Yahoo has abdicated the responsibility to ensure no hackers to the user? Why are you still using Yahoo?
 
You changed your password after the hack and then someone got into your account using the new password? Yahoo has abdicated the responsibility to ensure no hackers to the user? Why are you still using Yahoo?
How do you conclude this?

I also have gmail, but why should I cut off Yahoo? They have been good to me for years. True, I've had to be patient with their tweaking of the service but in the end it's been fine for my family.
 
Getting hacked is unfortunate, but it happens to the best of them.

Getting hacked two years ago and keeping it from the people whose information is at risk is irresponsible, IMHO.

I am leaving Yahoo.
 
How do you conclude this?

I also have gmail, but why should I cut off Yahoo? They have been good to me for years. True, I've had to be patient with their tweaking of the service but in the end it's been fine for my family.

I have gmail. I don't have to check on a regular basis to see if someone else has been using my account. That, IMHO, is moving the responsibility of checking for hackers to the user. Does that mean my gmail account will never be hacked? - probably not, but I really don't want to have to monitor its status every day either. It would definitely be interesting to find out the circumstances about someone else either getting into your account or possibly just attempting to get into your account. In any case, you have a lot more patience than I. :)

- Hermit
 
Getting hacked is unfortunate, but it happens to the best of them.

Getting hacked two years ago and keeping it from the people whose information is at risk is irresponsible, IMHO.

I am leaving Yahoo.
I agree that it's irresponsible to keep it from users. I haven't been reading the news on this event.

That said, even if some bad guys got into the Yahoo computers, if one uses a strong password it is unlikely (in my opinion) that anything bad will happen. That is because the data stolen would be encrypted and difficult to parse unless the password were a stupid one. I bet the people who got hacked would be the ones who violated basic advice like using very strong passwords or not clicking on links that invite a divulgence of the password.

Today I saw an article on the DNC hack job. The article was not definitive but one could infer from it that the victim of the attack fell for clicking on a "Google" link within the bogus email to change his password. :facepalm: He could have simply changed his password through a known Google link but that was apparently not done. If I am right, this was not really a sophisticated hack but a common tactic of hackers.
 
Today I saw an article on the DNC hack job. The article was not definitive but one could infer from it that the victim of the attack fell for clicking on a "Google" link within the bogus email to change his password. :facepalm: He could have simply changed his password through a known Google link but that was apparently not done. If I am right, this was not really a sophisticated hack but a common tactic of hackers.

From what I read in the DNC case, the user did what he should have done: the staff contacted the IT department and asked if the request was legit. The guy in the IT department looked at it and said it was legit and to make the change immediately. I'm guessing the guy in the IT department is busy looking for a new job.
 
From what I read in the DNC case, the user did what he should have done: the staff forwarded the notice to the IT department and asked if the request was legit. The guy in the IT department looked at it and said it was legit and to make the change immediately. I'm guessing the guy in the IT department is busy looking for a new job.
Yes the IT guy screwed up. But the person who owned the password ultimately screwed up big time by clicking on the provided link instead of going to the true Google site through a known good link.

We've all clicked on provided links from friends before. This should only be done if you think it is safe and if you are not the administrator of the machine (so you won't click on a bogus malware install link and actually install malware). One should *never* click on a provided link to a critical account like a financial account or one that asks ultimately for your password.

I've received email from Vanguard that was legitimate and provided a "helpful" link to their website. I never use it and just go to my known link. They may have stopped this stupid practice.

I hope someday this sort of tactic is stopped by software. Seems like we need a link monitor that examines email links and warns if it is suspect. I think I have such software with "Ublock Origin" in Firefox (available as an add-on). I also think that the paid version of Malwarebytes examines Google links for issues. But please note, these are just my thoughts and I am not a security expert.
 
That said, even if some bad guys got into the Yahoo computers, if one uses a strong password it is unlikely (in my opinion) that anything bad will happen. That is because the data stolen would be encrypted and difficult to parse unless the password were a stupid one. I bet the people who got hacked would be the ones who violated basic advice like using very strong passwords or not clicking on links that invite a divulgence of the password.

I would never assume that all data at rest is encrypted! Even passwords! I know of too many implementations where that is not the case.

It's possible on most platforms today, but many systems sadly do not use it. Most, if not all, DBMSs support it, but there can be issues. The DBMS can do equality and inequality operations easily, but range operations result in full table scans. OK for some things, not good for multi-million-row tables. Throw in a few joins and it can get really ugly.
 
Yes the IT guy screwed up. But the person who owned the password ultimately screwed up big time by clicking on the provided link instead of going to the true Google site through a known good link.

If an IT department tells a worker to do something a high percentage of them are likely to do it.
 
Makes sense to me
 

But did the IT guy say "click the provided link". Possibly not. I don't think we know the answer.

Maybe not specifically but by stating the email was legit, which he knew had the link in it, is the same as saying go ahead and click it.
 