Yahoo hack

MichaelB

Looks like Yahoo has been hacked again, this time it looks like lots of info was obtained. Time to change passcodes.

From Ars Technica: Yahoo says half a billion accounts breached by nation-sponsored hackers | Ars Technica
At least half a billion Yahoo accounts have been breached by what investigators believe is a nation-sponsored hacking operation. Attackers probably gained access to a wealth of holders' personal information, including names, e-mail addresses, phone numbers, birth dates, answers to security questions, and cryptographically protected passwords.
 
It happened in late 2014 and they are just now letting us know? Sheesh...

Glad I've changed my password a couple of times since the hack.
 
"I am shocked — shocked — to find that hacking is going on in there!"
 
It happened in late 2014 and they are just now letting us know? Sheesh...

Glad I've changed my password a couple of times since the hack.

Did you change your challenge answers too? Just watching the news today and that info got hacked also.

I don't use my Yahoo accounts much anymore, but still am going to do same changing just to be sure.
 
I disabled them.

Several months ago I set up a two-level verification, so I have to respond to a text message to my phone in order to log in.

Nice. Good idea.
 
I disabled them.

Several months ago I set up a two-level verification, so I have to respond to a text message to my phone in order to log in.
I always worry that I will lose my email capability if on vacation and the phone becomes disabled, lost, or stolen.

For Yahoo, I just use another email account to verify ... and a very strong password stored in Lastpass password manager.
 
When things like this happen and state sponsored hacking is possibly involved, I worry that information is being stored for future use. Not just for modest scams but for huge economic destabilization.

Should a real cyberwar break out, things could get nasty for all of us.

And if you are doing compromising things with your computer, hopefully you are not in a sensitive position that offers espionage potential. Maybe I'm reading too many spy novels? :blush:
 
When things like this happen and state sponsored hacking is possibly involved, I worry that information is being stored for future use. Not just for modest scams but for huge economic destabilization.

Should a real cyberwar break out, things could get nasty for all of us.

And if you are doing compromising things with your computer, hopefully you are not in a sensitive position that offers espionage potential. Maybe I'm reading too many spy novels? :blush:

I think the cyberwar has already started. Just check out the current headlines. Something like exposing a very high profile person's passport should be considered a war crime. Well, maybe not as bad as a war crime, but not the new norm.

I went ahead and disabled two Yahoo email accounts that I don't really use anyhow.

Reading about the Yahoo hack. The info gets sold in the underground so the bad guys can try out the stolen/passwords to steal financial information. The success rate is only about 1-2%. That's where good long passwords and hard to guess challenge answers come in. 1-2% but of 500M is still pretty big.
 
I think the cyberwar has already started. Just check out the current headlines. Something like exposing a very high profile person's passport should be considered a war crime. Well, maybe not as bad as a war crime, but not the new norm.

I went ahead and disabled two Yahoo email accounts that I don't really use anyhow.

Reading about the Yahoo hack. The info gets sold in the underground so the bad guys can try out the stolen/passwords to steal financial information. The success rate is only about 1-2%. That's where good long passwords and hard to guess challenge answers come in. 1-2% but of 500M is still pretty big.
Maybe not quite a cyberwar yet but definitely probing and worse (like the North Korean incident with Sony). We don't really know all the detail and can only see the tip of the iceberg.

On those challenge questions, I notice that Yahoo suggests removing them entirely. Are they not just passwords in another form? If one uses dictionary words for the answers, maybe that is a security issue.
 
Maybe not quite a cyberwar yet but definitely probing and worse (like the North Korean incident with Sony). We don't really know all the detail and can only see the tip of the iceberg.

On those challenge questions, I notice that Yahoo suggests removing them entirely. Are they not just passwords in another form? If one uses dictionary words for the answers, maybe that is a security issue.

That North Korea thing is scary. +1 about the tip of the iceberg as only what we know.

My Yahoo account is mixed with my old ATT account when I had DSL. Don't even see where I can remove the challenge question as navigating with that set up sure is not friendly. I don't even use that email anymore since switching providers. My challenge answers and passwords are now randomized.
 
Maybe not quite a cyberwar yet but definitely probing and worse (like the North Korean incident with Sony). We don't really know all the detail and can only see the tip of the iceberg.

On those challenge questions, I notice that Yahoo suggests removing them entirely. Are they not just passwords in another form? If one uses dictionary words for the answers, maybe that is a security issue.

1) The problem with challenge questions is sometimes they are not encrypted at all. Think of when you phone into a bank or some place and they ask you some security questions to confirm you are you.
If they ask any of your challenge questions (mother's maiden name, your first pet, etc.) and can confirm you got it correct, it's very likely not encrypted.
So anyone who gets a copy of the database has all your challenge answers. Now they effectively have a password to your site.

2) The other problem is people answer the challenge questions honestly so they will remember them. "Street you lived on in high school" is Frank St. Well, use of FB, research of streets around the school, streets your childhood friends lived on, etc. all will reveal the answers.
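
Added example, not part of any post in this thread: a Python sketch of the two points above, storing a challenge answer as a salted hash so a database copy holds no readable answer, and checking whether an honest answer still falls to a short list of researchable candidates. The PBKDF2 work factor, the function names and the street list are assumptions made for this illustration.

```python
import hashlib, hmac, secrets, unicodedata

ITERATIONS = 200_000  # PBKDF2 work factor picked for this example (assumption)

def normalize(answer: str) -> bytes:
    """Case-fold and collapse whitespace so ' frank  ST ' matches 'Frank St'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")

def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)

def enroll(answer: str) -> dict:
    """Build the record a site would store: per-answer salt and hash, no plaintext."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": _digest(answer, salt).hex()}

def verify(record: dict, attempt: str) -> bool:
    """Check a typed answer against the stored record in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _digest(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)

def random_answer() -> str:
    """Randomized answer to keep in a password manager instead of a real fact."""
    return secrets.token_urlsafe(16)

def survives_guess_list(record: dict, candidates: list) -> bool:
    """True if none of the researchable candidates matches the stored answer."""
    return not any(verify(record, c) for c in candidates)

# Constructed sample data: street names someone could collect from public sources.
NEARBY_STREETS = ["Main St", "Oak Ave", "Frank St", "Elm St"]

if __name__ == "__main__":
    honest = enroll("Frank St")
    randomized = enroll(random_answer())
    print("stored record:", honest)
    print("typed variant accepted:", verify(honest, " frank  ST "))
    print("honest answer survives list:", survives_guess_list(honest, NEARBY_STREETS))
    print("random answer survives list:", survives_guess_list(randomized, NEARBY_STREETS))
```

Hashing only protects the stored copy; an answer that can be looked up is still weak, which is why the randomized answer is the one that survives the candidate list.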
 
1) The problem with challenge questions is sometimes they are not encrypted at all. Think of when you phone into a bank or some place and they ask you some security questions to confirm you are you.
If they ask any of your challenge questions (mother's maiden name, your first pet, etc.) and can confirm you got it correct, it's very likely not encrypted.
So anyone who gets a copy of the database has all your challenge answers. Now they effectively have a password to your site.

2) The other problem is people answer the challenge questions honestly so they will remember them. "Street you lived on in high school" is Frank St. Well, use of FB, research of streets around the school, streets your childhood friends lived on, etc. all will reveal the answers.

Just curious, what leads you to say this?
 
Do people actually use yahoo mail for any sensitive information?
The only real thing on my account is my cell number so I can recover my password if I forget it. I only use it to gather information from companies and such. Makes a great spam filter.
 
Do people actually use yahoo mail for any sensitive information?
The only real thing on my account is my cell number so I can recover my password if I forget it. I only use it to gather information from companies and such. Makes a great spam filter.
Things I've used it for: travel reservation confirms, Amazon purchase confirms, friends, other site email correspondence. Have not used it for financial information (to or from).
 
Do people actually use yahoo mail for any sensitive information?
The only real thing on my account is my cell number so I can recover my password if I forget it. I only use it to gather information from companies and such. Makes a great spam filter.

My bigger fear is if someone assumes my email and then starts using the email for illegal activity.
 
My bigger fear is if someone assumes my email and then starts using the email for illegal activity.

If you change your password and challenge questions then this should not be an issue for you with this current hack.

Of larger concern to me is the leaked security questions and any overlap with any other accounts that I have (especially those without multi-factor authentication).

So has anyone/everyone received personalized notification from yahoo about this yet? I have not -- I only heard about it on the radio this evening. I suspect I may receive notification in coming days but in the interim I am curious what other yahoo's experience has been wrt notification.

-gauss
 
If you change your password and challenge questions then this should not be an issue for you with this current hack.

Of larger concern to me is the leaked security questions and any overlap with any other accounts that I have (especially those without multi-factor authentication).

So has anyone/everyone received personalized notification from yahoo about this yet? I have not -- I only heard about it on the radio this evening. I suspect I may receive notification in coming days but in the interim I am curious what other yahoo's experience has been wrt notification.

-gauss

Haven't received any notification. But went ahead and disabled 2 emails and changed the password and challenge answers for another.

Hackers have no shame. Now there's news that Pippa Middleton got family photos hacked with the intent of hackers selling them.


Pippa Middleton’s iCloud account has been hacked, it has emerged.
It is believed a number of personal photos of the Duchess of Cambridge's sister have been accessed in the unlawful hack, including images of Prince George and Princess Charlotte.
In a statement issued by her lawyers, Ms Middleton confirmed her account had been unlawfully accessed. Her representatives say the hackers are trying to sell the private photographs to publications.

Pippa Middleton photos leak: Images stolen in iCloud account hack | The Independent
 
I just did a count of the number of accounts stored in my Lastpass vault. It is very close to 400.

Am I really expected to visit every one of these accounts, try to figure out if security questions are even used and then exclude the yahoo ones?

This could be at least a 9-5 project for a week (lunches not included!)

If I do take this on, I will be sure to document all of the security questions/answers in the Lastpass notes for the account, so that security question overlap can be identified much quicker for the next breach.

-gauss
 
RE two level verification:

I always worry that I will lose my email capability if on vacation and the phone becomes disabled, lost, or stolen. ....

That's my concern as well. How do I handle this?

I gave up an old email address years ago - it was tied to the ISP. I did a good job of getting everything and everyone updated to my new gmail address. But I forgot one, when I realized it sends out an annual message, and that date came and went.

It wasn't important, so I didn't put much effort into it, but I didn't see any way to retrieve that account without my old email address.

Sounds like I need to report it stolen/lost to get a new SIM with the same phone #? I guess I'd want to do that anyhow, but there would be some delay.

-ERD50
 
I just did a count of the number of accounts stored in my Lastpass vault. It is very close to 400.

Am I really expected to visit every one of these accounts, try to figure out if security questions are even used and then exclude the yahoo ones?

This could be at least a 9-5 project for a week (lunches not included!)
And then, a similar breach could happen at Yahoo or somewhere else next week. :mad: You can't possibly do what you are describing every time something like this happens. Neither can anybody else.

Nothing on the internet is completely secure. I hate that but I believe it to be true. All we can do, is what we can do.
 