Yahoo confirms 'state-sponsored' hackers stole personal data from 500m accounts


Socketosis

https://www.theguardian.com/technology/2016/sep/22/yahoo-hack-data-state-sponsored

Quote

Details including names, passwords, email addresses, phone numbers and security questions were taken from the company’s network in late 2014

Hackers stole the personal data associated with at least 500m Yahoo accounts, the Sunnyvale, California-based company confirmed today.

Details including names, passwords, email addresses, phone numbers and security questions were taken from the company’s network in late 2014 by what was believed to be a state-sponsored hacking group.

The company is investigating the breach with law enforcement but currently believes that credit card or bank details were not included in the stolen data.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” said the company in a statement.

I think this might be the final nail in the coffin for Yahoo.


5 hours ago, Endless/Nameless said:

yahoo is like going to the cheap shop by the mall that sells dodgy-looking imported goods on the cheap and purchasing a $15 android mini-tablet from hong kong

Nice analogy :) Kinda like Facebook is going to the middle of one of the roughest bazaars in India and shouting at the top of your voice "I'M A GULLIBLE WESTERN TOURIST WITH TOO MUCH MONEY!"


5 hours ago, Jerry said:

And I'm still using my Yahoo mail account... ¬¬

I could switch to Gmail, or reuse my decade-old Hotmail account I just retrieved; they would all be good moves at this point.

Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit.


1 hour ago, Socketosis said:

Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit.

Very handy, especially when you don't have a mobile phone.

Thankfully I have one but that's still a big pile of BS.


4 hours ago, Socketosis said:

Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit.

I flipped so much shit when I switched over to gmail recently, and only a day after I made it I had to do a text activation. Luckily (after being dumb for an hour) I found out that there was a home phone activation. Still annoying though, especially when they claimed that there was suspicious activity going on, yet when I checked the history logs for my gmail it only showed my IP accessing. Suspicious indeed!


35 minutes ago, Moogle said:

I flipped so much shit when I switched over to gmail recently, and only a day after I made it I had to do a text activation. Luckily (after being dumb for an hour) I found out that there was a home phone activation. Still annoying though, especially when they claimed that there was suspicious activity going on, yet when I checked the history logs for my gmail it only showed my IP accessing. Suspicious indeed!

Yeah, that's EXACTLY what my mind went to upon seeing the suspicious activity page. They make it sound like someone got into your account, but it's some stupid thing to verify that you're not a bot.


2 months later...

Wait, there's more!

http://www.cbc.ca/news/technology/yahoo-data-breach-1.3896994

Another billion accounts compromised. That's right! I don't know how many users there are on Yahoo, but we must be getting pretty close to "all of them" at this point.

I had already brought my old Hotmail account back from the dead when the first breach was made known to the public, but this seals it. Done with Yahoo. Thankfully it's never in my habit to put too much personal info on an online account, so I'm relatively serene.


@Saxon Quoting Yahoo itself: “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) [lolwut] and, in some cases, encrypted or unencrypted security questions and answers, [...] The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.”

Though I would be careful about that last statement. This kind of incident is the reason why I never disclose sensitive info, let alone bank account info, to any email service.

As for the purpose of the stolen data, it is still unclear. The first breach was made known when the details of 200 million accounts were put up for sale online. But it's said that the data could be used for other purposes than direct resale.


5 minutes ago, Jerry said:

hashed passwords (using MD5) [lolwut]

'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site.


11 minutes ago, Faust said:

'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site.

MD5 has had a collision vulnerability discovered in it for many years and is no longer the recommended hashing algorithm to use. Also, with the advancement of graphics card technology, "reversing" a hash generated from a weak algorithm takes a lot less time than it would using the CPU.


1 hour ago, Faust said:

'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site.

As @Socketosis said.

MD5 has been considered insecure for passwords for years now, since 2004 at least, and probably even before. Apparently the collision vulnerability was discovered as early as 1996.

Hashing passwords with MD5 in 1994 was certainly OK. But with all the newer, much more secure hash functions out there today, the only sensible use I see for MD5 is checksumming downloaded files for integrity.


2 hours ago, Faust said:

'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site.

If the password hashing method is neither inherently slow nor cryptographic, then deriving plaintext passwords from the hashes is trivial.  Even salting hashes with a static salt isn't good enough, as the total all-accounts compromise of Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5.

MD5 was never intended to be used for cryptographic security, only for simple data integrity checks.  [Edit: I'm wrong about that; it actually was.]

As for what anyone could do with the Yahoo data pilfered, every single bit of even the most innocuous information is a piece of the puzzle that is your identity, and together it can be used to engage in all kinds of clever scams either in your name, against your family, friends, and acquaintances, or against your money. That much data can fetch a really nice price on the black market.

Yahoo really is run by a bunch of yahoos, and Verizon is discovering it like a moral crusader discovering e621.

Edited by ArielMT
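An added worked example, not code from anyone in this thread, to make two of the points above concrete: Faust's description of password verification as "hash it again and compare", and ArielMT's point that a fast hash, even with a site-wide static salt, lets an attacker recover passwords from a leaked hash table, whereas a per-user salt with a deliberately slow KDF forces the attacker to redo the slow work for every account and every guess. The wordlist, the four accounts and the site-wide salt are constructed for the demo; the PBKDF2 iteration count is kept artificially low (2000) so the example runs instantly, and real deployments use far higher counts.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist, standing in for a multi-million-line leaked list.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "dragon"]

# Constructed sample accounts; only dave chose something not on the list.
ACCOUNTS = {
    "alice": "letmein",
    "bob": "hunter2",
    "carol": "letmein",
    "dave": "Tr0ub4dor&3!",
}

# Hypothetical site-wide salt, included to show why a static salt does not help.
STATIC_SALT = "example-site-salt"

# Deliberately tiny for the demo; production counts are hundreds of thousands.
DEMO_ITERATIONS = 2000


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def store_unsalted(accounts):
    """What an MD5(password) table looks like: same password, same hash."""
    return {user: md5_hex(pw) for user, pw in accounts.items()}


def store_static_salt(accounts, salt=STATIC_SALT):
    """MD5(salt || password) with one salt for the whole site."""
    return {user: md5_hex(salt + pw) for user, pw in accounts.items()}


def store_per_user(accounts, iterations=DEMO_ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    records = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records[user] = (salt, iterations, dk)
    return records


def verify_per_user(password: str, record) -> bool:
    """Faust's 'hash it again and compare', done in constant time."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_with_table(leaked, wordlist, salt=""):
    """Attack on unsalted or static-salted MD5: hash the wordlist ONCE,
    then every leaked hash is a dictionary lookup. Returns the recovered
    passwords and how many hashes the attacker had to compute in total."""
    table = {md5_hex(salt + word): word for word in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def crack_per_user(leaked, wordlist):
    """Attack on per-user-salted PBKDF2: the salt differs per account, so
    the table trick is gone and each guess is one slow KDF call per account."""
    found = {}
    kdf_calls = 0
    for user, record in leaked.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_per_user(word, record):
                found[user] = word
                break
    return found, kdf_calls


if __name__ == "__main__":
    unsalted = store_unsalted(ACCOUNTS)
    # Identical hashes already tell the attacker alice and carol share a password.
    print("alice == carol hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted:", crack_with_table(unsalted, WORDLIST))
    print("static salt:", crack_with_table(store_static_salt(ACCOUNTS), WORDLIST, STATIC_SALT))
    print("per-user salt + PBKDF2:", crack_per_user(store_per_user(ACCOUNTS), WORDLIST))
```

Against the unsalted and static-salted stores the attacker computes six MD5 values and cracks three of the four accounts by lookup; the site-wide salt only changes which six values go in the table. Against the per-user store the attacker has to run the KDF once per guess per account (17 calls here, 3 + 5 + 3 for the three list passwords and all 6 for dave), and with a realistic iteration count each of those calls is thousands of times slower than an MD5.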

6 minutes ago, ArielMT said:

Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5

That says everything. Even they didn't go that low.

7 minutes ago, ArielMT said:

MD5 was never intended to be used for cryptographic security, only for simple data integrity checks.

Even historically? I don't doubt that cracking MD5-hashed data was possible in the web's earliest years. But it couldn't be done at as large a scale as today, could it? Of course nowadays even the cheapest desktop graphics card can do it in seconds.


12 minutes ago, Jerry said:

Even historically? I don't doubt that cracking MD5-hashed data was possible in the web's earliest years. But it couldn't be done at as large a scale as today, could it? Of course nowadays even the cheapest desktop graphics card can do it in seconds.

I appear to be wrong about its historical purpose.

That acknowledged, its security flaws have been known for so long that experts have spent the last 20 years recommending against it.


7 minutes ago, ArielMT said:

I appear to be wrong about its historical purpose.

That acknowledged, its security flaws have been known for so long that experts have spent the last 20 years recommending against it.

We're talking very early years here, before SHA existed.

With this in mind it's almost unbelievable Yahoo still hashes passwords with MD5, that indeed has been cryptographically dead for 20 years now.


6 hours ago, ArielMT said:

Even salting hashes with a static salt isn't good enough, as the total all-accounts compromise of Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5.

They were using SHA1, which is also broken teehee!

Honestly I don't even use MD5 for checksums unless I have to, because SHA1 is 160 bits (vs 128) and I figure it's probably a bit more reliable.


What makes Yahoo's decision more complacently boneheaded is that they actually have the money and resources to migrate their password security away from MD5 completely silently, and that's been the case since their IPO (which probably kicked off the dotcom bubble).


3 hours ago, Hux said:

I hope Yahoo dies and takes Tumblr to the grave with it. 

We're making the Internet great again and we gotta cull the weakest members. 

Tumblr has some good...art.. on it.

Also good porn.

What makes Yahoo's decision more complacently boneheaded is that they actually have the money and resources to migrate their password security away from MD5 completely silently, and that's been the case since their IPO (which probably kicked off the dotcom bubble).

Hopefully they will learn their lesson, given that they stand to lose a lot of $$$ in their takeover now.


Ich -_- I still have yahoo sadly...

mainly because with gmail it tends to link your email account to that Google social network shit, and that has ruined my life before since I don't want my contacts near my youtube account activity. There's probably a way out of it but I don't want the hassle.

What other mail account systems are there anyways? 


1 minute ago, WolfNightV4X1 said:

Ich -_- I still have yahoo sadly...

mainly because with gmail it tends to link your email account to that Google social network shit, and that has ruined my life before since I don't want my contacts near my youtube account activity. There's probably a way out of it but I don't want the hassle.

What other mail account systems are there anyways? 

I have a gmail for professional content and a separate email for everything else...although the second email is managed by a company that was severely hacked recently.


23 hours ago, Saxon said:

Tumblr has some good...art.. on it.

Also good porn.

Yeah, but tumblr strikes me as weird and there are many other alternatives without the awkward interface.

Also, people really go there for porn? It looks like it's all gifs and images. What is this, 1995?


Did they say what state sponsored it? Curious, here. 

I bet it was West Virginia, because they are so poor and addicted to hillbilly heroin, and coal is worth nothing anymore now that we have fracking, and all they have are banjos and moonshine to sell. Somebody should check into this. 
