Socketosis, Posted September 23, 2016

https://www.theguardian.com/technology/2016/sep/22/yahoo-hack-data-state-sponsored

Quote: "Hackers stole the personal data associated with at least 500m Yahoo accounts, the Sunnyvale, California-based company confirmed today. Details including names, passwords, email addresses, phone numbers and security questions were taken from the company’s network in late 2014 by what was believed to be a state-sponsored hacking group. The company is investigating the breach with law enforcement but currently believes that credit card or bank details were not included in the stolen data. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” said the company in a statement."

I think this might be the final nail in the coffin for Yahoo.
Endless/Nameless, Posted September 23, 2016

yahoo is like going to the cheap shop by the mall that sells dodgy-looking imported goods on the cheap and purchasing a $15 android mini-tablet from hong kong
Saxon, Posted September 23, 2016

Two years is so long that all the damage is done.
Faust, Posted September 23, 2016

5 hours ago, Endless/Nameless said: "yahoo is like going to the cheap shop by the mall that sells dodgy-looking imported goods on the cheap and purchasing a $15 android mini-tablet from hong kong"

Nice analogy. Kinda like Facebook is going to the middle of one of the roughest bazaars in India and shouting at the top of your voice "I'M A GULLIBLE WESTERN TOURIST WITH TOO MUCH MONEY!"
Snagged, Posted September 23, 2016

Oh man, it's been so long since I used my Yahoo account. I bet the hacker(s) now know more about my account than I do, like the name of the account.
Feelwell, Posted September 23, 2016

Oh, two years. Good timing. I knew a guy who used Yahoo two years ago. Only Yahoo. Was weird. Yahoo mail, yahoo search engine, yahoo everything. He was a yahoo.
Jerry, Posted September 23, 2016

And I'm still using my Yahoo mail account... I could switch to Gmail, or reuse my decade-old Hotmail account I just retrieved; they would all be good moves at this point.
Deskai, Posted September 23, 2016

It's fine, 'cause you see THAT'S VERIZON'S PROBLEM NOW, as they own Yahoo.
Socketosis (Author), Posted September 23, 2016

5 hours ago, Jerry said: "And I'm still using my Yahoo mail account... I could switch to Gmail, or reuse my decade-old Hotmail account I just retrieved, they would all be good moves at this point."

Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit.
Jerry, Posted September 23, 2016

1 hour ago, Socketosis said: "Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit."

Very handy, especially when you don't have a mobile phone. Thankfully I have one, but that's still a big pile of BS.
Moogle, Posted September 24, 2016

4 hours ago, Socketosis said: "Gmail likes to do phone verification on new accounts these days. Yahoo is even worse in that you need a mobile phone in order to make a new account. I wish they would fuck off with their phone shit."

I flipped so much shit when I switched over to gmail recently, and only a day after I made it I had to do a text activation. Luckily (after being dumb for an hour) I found out that there was a home phone activation. Still annoying though, especially when they claimed that there was suspicious activity going on, yet when I checked the history logs for my gmail it only showed my IP accessing. Suspicious indeed!
Gamedog, Posted September 24, 2016

Lol, yahoo owns tumblr.
Socketosis (Author), Posted September 24, 2016

35 minutes ago, Moogle said: "I flipped so much shit when I switched over to gmail recently, and only a day after I made it had to do a text activation. Luckily (after being dumb for an hour) found out that there was a home phone activation. Still annoying though.. especially when they claimed that there was suspicious activity going on, yet when I checked the history logs for my gmail it only showed my IP accessing. Suspicious indeed!"

Yeah, that's EXACTLY what my mind went to upon seeing the suspicious activity page. They make it sound like someone got into your account, but it's some stupid thing to verify that you're not a bot.
Jerry, Posted December 19, 2016

Wait, there's more!

http://www.cbc.ca/news/technology/yahoo-data-breach-1.3896994

Another billion accounts compromised. That's right! I don't know how many users there are on Yahoo, but we must be getting pretty close to "all of them" at this point. I had already brought my old Hotmail account back from the dead when the first breach was made known to the public, but this seals it. Done with Yahoo. Thankfully it's never in my habit to put too much personal info on an online account, so I'm relatively serene.
Saxon, Posted December 19, 2016

@Jerry Do you know the significance of the data breach? What has the stolen data been used for exactly?
Vae, Posted December 19, 2016

People even still use Yahoo?
Saxon, Posted December 19, 2016

10 minutes ago, Vae said: "People even still use Yahoo?"

I think Gamedog mentioned that Yahoo owns other platforms, which we might not usually think of as 'Yahoo'. The breaches date back to 2013 and 2014 anyway, though.
Jerry, Posted December 19, 2016

@Saxon Quoting Yahoo itself: “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) [lolwut] and, in some cases, encrypted or unencrypted security questions and answers, [...] The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.”

Though I would be careful about that last statement. This kind of incident is the reason why I never disclose sensitive info, let alone bank account info, to any email service.

As for the purpose of the stolen data, it is still unclear. The first breach was made known when the details of 200 million accounts were put up for sale online. But it's said that the data could be used for other purposes than direct resale.
Faust, Posted December 19, 2016

5 minutes ago, Jerry said: "hashed passwords (using MD5) [lolwut]"

'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site.
Socketosis (Author), Posted December 19, 2016

11 minutes ago, Faust said: "'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site."

MD5 has had a collision vulnerability discovered in it for many years and is no longer the recommended hashing algorithm to use. Also, with the advancement of graphics card technology, "reversing" a hash generated from a weak algorithm takes a lot less time than it would using the CPU.
Jerry, Posted December 19, 2016

1 hour ago, Faust said: "'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site."

As @Socketosis said. MD5 has been considered insecure for passwords for years now, since 2004 at least, and probably even before. Apparently the collision vulnerability was discovered as early as 1996. Hashing passwords with MD5 in 1994 was certainly OK. But with all the newer, much more secure hash functions out there today, the only sensible use I see for MD5 is checksumming downloaded files for integrity.
ArielMT, Posted December 19, 2016 (edited)

2 hours ago, Faust said: "'Hashing' involves encoding data in such a way that it cannot ever be decoded again. There's no reasonable way to convert a hashed password back into the original password. MD5 is a common standard for doing this. The idea is that you can check the validity of a password by hashing it again and comparing it with the hash you have on record. By this means you do not have to store the genuine password in a location where a hacker might be able to get at it, but the hash itself is worthless and cannot be used to access the site."

If the password hashing method is neither inherently slow nor cryptographic, then deriving plaintext passwords from the hashes is trivial. Even salting hashes with a static salt isn't good enough, as the total all-accounts compromise of Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5. MD5 was never intended to be used for cryptographic security, only for simple data integrity checks. [Edit: I'm wrong about that; it actually was.]

As for what anyone could do with the Yahoo data pilfered, every single bit of even the most innocuous information is a piece of the puzzle that is your identity, and together it can be used to engage in all kinds of clever scams either in your name, against your family, friends, and acquaintances, or against your money. That much data can fetch a really nice price on the black market.

Yahoo really is run by a bunch of yahoos, and Verizon is discovering it like a moral crusader discovering e621.

Edited December 19, 2016 by ArielMT
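The exchange above (Faust's description of hash-and-compare verification, Socketosis's point that weak fast hashes can be "reversed" cheaply, and ArielMT's point that a static salt is not enough) can be shown concretely. The following is an added example written for this thread, not code from any poster or from Yahoo: it contrasts unsalted MD5, SHA-1 with a single site-wide salt, and PBKDF2-HMAC-SHA256 with a fresh random salt per account, using constructed sample passwords. The site-wide salt value, the user list and the iteration count are assumptions made for the demonstration (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; a lower count is used here so the demo runs quickly).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials: two users happen to share a password. Not real data.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

# Hypothetical site-wide salt, standing in for the "static salt" pattern the thread calls inadequate.
STATIC_SALT = b"one-salt-for-everyone"

# Demo iteration count (assumption); production guidance is far higher (OWASP: 600,000).
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Fast, unsalted MD5: the scheme quoted in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_static_salt(password: str) -> str:
    """A stronger hash, but one shared salt: identical passwords still give identical digests."""
    return hashlib.sha1(STATIC_SALT + password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Slow KDF with a random 16-byte salt per account; the salt is stored in the record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Faust's check: rehash the candidate with the stored salt and iterations, compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def distinct_stored_values(hash_fn, users=USERS) -> int:
    """How many different stored values the password database ends up holding."""
    return len({hash_fn(pw) for pw in users.values()})


def accounts_matched_by_precomputed_table(hash_fn, wordlist, users=USERS) -> int:
    """Build a lookup table once, without knowing any per-account salt, and count matching accounts.
    Unsalted or static-salted schemes let one table serve every account; with per-account random
    salts the table never lines up, so the full KDF cost must be paid again for each account."""
    table = {hash_fn(word): word for word in wordlist}
    stored = {name: hash_fn(pw) for name, pw in users.items()}
    return sum(1 for value in stored.values() if value in table)


if __name__ == "__main__":
    wordlist = ["password", "correct horse", "letmein"]  # constructed
    for label, fn in [("md5", md5_unsalted), ("sha1+static salt", sha1_static_salt), ("pbkdf2", pbkdf2_record)]:
        print(f"{label:>17}: {distinct_stored_values(fn)} distinct values, "
              f"{accounts_matched_by_precomputed_table(fn, wordlist)} account(s) matched by one table")
    rec = pbkdf2_record("hunter2")
    print("verify correct:", pbkdf2_verify("hunter2", rec), "| verify wrong:", pbkdf2_verify("hunter3", rec))
```

The two weak schemes store only two distinct values for three accounts, so a table computed once matches both accounts that share a password; the per-account-salted PBKDF2 records are all different and none are matched without redoing the work per account. Migrating an existing MD5 database to such a scheme does not need the plaintext: wrap the stored MD5 in PBKDF2 immediately, then replace the wrapped record with a plain PBKDF2 record the next time each user logs in.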
Jerry, Posted December 19, 2016

6 minutes ago, ArielMT said: "Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5"

That says everything. Even they didn't go that low.

7 minutes ago, ArielMT said: "MD5 was never intended to be used for cryptographic security, only for simple data integrity checks."

Even historically? I don't doubt that cracking MD5-hashed data was possible in the web's earliest years. But it couldn't be done at as large a scale as today, could it? Of course nowadays even the cheapest desktop graphics card can do it in seconds.
ArielMT, Posted December 19, 2016

12 minutes ago, Jerry said: "Even historically? I don't doubt that cracking MD5-hashed data was possible in the web's earliest years. But it couldn't be done at as large a scale as today, could it? Of course nowadays even the cheapest desktop graphics card can do it in seconds."

I appear to be wrong about its historical purpose. That acknowledged, its security flaws have been known for so long that experts have spent the last 20 years recommending against it.
Jerry, Posted December 19, 2016

7 minutes ago, ArielMT said: "I appear to be wrong about its historical purpose. That acknowledged, its security flaws have been known for so long that experts have spent the last 20 years recommending against it."

We're talking very early years here, before SHA existed. With this in mind it's almost unbelievable Yahoo still hashes passwords with MD5, which indeed has been cryptographically dead for 20 years now.
Hux, Posted December 19, 2016

I hope Yahoo dies and takes Tumblr to the grave with it. We're making the Internet great again and we gotta cull the weakest members.
Socketosis (Author), Posted December 20, 2016

6 hours ago, ArielMT said: "Even salting hashes with a static salt isn't good enough, as the total all-accounts compromise of Fur Affinity last May demonstrated, and they were using a hashing algorithm better than MD5."

They were using SHA1, which is also broken, teehee! Honestly I don't even use MD5 for checksums unless I have to, because SHA1 is 160 bits (vs 128) and I figure it's probably a bit more reliable.
ArielMT, Posted December 20, 2016

What makes Yahoo's decision more complacently boneheaded is that they actually have the money and resources to migrate their password security away from MD5 completely silently, and that's been the case since their IPO (which probably kicked off the dotcom bubble).
Saxon, Posted December 20, 2016

3 hours ago, Hux said: "I hope Yahoo dies and takes Tumblr to the grave with it. We're making the Internet great again and we gotta cull the weakest members."

Tumblr has some good...art.. on it. Also good porn.

ArielMT said: "What makes Yahoo's decision more complacently boneheaded is that they actually have the money and resources to migrate their password security away from MD5 completely silently, and that's been the case since their IPO (which probably kicked off the dotcom bubble)."

Hopefully they will learn their lesson, given that they stand to lose a lot of $$$ in their takeover now.
Vallium, Posted December 20, 2016

Ich, I still have yahoo sadly... mainly because with gmail it tends to link your email account to that Google social network shit, and that has ruined my life before since I don't want my contacts near my youtube account activity. There's probably a way out of it but I don't want the hassle.

What other mail account systems are there anyways?
Saxon, Posted December 20, 2016

1 minute ago, WolfNightV4X1 said: "Ich, I still have yahoo sadly... mainly because with gmail it tends to link your email account to that Google social network shit, and that has ruined my life before since I don't want my contacts near my youtube account activity. There's probably a way out of it but I don't want the hassle. What other mail account systems are there anyways?"

I have a gmail for professional content and a separate email for everything else... although the second email is managed by a company that was severely hacked recently.
Hux, Posted December 20, 2016

23 hours ago, Saxon said: "Tumblr has some good...art.. on it. Also good porn."

Yeah, but tumblr strikes me as weird and there are many other alternatives without the awkward interface. Also, people really go there for porn? It looks like it's all gifs and images. What is this, 1995?
Faust, Posted December 20, 2016

Yeah, I should have said 'cannot EASILY decrypt it', but I was trying to dumb it down for the layman.
Saxon, Posted December 20, 2016

14 hours ago, Hux said: /snips/

A lot of furries have tumblrs, but I suppose they are increasingly on twitter now.
Fossa, Posted December 20, 2016

Did they say what state sponsored it? Curious, here. I bet it was West Virginia, because they are so poor and addicted to hillbilly heroin, and coal is worth nothing anymore now that we have fracking, and all they have are banjos and moonshine to sell. Somebody should check into this.