The Hacking of Yahoo

Last week, Yahoo! announced that it was hacked pretty massively in 2014. Over half a billion usernames and passwords were affected, making this the largest data breach of all time.

Yahoo! claimed it was a government that did it:

A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor.

I did a bunch of press interviews after the hack, and repeatedly said that "state-sponsored actor" is often code for "please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that."

Well, it turns out that Yahoo! had shoddy security and it was a bunch of criminals that hacked them. The first story is from the New York Times, and outlines the many ways Yahoo! ignored security issues.

But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems.

The second story is from the Wall Street Journal:

InfoArmor said the hackers, whom it calls "Group E," have sold the entire Yahoo database at least three times, including one sale to a state-sponsored actor. But the hackers are engaged in a moneymaking enterprise and have "a significant criminal track record," selling data to other criminals for spam or to affiliate marketers who aren't acting on behalf of any government, said Andrew Komarov, chief intelligence officer with InfoArmor Inc.

That is not the profile of a state-sponsored hacker, Mr. Komarov said. "We don't see any reason to say that it's state sponsored," he said. "Their clients are state sponsored, but not the actual hackers."

Posted on September 30, 2016 at 6:16 AM • 40 Comments

Comments

John Doe • September 30, 2016 6:39 AM

I wonder to what extent the takeover plays a part?

If nothing else, maybe, Yahoo IT laid down on the job, or many were laid off pending the takeover, demoralizing the rest. Frankly, it seems more than coincidental that after all these years the user base gets snagged on the brink of the buyout.

On a more personal vein:

Seems my personal data gets stolen once or twice every year. My credit cards never get old anymore, they are re-issued due to the latest hack. My Yahoo account, with the totally fake data, which I never use, no doubt was swept away in the latest debacle.

Seems getting your internet account stolen is the norm now. Yet the corporations and government keep demanding more and more data from us because:

Security.

Robert.Walter • September 30, 2016 6:59 AM

I've been suspecting for some time that "State Sponsored" and "working w/ Law Enforcement" were twin code cards being played, instead of a timely mea culpa/disclosure, for "get out of crap security jail" and "get out of timely disclosure jail" respectively.

If the allegations are true, I hope, if possible, Ms. Mayer is terminated, prosecuted and subject to civil actions by Yahoo! to clawback salary, bonuses and stock awards from the time she began rejecting requests for improvements in Yahoo! security.

Ms. Mayer went to Yahoo! and was entrusted with protecting people's vital assets as well as their jobs and equity investments and all we got were lousy acquisitions, Katie Couric and a lousy new logo. She needs to go and the board needs to aggressively clawback her incompetently earned gains as well as give back their own.

Robert.Walter • September 30, 2016 7:17 AM

From NYT:

"In defense of Yahoo’s security, a company spokeswoman, Suzanne Philion, said the company spent $10 million on encryption technology in early 2014, and that its investment in security initiatives will have increased by 60 percent from 2015 to 2016.

“At Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure,” she said."

Seems like the 10M$ was too little too late, and it as well as the 60% increase were reactive. More examples of board and executive incompetence.

Clive Robinson • September 30, 2016 8:05 AM

With regards,

    Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses...

The real question is: was she behaving rationally?

The answer actually depends on your emotional viewpoint rather than the way it's been presented.

The first thing you have to understand is, the amount of money you do or do not spend on most forms of ICT security, has little or nothing to do with being attacked.

That is, beyond a certain minimum amount of money you do or do not spend on ICT security, most of it is wasted.

This is because of the simple fact that with connected systems they are all vulnerable at many points in their life cycle due to zero day attacks. Thus in such a vast "target rich environment" it is the attacker not the defender who decides if the site is attacked.

Further almost by definition those who find zero day attacks and build attack tools with them are in the upper fractional percentile of ability, whilst most technicians / admins are way down towards the norm.

Further, attackers rarely get caught by their actual attacks; what gets the LEOs on their backs is when they try to make money with the data etc.

Thus a cautious high level attacker will gain access to any connected site of their choice, irrespective of what has been spent on most defensive measures.

This is the lesson that covert APT teaches us.

Thus the question arises of what cost is required to stop the other end of the spectrum of attackers such as "script kiddies". More often than not it's the cost of timely patching and rapid application of workarounds prior to the patches.

More recent security instrumentation looks for changes and oddities in behaviour of the system. Whilst they can detect an attack in progress there are two issues with them.

Firstly, where do you set the sensitivity? Set it too high and you will chase your tail on ghosts in the system.

Secondly, even when you get the sensitivity right, what do you do? Do you have the in-house expertise to diagnose and mitigate a zero day in a short enough time? Probably not, so do you pull the plug on the business whilst the staff try to diagnose and mitigate?

Clever attackers know about the sensitivity issue, thus try to stay below the trigger threshold in various ways and slowly do what it is they intend to do, or get to the point where they can exfiltrate all the data they want before the staff can respond...

Thus at some point all major sites will get attacked by high level attackers who will eventually succeed. It's a game that will always be lost irrespective of the money spent on staff and other resources. Not being able to take the site down just makes it more likely to be sooner rather than later.

http418 • September 30, 2016 8:19 AM

@Clive,

If I am reading you correctly, you seem to be making the same point as I hear so often lately, aka "data as a liability". I just hate having to always assume I will lose the battle and therefore plan accordingly. Does anyone know of another industry, past or present, that goes in assuming failure (not just planning for it but assuming it)?

65535 • September 30, 2016 8:37 AM

The Yahoo hack is huge.

I wonder if the hack will be traced back to Yahoo’s adventures with the well known “three letter agencies” [or spy subcontractors] and mandatory backdoors. Verizon is not much better.

jones • September 30, 2016 9:24 AM

I'm dubious of most attributions of responsibility for these types of publicized hacks. Last week, for example, I observed the same MO attacking two of my sites from four IP addresses, each in a different country.

France:
37.187.17.19 - - [21/Sep/2016:05:35:04] "GET www.mysite.com/index.php??author=1 HTTP/1.1" 301 270 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
37.187.17.19 - - [21/Sep/2016:05:35:05] "GET www.mysite.com/index.php??author=2 HTTP/1.1" 404 9914 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"

China:
58.218.185.110 - - [21/Sep/2016:05:35:12] "POST www.mysite.com/wp-login.php HTTP/1.1" 200 3939 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
58.218.185.110 - - [21/Sep/2016:05:35:14] "POST www.mysite.com/wp-login.php HTTP/1.1" 200 3938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64;

Philippines:
124.106.239.210 - - [21/Sep/2016:10:51:41] "GET www.mysite2.com/index.php??author=1 HTTP/1.1" 301 897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
124.106.239.210 - - [21/Sep/2016:10:51:42] "GET www.mysite2.com/index.php??author=2 HTTP/1.1" 301 893 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"

Sweden:
62.63.212.207 - - [21/Sep/2016:10:52:13] "POST www.mysite2.com/wp-login.php HTTP/1.1" 200 4912 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
62.63.212.207 - - [21/Sep/2016:10:52:14] "POST www.mysite2.com/wp-login.php HTTP/1.1" 200 4911 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"


The attack above is likely launched from some type of botnet, but even these can be difficult to figure out.

Two weeks ago, for example, I observed a lot of traffic attempting to access a malicious file I had found on my server, and which I had already removed. The file itself is part of a web shell: the php file is just a bunch of variables that get their values posted to them, and once that code is loaded, the file gets rolled into another file on another server through a php include:

79.110.28.191 - - [14/Sep/2016:08:17:21] "GET www.mysite3.com/kurt-arts.php HTTP/1.1" 404 587 "-" "Python-urllib/2.7" 0
5.101.221.169 - - [14/Sep/2016:13:18:58] "GET www.mysite3.com/kurt-arts.php HTTP/1.1" 404 587 "-" "Python-urllib/2.7" 0

This attack can be traced to a series of networks in Russia with suspicious names like "Ogden Utah Network" or "Canada Vancouver Network" owned by some Trusov Ilya Igorevych; I can't say whether this is a compromised server farm or entrepreneurism, but I can't even read the code to see what it's doing because the file on my server is just a bunch of variable names -- no values.


There are no purely technical solutions to defending against these types of attacks; it requires smart configuration options, cautious security policies, and the vigilance of actual humans willing to read server logs like some people read the newspaper in the morning.
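An added example, not from the commenter's post, of the kind of log reading described above done in code: it parses access-log lines in the format quoted in the comment, flags sources that probe several ?author=N ids or burst POSTs at wp-login.php, and then lists User-Agent strings shared by flagged sources (the "same MO from several countries" signal). The sample lines are constructed, using RFC 5737 documentation addresses and example.com hosts rather than the addresses in the post.

```python
"""Added detection example: read access-log lines in the format quoted above
and flag (a) WordPress author enumeration via ?author=N probes, (b) bursts of
POSTs to wp-login.php, then report User-Agents shared by flagged sources."""
import re
from collections import defaultdict
from datetime import datetime

# The quoted log format puts the host name in the request target and omits
# the timezone from the timestamp; the regex follows that layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Constructed sample modelled on the comment's lines; the addresses are
# RFC 5737 documentation ranges and the hosts are example.com, not real ones.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2016:05:35:04] "GET www.example.com/index.php??author=1 HTTP/1.1" 301 270 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
192.0.2.10 - - [21/Sep/2016:05:35:05] "GET www.example.com/index.php??author=2 HTTP/1.1" 404 9914 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
198.51.100.7 - - [21/Sep/2016:05:35:12] "POST www.example.com/wp-login.php HTTP/1.1" 200 3939 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
198.51.100.7 - - [21/Sep/2016:05:35:14] "POST www.example.com/wp-login.php HTTP/1.1" 200 3938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"
203.0.113.5 - - [21/Sep/2016:05:40:00] "GET www.example.com/about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, login_threshold=2, window_seconds=60):
    """Return {'sources': {ip: [finding, ...]}, 'shared_agents': {ua: [ips]}}.

    A source is flagged when it probes two or more distinct author ids, or
    when login_threshold POSTs to wp-login.php fall inside window_seconds.
    shared_agents lists User-Agents seen from two or more flagged sources.
    """
    authors = defaultdict(set)   # ip -> author ids probed
    logins = defaultdict(list)   # ip -> timestamps of wp-login.php POSTs
    agents = defaultdict(set)    # ip -> User-Agent strings seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["ua"])
        probe = AUTHOR_RE.search(rec["target"])
        if rec["method"] == "GET" and probe:
            authors[rec["ip"]].add(int(probe.group(1)))
        if rec["method"] == "POST" and rec["target"].endswith("/wp-login.php"):
            logins[rec["ip"]].append(rec["ts"])

    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= 2:
            findings[ip].append(f"author enumeration: ids {sorted(ids)}")
    for ip, stamps in logins.items():
        stamps.sort()
        # Sliding window over the sorted timestamps of this source's POSTs.
        for i in range(len(stamps) - login_threshold + 1):
            span = (stamps[i + login_threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings[ip].append(
                    f"{login_threshold}+ wp-login.php POSTs within {int(span)}s")
                break

    shared = defaultdict(set)
    for ip in findings:
        for ua in agents[ip]:
            shared[ua].add(ip)
    shared_agents = {ua: sorted(ips) for ua, ips in shared.items() if len(ips) >= 2}
    return {"sources": dict(findings), "shared_agents": shared_agents}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, notes in report["sources"].items():
        print(ip, "->", "; ".join(notes))
    for ua, ips in report["shared_agents"].items():
        print("shared User-Agent across", ips, ":", ua)
```

Against the constructed sample, the two scanning sources are flagged, the ordinary visitor is not, and the identical Firefox/40.0 User-Agent is reported as shared between the two flagged sources.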

qwertty • September 30, 2016 9:31 AM

@John Doe

The hack happened in 2014, the disclosure happened just after the takeover, so I guess it wasn't the techs being frustrated and leaving the door open, but rather the execs doing their best so that everybody kept quiet about it.

Horatio • September 30, 2016 9:46 AM

It's not like Yahoo doesn't care about the data of their users. Else they wouldn't have bothered challenging FISA warrants in secret. But it looks like they were really slacking on the technical end.

Shaz • September 30, 2016 9:53 AM

I have a stack of risk assessment reports, months of bright red vulnerability scans and a sore throat from asking for resources for security, too. I can't even get our board to let me have an intern.

On the private side, boards are looking to extract as much profit out of the company to give to shareholders. On the public side politicians slash budgets just for the sake of appeasing corporate donors and looking tough on "wasteful" government agencies. Both situations don't lend themselves well to the mostly unplanned-for expense of doing security right.

I'm starting to think I'm on the Sisyphus side of security, trying to change decades of organizational inertia. Maybe it's better to be on the clean-up and "I told you so" side where I don't really have to worry about being on the hook for when something goes wrong.

Clive Robinson • September 30, 2016 9:58 AM

@ http418,

Does anyone know of another industry, past or present, that goes in assuming failure (not just planning for it but assuming it)?

Yup physical security.

There is a myth of 100% security. Anyone who has kicked a can around the block a couple of times knows that it's rubbish. At the simplest level, if you can get at your valuables then so can somebody else by a knife to the throat, impersonation or by having time and privacy to defeat your physical security systems.

Thus physical security is about buying time for a physical response by other humans to come to your rescue or to grab the attackers.

As physical security is a subset of information security most of what applies to physical security applies to information security.

Dom • September 30, 2016 10:20 AM

@Clive Robinson
Men with gogs, guns and such provide physical security. Everything else is at best intrusion detection or served as obstacles to slow the penetration long enough for the aforementioned men to get where they are needed.

Dom • September 30, 2016 10:30 AM

@Clive Robinson

That should have been:

As you say: Men with dogs, guns and such provide physical security. Everything else is at best intrusion detection or served as obstacles to slow the penetration long enough for the aforementioned men to get where they are needed.
It is worth repeating that point as this is something most people seem unable to really understand.
The alarm system provides no security, the alarm response is what does.

@Bruce
Please delete the first draft.

Sancho_P • September 30, 2016 10:31 AM

@Clive Robinson

Your comment centers around zero days and HLAs but my feeling is there are dozens, if not hundreds, less sophisticated, much simpler points to get into a huge, decentralized system like Yahoo.
There are too many people involved, in part not motivated, underpaid, outsourced, fired, in slavery (working during weekend, vacation), hardware sold or stolen, et cetera, worldwide, with different culture.
One leak might be enough and secrecy has left the house (whatever "house" is).
Security by obscurity only works between 2 ears.

@http418 (“another industry”)

When I was working in (electronic) safety equipment it was standard procedure to assume the failure of one single part, how to recognize such a failure and often assume a failure of two parts in a row (second failure if the first failure wasn’t recognized in time).
So the first thought was always how to recognize the first failure in time.

Problem was “in time” (think of a cable car, roller coaster, boiler, power distribution).

Ted • September 30, 2016 10:48 AM

What is your Cyber Security Risk Profile?
http://www.cso.com.au/article/588781/what-your-cyber-security-risk-profile/

“The USA National Institute of Standards and Technology issued a Framework for improving Critical Infrastructure Cybersecurity. In their approach that have four levels of cybersecurity risk management sophistication…"

“For most of us, we are at best in the middle a Tier 2 or 3. The challenge for many organisation’s is then taking this framework and putting this into a practical action plan to improve and move the dial forward. Let me share with you what I believe are 10 commonsense tips.”

NIST Cybersecurity Framework
https://www.nist.gov/cyberframework

“LATEST UPDATES: On September 15, 2016, NIST released the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts. NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.”

Daniel • September 30, 2016 12:16 PM

I use Yahoo out of a deeply misguided sense of loyalty (Yahoo was the first e-mail I ever had back in the mid-1990s) and they have constantly bombarded me to change my password over the years. And now once again they are asking me to change my password. Thankfully, I haven't used Yahoo for anything other than junk mail for the last five years, but it is still damn annoying.

BTW, when Mayer was hired I said she was hired for the purpose of destroying Yahoo and I have never seen a single fact to disprove my hypothesis and plenty to support it.

Shaz • September 30, 2016 1:34 PM

@Ted

It does no good to do risk assessments if the board won't allocate resources to the risks identified in said assessments.

I've been hearing this "new risk tool" and "new risk assessment framework" hooya for years and really bought into it for a while. I've found that those things just get put on a shelf or in a drawer somewhere and forgotten.

Also, CSO online seems to be more of a FUD spewer these days than presenting actual useful information. If it really was a reputable source they'd have probably caught the "organization's" vs. "organizations" error from your quote. The site is also full of script-based ads and uses smarmy ad networks and "this one weird trick" clickbait articles to catch your attention. It's hard to take any site like that seriously.

Lies, More Lies, and Damned Lies • September 30, 2016 2:09 PM

I did a bunch of press interviews after the hack, and repeatedly said that "state-sponsored actor" is often code for "please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that."

+1. I follow Schneier quotes fairly closely and am only bothered by the fact that this quote wasn't making the rounds sufficiently years ago. Setting aside my conspiracy theories of intimate ties between Yahoo leadership, IT staff, and the NSA, I find it especially egregious when this sort of thing comes straight from the government rather than expectedly sleazy corporate ass coverers. Wasn't it remarkable how that Russian hacker made the mainstream media the day after the monumental historic debate that curiously included the highest profile quibble over cyber attribution we are likely to ever see? And before you go blaming Trump for being a yahoo (not the trademarked variety), please interpret his comments as having been made (in THE most public forum) before we 'all' knew about the identity of the specific Russian the next day (or maybe it was 2 days). Which really begs the question- What the fuck EXACTLY about the situation did Trump know during that debate that the public didn't. He gets national security briefings from the secret service. Are we to believe that Trump had zero knowledge of the specific Russian during that debate? Seth and Amy would ask- Realllly?

Ted • September 30, 2016 2:54 PM

@Shaz

It does no good to do risk assessments if the board won't allocate resources to the risks identified in said assessments.

What kind of resources do you believe would be needed? At what point do you think the board would want to know?

I had started looking into CRISC, and ended up there somehow.

CRISC Knowledge Statements
1. laws, regulations, standards and compliance requirements
2. industry trends and emerging technologies
3. enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems)
4. business goals and objectives
5. contractual requirements with customers and third-party service providers

41.

http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/Job-Practice-Areas-2015.aspx

Bodyguard of Lies • September 30, 2016 3:44 PM

@Lies, More Lies, and Damned Lies

The Russian in the news media right now was in no way behind the hacks. He runs a web proxy, through which some of the attacks came.

He has been willing to work with FBI, etc.

Normally people use his proxy service to bypass corporate content blockers, to watch porn, etc.

neill • September 30, 2016 4:29 PM

i always wonder WHY noone ever analyzes outgoing traffic from their servers?

it's usually just inbound that gets firewalled & analyzed ... but that will never flag a zero day ... nothing will ...

that's how i got more info about hacking attempts than the httpd, SQL or cisco logs ... just sample a few MB throughout the day from here & there ... and don't trust a "filter", look at it with your own eyes ...

Peanuts • September 30, 2016 9:14 PM

@neill Servers should never initiate outbound traffic, the red flag is in tolerating any, ever

@Ted The board which finds lob risk being held onto by IT, has fired one few IT staff member. Neither IT or the Board own risk, the line of business does, they are the only ones who can fund remediation

lines of businesses with no skin in the game to fund remediation are also unaccountable

@pegr your comment is spot on correct

@Dom yea 500 million records at minimum 275 bytes per record is a lot of data going out while everyone was oblivious, i.e. no alarm, Manning would have a hard on or be wet I'm unsure

Effectively Yahoo had no security controls of measurable worth

@shaz don't know your situation in your org, do you own the risk ? Should you merely be possessing the risk intel, Or be thinking along the line of requiring business that does to accept the risk and shouldn't they drive its remediation with your role only to be to shoot down bad ideas?

@qwerty Keen observation

@65535 totally completely agree. Verizon data center disclosure success criteria are designed to suppress accountability to the paying org by killing any chance the org can become aware of a zero day revelation or exploitation.

For anyone in doubt, should 1) ask for the emerging cyber threat playbooks customized for your operation, 2) provide them with your Splunk Arcsight ip and port and ask for a copy of relevant threat incident messages traffic syslogs to come over the b2b connection to your SIEM, but ask when they decline, 3) For a review of their threat model or security plan to verify you see your contact info phone numbers and alert emails ready to use. 4) Ask for a review of each of your apps in the relevant cyber threat playbook. 5) Ask to see their sideline or inline WAF implemented policies, profile learnings and exceptions

Their biggest customers are Lucky to get anything but a laugh

@Clive it's deeply disturbing that they never planned to be aware of threat. Not being able to take the site down is a consequence of ignorance from having no plans
@Robert.Walter Horse burned in the barn, a coat of paint on a decaying corpse and burned barn is just pathetic.

ab praeceptis • September 30, 2016 9:36 PM

Robert.Walter

"Yahoo, 10 Mio spent on security" - I take this to be a very significant and telling statement. Security equals budgets. And that is indeed how most corps and even state agencies see it.

History tells us a lot about quantity vs. quality approaches. The short answer is "incompetent a**holes".

ab praeceptis • September 30, 2016 9:54 PM

Dom

I'm largely with Clive Robinson on that one. One can hardly put everything into a couple of sentences but as far as that is possible, Clive Robinson has done it quite well.

Does an alarm system provide security? Depends on context. If the bad guys are low level and the alarm system going off drives them away, it *does* provide security. On the other hand the dogs and armed guards may fail (for whatever reason) to provide security.

I often find out that many have an insufficient and too simplistic understanding of security. Plus: there are too many dogmas around. Things like "obscurity is not security".

Maybe the single most important factor I very often see misunderstood or not even seen at all is this: There is no security per se and for itself. Security **always** needs a context, most importantly it needs an "against what" part. Because that's the very core of security. It's somewhat like "love"; there is no love without a "whom" (or what). And *that* (the "against what") is also the reason why we need to ask the question for the worth of the hopefully secure.

So the correct order is: I want security against X, Y, and Z and the value of the item to protect is v. (value not necessarily in terms of $).

Note: I didn't ask the "against whom" question because that's in the "against what" question.

neill • October 1, 2016 3:43 AM

@Peanuts

if the bad guys use a zeroday SQL you'll just see a POST on the inbound, and a server response outbound ... nothing unusual ... till you capture the traffic and realize the response is too big ...

... or you see what "jones" said a POST with FF V.40 ... unusual

my "feeling" is every traffic on my server is BAD unless i know why it is there

Cantanker • October 1, 2016 10:41 AM

Five or six years ago, my friends had yahoo accounts that got hacked and I would get spam mail and it appeared to turn out that they put an easy password in and someone just guessed their passwords.

A bunch of yahoo friends and maybe a few hotmail friends spammed me unintentionally this way.

After the first one or two, I had to do some thinking and self-checking, but I came to the conclusion that Yahoo was *not* paying attention to email login security.

I don't think this problem was created when the good looking googler arrived. I think this was brewing for some good time.

Ted • October 1, 2016 11:38 AM

Could Yahoo be in trouble with the SEC?
https://www.washingtonpost.com/news/the-switch/wp/2016/09/28/could-yahoo-be-in-trouble-with-the-sec/

[…] “Since offering its guidance on disclosing breaches in 2011, the SEC has not penalized any company for failing to do so. And several companies do not report breaches, Phan said. Sony, for example, which suffered a massive breach of its records in 2014, never filed a notice with the SEC over that incident.”

“That, according to Warner, is also a problem. Warner asked SEC chairman Mary Jo White to "evaluate the adequacy of current SEC thresholds for disclosing events of this nature" in his letter. He is also calling for the government to set some sort of minimum cybersecurity standard for companies, and for a national data breach disclosure law.”

Ted • October 1, 2016 11:41 AM

SEC Names Christopher Hetner as Senior Advisor to the Chair for Cybersecurity Policy
https://www.sec.gov/news/pressrelease/2016-103.html

“Washington D.C., June 2, 2016 — The Securities and Exchange Commission today announced that Christopher R. Hetner has been named Senior Advisor to the Chair for Cybersecurity Policy. In this role, Mr. Hetner will serve as a senior advisor to Chair Mary Jo White on all cybersecurity policy matters.”

[...] "Mr. Hetner has more than 20 years in information security and technology. He joined the SEC from Ernst and Young (EY) where, from November 2012 to January 2015, he led the Wealth and Asset Management Sector Cybersecurity practice. At EY, his team advised and delivered cybersecurity and risk management capabilities across major clients."

Peanuts • October 1, 2016 4:26 PM

@neill if you're allowing servers to initiate outbound traffic no measure of paranoia or security controls will save you.
Implicit in your non-requirement is the impossible to patch human element of stupid. Like browsing to yahoo for email on the web server. Like being a fool for whatever social engineering attack of the day that an admin can type.

I never said you'd be done if you stop servers from initiating traffic, but if you don't, you enable endless high risk avoidable consequence behaviors

but security depth in defense means preventing what can't be patched, namely stupid

Stupid can't be patched

Drone • October 2, 2016 7:32 AM

A modern system capable of serving the likes of Yahoo today IS going to be successfully attacked at some point. Such a system has inevitable unknown zero-day exploits waiting to be discovered. So you have to live with this fact while still being diligent to protect the system itself, and (this is critical) being sure to encrypt all user data and passwords. Encrypting so nobody but the user can access the data removes the incentive for sophisticated attackers to spend the time and resources attacking you (there's no meat on them bones).

The problem here is Yahoo Cannot securely encrypt their users' data. This is because Yahoo's own systems need access to all their users' data so they can spy on them, that's how Yahoo makes money.

Then there's the issue of Yahoo hiding the fact for two years that their users' data was stolen. That means Yahoo is Scum; but most of them out there in the "Cloud" like Yahoo are pretty scummy too.

So the lesson here is: While there are (arguably) good reasons for doing so, if you're going to use a "free" ad-driven "Cloud" service like Yahoo! Mail, don't use it for anything you would not want to share with criminals or other nefarious actors. And of course, use a decent password and change it (along with one or more security questions) from time to time; just like you would on any account.

Nobody Important • October 2, 2016 11:47 PM

So let me see if I understand the bottom line in this password breach.

The breach occurred in 2014, so the password file the "actors" have is frozen in time from 2014. Anybody who changed their password since 2014 should have nothing to worry about.

Also, any NEW accounts created after 2014 would not have been part of this breach, so users of those accounts don't have to worry either.

Am I right?

It seems that the panic/frenzy/earth-shattering headlines about 500 Million passwords being stolen don't really make that clear.

(and luckily, Yahoo thinks I am about 10.667 years younger than I actually am)

Clive Robinson • October 3, 2016 2:31 AM

@ Nobody Important,

and luckily, Yahoo thinks I am about 10.667 years younger than I actually am

That at least is better than the Yahoo's thinking you are the 666 ;-)

internal use only • October 5, 2016 10:31 PM

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence - sources
http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

And the follow-up...

Yahoo Spying On Emails: Edward Snowden Urges Users To Close Account After Reuters Intelligence Report
http://www.ibtimes.com/yahoo-spying-emails-edward-snowden-urges-users-close-account-after-reuters-2426300

Nemesis • October 7, 2016 7:26 PM

I received an email recently from "Me" to my other email along with a CC list of my family, wife's family, medical and legal contacts, and 2 ex-girlfriends. The IP originated in Eastern Europe and the perps used Ekomp.com email.

All email addresses were on Yahoo. They had this happen 2 years ago? Who are they working with to secure it, Barney Fife and Andy Taylor in Mayberry with an old Commodore computer??


Never had any issues with Google at all..Yahoo has "lost" emails when you send them, completely crashed and screen disappears when typing a message and does NOT save a draft immediately, and also has delayed emails from send to delivery for up to 2 - 3 days in the past! Yahoo is crap and I rarely ever use it now.

Not only that, my wife had one of those Associated Content article pages with lots of articles over 4 - 5 years..The pay was hardly anything, but not only did Yahoo stop paying, they closed and deleted the entire site in 30 days. If you didn't save all your content you lost it, gone forever. Some writers were on there for 10 years and not everyone signs into yahoo every 30 days! Who would want to after they turned to garbage several years back? So lots of people lost their articles..

BOO Yahoo

a2 • October 11, 2016 3:38 PM

So periodically changing passwords provides some "statistical" benefit to a user who is stuck using service of unreliable security...?

Thanks for the usable captcha

a2 • October 11, 2016 3:50 PM

Does anyone know of another industry, past or present, that goes in assuming failure (not just planning for it but assuming it)?
In the absolute "perfectionist" sense of "failure", all activities "fail".

a2 • October 11, 2016 3:59 PM

Maybe it's better to be on the clean-up and "I told you so" side where I don't really have to worry about being on the hook for when something goes wrong.
The letter in a bottle in the bank security box, with the bank box key implanted in your abdomen, hopefully found during forensic dissection, "Nope. This one is not a cyborg. But look at this..."

Access Hollywood, We Can Rebuild Him, We Can Run On This

witness • January 6, 2017 5:57 PM

Yahoo needs a CLASS ACTION LAWSUIT filed against their FRAUDULENT "SECURITY" claims!!!!

Yahoo "Security" is a JOKE!!!!

Why do they even require anyone to "Sign in" when criminal hackers attack comment/posts and steal other people's free speech and NEVER SIGN IN, legitimately!!!!

Shame on both Yahoo's deceit and the criminal scum who perpetuates evil against good and decent citizens!!!

Probably a bunch of sexual predatory losers who have to CON DECENT WOMEN to win them over!

Don't these losers know that REAL MEN DON'T HAVE TO LIE to get decent women? Obviously criminals have NO MORALS---probably serial cheaters and pathological liars, too!!!! They are all in that same sinking ship of fools!
