Yahoo Admits: All 3 Billion Email Addresses Hacked
Yahoo has admitted that a hacking incident in 2013 affected three billion user accounts. That's three times more than it originally disclosed and means every account was affected.
The incident was one of two Yahoo hacks revealed last year. The first, announced in September, involved 500 million accounts being hacked in 2014. The second, announced in December, was said to have involved a hack of a billion accounts in 2013.
It is the 2013 attack about which Yahoo now says it believes "all Yahoo user accounts were affected." It is keen to stress that it only recently discovered the number was larger than originally reported. That timeline matters because Yahoo has since been taken over by Verizon; underplaying the extent of the attack could have raised financial regulation issues.
Security Answers Revealed
In the latest announcement, Yahoo doesn't say exactly what data was taken from each account, but says it believes it did not "include passwords in clear text, payment card data, or bank account information." (Source: oath.com)
It appears the stolen data includes the passwords in hashed form (Yahoo's December 2016 notice on the 2013 breach described them as MD5 hashes, a fast hash that can be brute-forced offline at scale), along with email addresses, birth dates, and security questions and answers, at least some of them in plain text. Yahoo notes that upon announcing the attack last year it required all users to change their password and invalidated the security questions.
Lawsuits Proceeding
As is so often the case with hacking, the danger is not necessarily that the attackers were able to read user data such as emails. Their likely actions would instead include selling the list of email addresses to spammers, using the security questions and answers to try to break into accounts on other services, and cracking the password hashes, again to try them out on other services.
While users are normally warned to avoid reusing login details on multiple sites, reuse is unavoidable for security questions that ask for factual information such as a mother's maiden name, because the true answer is the same everywhere.
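The two failure modes described above, a fast unsalted password hash and a security answer stored as plain text, have the same fix: store both as salted, slow hashes. The following is an added example, not Yahoo's code or anything from the disclosure; the leaked records, the wordlist and the scrypt parameters are constructed for the demo. It shows that one precomputed table recovers every MD5-hashed password in a dump by lookup alone, while a per-user salt forces a full key-derivation run per guess per account, and that normalizing free-text answers before hashing lets "Smith" and " SMITH " still verify.

```python
"""Added example: hashing security answers and passwords so a leaked record is
useless elsewhere. Not Yahoo's code; inputs and KDF parameters are assumptions."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed cracking dictionary; a real attacker uses billions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "sunshine", "yahoo2013"]

# Assumed scrypt parameters for the demo (16 MiB per guess); tune for production.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def md5_hex(secret: str) -> str:
    """Fast, unsalted hash of the kind described for the 2013 password dump."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def precompute_md5_table(wordlist) -> Dict[str, str]:
    """Without a salt one table serves every account in the dump."""
    return {md5_hex(word): word for word in wordlist}


def crack_unsalted(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Map user -> recovered password by pure lookup; no further hashing needed."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def normalize_answer(answer: str) -> str:
    """Security answers are free text: fold case, Unicode form and spacing so
    'Smith', ' SMITH ' and 'smith' verify against one stored record."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def protect_secret(secret: str) -> Dict[str, str]:
    """Store a password or security answer as a salted, memory-hard scrypt hash.
    The stored record reveals nothing reusable on another site if it leaks."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_secret(secret: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(secret.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def store_security_answer(answer: str) -> Dict[str, str]:
    return protect_secret(normalize_answer(answer))


def verify_security_answer(answer: str, record: Dict[str, str]) -> bool:
    return verify_secret(normalize_answer(answer), record)


def crack_salted(record: Dict[str, str], wordlist) -> Tuple[Optional[str], int]:
    """Per-user salt defeats the shared table: every guess costs a full scrypt
    run against this one record. Returns (recovered_or_None, runs_spent)."""
    for attempts, word in enumerate(wordlist, start=1):
        if verify_secret(word, record):
            return word, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed dump: three users whose passwords were stored as bare MD5.
    leaked = {"alice": md5_hex("sunshine"), "bob": md5_hex("letmein"),
              "carol": md5_hex("correct horse battery staple")}
    print("recovered from MD5 dump:", crack_unsalted(leaked, precompute_md5_table(WORDLIST)))

    record = store_security_answer("Smith")
    print("stored answer record:", record)
    print("verify ' SMITH ':", verify_security_answer(" SMITH ", record))
    print("dictionary attack on salted record:", crack_salted(record, WORDLIST))
```

The weak answer problem remains: a salted hash of "Smith" still falls to a small dictionary, which is why the comments below suggest treating answers as a second password rather than a fact. The hashing only removes the free win of reading the answer straight out of the dump.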
Yahoo is already facing at least 41 lawsuits over the breach that are seeking class action status. The new revelation makes that more of a concern: if class action status were granted, any damages settlement could theoretically apply to everyone who has ever had a Yahoo account. (Source: reuters.com)
What's Your Opinion?
Should Internet companies face criminal penalties for security breaches, or should this be left to civil damage suits? Are security questions a suitable way to protect accounts? Should all customer data be stored in encrypted form?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
Encryption of data
If passwords can be encrypted, I don't see why security questions are not encrypted as well - especially from a standpoint of leaking data. It may require some extra programming to encrypt and decrypt the data - but if the programming itself was modular this would be an easy fix especially for a company that size.
Answering security questions
Why do people answer security questions with factual information? Mother's maiden name could be 'abc123' or '/colorpurple/'
The only requirement is YOU know what the answers are.
True but somewhat irrelevant
True but somewhat irrelevant in this case since both questions and answers were exposed.
Mother's maiden name & other data *is* sensitive
It is relevant because mother's maiden name & certain other data are common information required to access credit.
Chief (above) is correct. I use a password manager that, in addition to holding the user ID and password for a site, allows me to type the security questions and answers I gave for that particular site. I always use some jumbled phrase that gives no hint as to the actual answers to the security questions.
Oh, and...
Yahoo! should be sued into oblivion.