SEARCH
diglloydTools™
Half a BILLION User Accounts Compromised
Side note: I’ve never like Facebook (in part because it is a system that a police state must adore) and in part because Facebook pages are invariably visual garbage heaps. But I’ve also wondered how they can make so much money charging for difficult to document ad-to-finished-sales and amorphous benefits. Well, it helps to greatly overestimate usage.
..
The yahoos as Yahoo have compromised at least 500 million (half a BILLION) user accounts by poor security, allegedly by a state-sponsored actor; potentially the biggest data breach on record.
Of course Yahoo is “not to blame”, since it was done by hackers, possibly from a foreign state. Right? WRONG.
Yahoo stored unenencrypted user data, including all sorts of personal data that should be stored encrypted, but was not—gross security incompetence to maintain a dossier on every user. According to the Wall Street Journal:
The internet company, which has agreed to sell its core business to Verizon Communications Inc., said Thursday that hackers penetrated its network in late 2014 and stole personal data on more than 500 million users. The stolen data included names, email addresses, dates of birth, telephone numbers and encrypted passwords, Yahoo said.
Yahoo said it believes that the hackers are no longer in its corporate network. The company said it didn't believe that unprotected passwords, payment-card data or bank-account information had been affected.
...
Yahoo said the stolen passwords were encrypted, but computer-security experts said a determined attacker could unscramble passwords—especially simple passwords—using commonly available “cracking” software. Once cracked, hackers could break into Yahoo accounts and—if the password happened to be reused on another web service—possibly other websites too.
MPG: “believes”? Is that faith-based and/or some evasive statement. Many people re-use the same password for many things, so “possibly other websites” is a huge risk.
When a name, date of birth, telephone number are stored unencrypted, that’s a very nice start to identity theft—core information all handy. Moreover, even the encrypted passwords were apparently done wrong, because using the same 'salt' and other factors can make password cracking far more difficult.
How about a $100 fine per user, plus unlimited liability for anyone who suffers identity theft as a result? Seems fair. This kind of flagrant security incompetence is unacceptable. Hackers break in, and always will. So even mildy sensitive data should never be stored unencrypted and should be compartmentalized (name and email are public and not worrisome, but if a dossier on a user is stored, those too should be encrypted to avoid having a nice complete record).
Password security
Which brings me to password security: get 1Password and use it religiously. NEVER re-use the same password for more than one purpose.
James G writes:
Yahoo apparently is run by utter morons. Maybe that's where Apple has been recruiting programmers of late. That none of this stuff was encrypted (or encrypted with a Captain Crunch secret decoder ring) is just unbelievable. And that it happened two years ago and we are just now hearing about it is even worse.
Bruce Schneier has not weighed in on this yet, but if the breach was done by "state actors" i.e. China or Russia then this enormous data trove has very serious implications for US national security. Imagine having access to a database that has personal information in the private accounts of tens of thousands of security-cleared NSA and CIA operatives, aerospace engineers, software and hardware engineers, employees of power plants and pipelines, and on and on. It may take awhile but with data mining and cross checking against other databases a serious entity with time and money can assemble a detailed profile of pretty much anyone they want. And the same process could yield hits that they otherwise would never have expected. It makes it all that much harder for the US to infiltrate those "state actors" and gives those state actors even more ability to phish and F&%$#K us all up.
I never had a Yahoo account as I found everything that company did to be complete drivel. But my advice to friends has been to go in to your account, change your password and then delete everything and never use it again.
MPG: It makes perfect sense that Apple hired yahoos for the destruction of Apple Mail. Humor aside, I also never had a Yahoo account because Yahoo was and is the biggest turd of an internet destination that I was aware of. The security implications are indeed immense.
