
Yahoo - hacked

  • 24-09-2016 10:57am
    #1
    Registered Users, Registered Users 2 Posts: 18,067 ✭✭✭✭


    ...how concerned should we be???
    YAHOO SAID AN attack on its network in 2014 accessed data from at least 500 million users and may have been “state sponsored”.
    “Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” a statement from the US Internet giant.
    The stolen data includes users’ names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions for verifying an account holder’s identity.

    and it happened two years ago and they're only revealing it now hmmmm:cool:

    http://www.thejournal.ie/yahoo-hack-2992161-Sep2016/


Comments

  • Moderators, Regional East Moderators Posts: 23,239 Mod ✭✭✭✭GLaDOS


    People still use Yahoo?

    Cake, and grief counseling, will be available at the conclusion of the test



  • Registered Users, Registered Users 2 Posts: 29,146 ✭✭✭✭_Kaiser_


    GLaDOS wrote: »
    People still use Yahoo?

    Beat me to it! :D I only know one person with a yahoo account

    Don't get me wrong, it's still a serious breach, but I wouldn't think there'd be that many people on this side of the water affected.


  • Registered Users, Registered Users 2 Posts: 18,067 ✭✭✭✭fryup


    Well, I use yahoo mail from back in the day, never felt a need to change it...until now


  • Registered Users, Registered Users 2 Posts: 16,552 ✭✭✭✭Grayson


    fryup wrote: »
    ...how concerned should we be???



    and it happened two years ago and they're only revealing it now hmmmm:cool:

    http://www.thejournal.ie/yahoo-hack-2992161-Sep2016/

    I've been involved with the response to a big hacking event. The thing that struck me was that the information wasn't protected. At a minimum all personal information should be salted and hashed.

    As far as I'm concerned it's not a matter of if a company will get hacked but rather when. When they're hacked they should be certain that all personal information is useless. Companies aren't doing enough to protect their customers and the law should make it so they have to disclose the methods they use to encrypt their information.


  • Registered Users, Registered Users 2 Posts: 2,879 ✭✭✭Ten Pin


    Grayson wrote: »
    Companies aren't doing enough to protect their customers and the law should make it so they have to disclose the methods they use to encrypt their information.

    A lot of websites don't have secure pages for personal info eg callback requests where you enter name etc.

    Similar with payment card details on a non-secure page. And then they have the usual "we take your privacy / data security seriously"..." stored on secure servers"...in the next paragraph.


  • Closed Accounts Posts: 750 ✭✭✭Harvey Normal


    Mr.S wrote: »
    2 step verification.

    /thread.

    It's a pity the thread has ended because I was going to argue that wouldn't work.


  • Closed Accounts Posts: 5,736 ✭✭✭Irish Guitarist


    They say it was state sponsored but then they say they're working with law enforcement. Does this mean they're talking about a state that isn't the USA? Or does 'state sponsored' just sound better than saying some spotty fourteen year old hacked them?


  • Registered Users, Registered Users 2 Posts: 29,146 ✭✭✭✭_Kaiser_


    They say it was state sponsored but then they say they're working with law enforcement. Does this mean they're talking about a state that isn't the USA? Or does 'state sponsored' just sound better than saying some spotty fourteen year old hacked them?

    "state sponsored" in this context would refer to unfriendly foreign nations

    Source: too many political thrillers :)


  • Registered Users, Registered Users 2 Posts: 10,501 ✭✭✭✭Slydice


    fryup wrote: »
    ...how concerned should we be???

    How concerned:
    Well, a shed tonne of LinkedIn user accounts got released there earlier this summer and the technology they used was able to break the passwords.

    It's the same trick bitcoin miners use to get a computer's graphics card to do all the math for them.

    Should be able to break the yahoo passwords too from what I understand.

    So, now it's a case of wait and see if/when the hack gets put online.


    Edit: An extra annoying thing is that this sounds like the "who was your favourite teacher" questions and answers were also hacked. So like, if ya used those for gmail or hotmail and all that, the password reminder thing might allow people to break into your account.

    Something that might help:
    So, I'm not sure, I've heard 2 step verification has been compromised somewhere but no harm turning it on for all your social media and email and all that.
    After a quick google, here's a relatively new guide on setting up 2 step verification on a bunch of sites:
    http://www.imore.com/two-step-authentication


  • Closed Accounts Posts: 750 ✭✭✭Harvey Normal


    Mr.S wrote: »
    For 99% of people it would though.

    This is a break-in to a database. It's not social engineering or guessing individual passwords.


  • Moderators, Arts Moderators Posts: 35,788 Mod ✭✭✭✭pickarooney


    What do hackers stand to gain when every idiot is publishing the tedious minutiae of their existence in the public domain anyway?


  • Posts: 26,052 ✭✭✭✭ [Deleted User]


    I'm pretty sure I've an old Yahoo account with the password lost in the mists of time. It wouldn't have anything connected to it though, precious little usable information there to be mined.


  • Registered Users, Registered Users 2 Posts: 11,482 ✭✭✭✭Ush1


    Jesus, some bastard will be reading all my thousands of penis pill spam mails!


  • Closed Accounts Posts: 2,888 ✭✭✭Atoms for Peace


    Yahoo serious!


  • Registered Users, Registered Users 2 Posts: 16,552 ✭✭✭✭Grayson


    What do hackers stand to gain when every idiot is publishing the tedious minutiae of their existence in the public domain anyway?

    Name, address, telephone number, mother's maiden name, password etc...

    The fact is that for me to hack you using social data is very easy. You're right that a lot of people post crap online all the time, but to have a few hundred million of these details readily available is very handy.

    Here's a handy site that searches data dumps to see if your email address was contained in them.

    https://haveibeenpwned.com/


  • Registered Users, Registered Users 2 Posts: 11,220 ✭✭✭✭B.A._Baracus


    You'd be surprised how many websites or online services that get hacked. Most keep it quiet.

    I worked for a place which I won't name, but long story short they build and maintain websites and they were the victim of ransomware. A few servers got hacked and so many websites got taken down.


  • Closed Accounts Posts: 9,586 ✭✭✭4068ac1elhodqr


    Flickr & Tumblr might be YaPoo (unbranded/non-prefix) owned services that may share your Yahoo password.
    Always worth using fictitious DOBs/recovery information with any of these types of logins that don't really require it.

    Probably also not a good idea to store your entire photo collection up in the iCloud,
    as the pleasant looking Pippa M, may have just recently realised.



  • Registered Users, Registered Users 2 Posts: 18,067 ✭✭✭✭fryup


    I reckon the holy grail for every budding hacker out there is..paypal

    do you reckon it could happen???


  • Registered Users, Registered Users 2 Posts: 23,312 ✭✭✭✭Esel
    Not Your Ornery Onager


    This is a break-in to a database. It's not social engineering or guessing individual passwords.

    It should prevent the hacked passwords being used anyway.

    Not your ornery onager



  • Closed Accounts Posts: 107 ✭✭Star_Nupa


    I just wish Yahoo! would rebrand completely, change/add services or just die already.


  • Registered Users, Registered Users 2 Posts: 19 SemenInMyEyes


    In 2016 web security and privacy is becoming more and more important. Passwords have serious issues nowadays and I will explain for the uninitiated the problems for lack of anything better to do on this fine Sunday afternoon.

    Back in the day web services stored passwords in plain text. This means if a hacker could access the web sites database they could access your password and then use it to log into your account. This is very annoying.

    The solution to this is to use a password hash. Next the industry was not storing the password itself but a hash of the password. A hash is a function which converts your password from its base form into a hashed form. For example, if your password is "password" the SHA1 hash is something like 5122612419293634068225076888f58.

    When you enter the word password the site checks if it is correct by checking if the SHA1 hash of the password is the corresponding value they have stored. If it matches then you can log in. If not they cannot.

    So what happens if the hashed passwords are stolen? Well, typically this is a problem; however, they do not have access to the password. For example, if a website is hacked the hacker cannot use the hash to log in. If I use the hash as a password in this example the login will fail. This is because if I enter 5122612419293634068225076888f58 the website will hash this value again and get something different, say 812371231237123123. However this is not the correct password. So the problem is solved, right? Wrong.

    We have just slowed the hacker down. Now the hacker just needs to try to find which password, when SHA1 hashed, corresponds to the stored value. As computers speed up and get faster this becomes easier and easier. If the web service requires 8 character passwords the hacker will iterate through all possible passwords starting at "aaaaaaaa" and ending at "zzzzzzzz". If your password does not contain any uppercase or special characters this is very fast. If it contains special characters it is safer. For example, just using the 26 lowercase letters there are only 208827064576 possible passwords, which for modern computers is not that much. If you increase it to all special characters it is orders of magnitude higher but still not enough. A password like $/98BA, assuming 96 possible characters, is still insecure as hackers have the resources to find the plaintext now.

    Anyway the real issue is people who use ****e passwords. A dictionary attack is where a list of hash values of common words is used. Lots of people use bad passwords and only simple words. Common things like "iloveyou" have known SHA-1 hash values and therefore the hacker, on getting a list of hash values, just searches for known weak passwords.

    Another issue is if lots of people use the same password they will have the same hash value. This is bad and speeds up the hacker. In order to mitigate this a salt is added to the password. This is a random string like "asdj821" added to your password. It makes your password stronger and less vulnerable to a dictionary attack. It also disguises users who have the same password in the database. For example, if two users are using "password1". Let's say the SHA1 of "password1" is "92849jfw89ef892". Then in the database those two users have the password "92849jfw89ef892". A hacker can easily see these values are the same using a Control-F on the dictionary file.

    So websites will typically add extra text to your password that the user himself does not know. So let's pretend a website has two users both using "password1". On signup the webservice will also assign a random salt to the users. So user 1 has a salt "1DAS" and user 2 has a salt "(NNUD". The website takes the passwords for each user and adds the salt to the password. So the website for user 1 makes the string "password1DAS" and "password1(NNUD" for user 2. The SHA-1 hash for each value is calculated. Pretend for the first user it is 1nu239123n18923n12389123n and for the second user it is 1m2w918dj189jed83289jd238dj2d3892. Just examples. Now if the database is stolen we don't know the users are using the same password and, more importantly, password1DAS is unlikely to be added to a dictionary and freely available. So we are all safe now, right?

    Unfortunately not. In 2006 this was secure but in 2016, with the massive availability of computation power, brute force attacks are more feasible. The problem is that computing a SHA-1 hash is very fast and we can now make larger dictionaries and crack passwords quickly. Some systems can crack 1000000 SHA-1 hashes per second. What is the solution to this? Make the hash function slower. For example, if you can reduce the number of guesses per second from 1000000 to 1 you have re-secured your system. This is kind of what bcrypt does. Now websites are using bcrypt instead of SHA1. Please note the numbers quoted may not be accurate but it is the principle which I am explaining which is correct.

    So salted passwords with bcrypt are now the new standard. However as the internet grows and grows more and more people are using the same passwords on multiple websites. The problem is if one site is hacked all of your other accounts can be compromised if they are using the same password.

    You should be using different passwords across websites so if one is hacked the rest of your accounts are safe. But oh no, how will you remember your 50 passwords for all your accounts? Use a password manager to remember your passwords such as LastPass or KeePass. You still need to remember the master password and the master password should be long.

    Long passwords are the safest bet. Use a master password that is easy to remember such as
    "I$w0uld$really$l0ve$t0$give$Enda$a$bl0wjob$while$J0an$licks$my$arse$".

    Now you still have one last thing to make your online identity secure. Enable two-factor authentication (2FA) if you can. This means that even if you enter the correct password you can be sent a code by SMS, for example, which always changes. The code is valid for a short time interval and expires and a new one is generated. This makes you very safe online.
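The post above walks through four ways a site can store passwords: plain text, an unsalted hash, a per-user salted hash, and a salted slow hash (bcrypt). The following is an added example written for this thread, not code from the post or from Yahoo, that builds each of the last three schemes over a small set of constructed accounts (two users sharing "password1", as in the post) and lets a defender check the two properties the post argues about: whether shared passwords are visible in the stored records, and whether a precomputed table of common-word hashes matches anything. The post names bcrypt as the slow hash; this example substitutes PBKDF2-HMAC-SHA256 from Python's standard library so it runs with no extra packages (that substitution, the 200,000-iteration default and the COMMON_WORDS list are my assumptions). `keyspace(26, 8)` reproduces the post's 208827064576 figure.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users share "password1",
# mirroring the post's example, plus one user with a passphrase.
USERS = {"alice": "password1", "bob": "password1", "carol": "correct horse battery"}

# Constructed stand-in for a precomputed "dictionary" of common passwords.
COMMON_WORDS = ["password", "password1", "iloveyou", "123456"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_unsalted_sha1(users: dict) -> dict:
    """The post's second scheme: hash only. Equal passwords give equal hashes,
    so shared passwords are visible in the database and a precomputed table
    of common-word hashes matches them directly. Returns {user: hash_hex}."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def store_salted_sha1(users: dict, salt_len: int = 16) -> dict:
    """The post's third scheme: append a per-user random salt before hashing.
    Returns {user: (salt_hex, hash_hex)}; the salt is stored with the record."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len).hex()
        records[user] = (salt, sha1_hex(pw + salt))
    return records


def store_slow_kdf(users: dict, iterations: int = 200_000) -> dict:
    """The post's fourth scheme: a salted, deliberately slow hash. The post
    names bcrypt; this uses PBKDF2-HMAC-SHA256 from the standard library as a
    stand-in (assumption, not the post's choice). `iterations` is the cost knob:
    raising it slows every guess by the same factor as it slows a login."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        records[user] = (salt, iterations, digest)
    return records


def verify_slow_kdf(record: tuple, candidate: str) -> bool:
    """Login check for the slow scheme: recompute with the stored salt and cost,
    then compare in constant time."""
    salt, iterations, digest = record
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, digest)


def _sha1_hashes(records: dict) -> list:
    # Accepts the unsalted form {user: hash} or the salted form {user: (salt, hash)}.
    return [r if isinstance(r, str) else r[1] for r in records.values()]


def precomputed_table_hits(records: dict, wordlist: list) -> int:
    """Defender's check on a SHA-1 record set: how many stored hashes does a
    precomputed table of common-word hashes match outright? With salts the
    table was built without each user's salt, so it matches nothing."""
    table = {sha1_hex(word) for word in wordlist}
    return sum(1 for h in _sha1_hashes(records) if h in table)


def shared_password_groups(records: dict) -> int:
    """How many distinct hash values are shared by more than one user, i.e. what
    the post's 'Control-F on the dictionary file' would reveal."""
    hashes = _sha1_hashes(records)
    return sum(1 for h in set(hashes) if hashes.count(h) > 1)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try; 26**8 is the post's figure."""
    return alphabet_size ** length


if __name__ == "__main__":
    unsalted = store_unsalted_sha1(USERS)
    salted = store_salted_sha1(USERS)
    print("8 lowercase letters:", keyspace(26, 8), "candidates")
    print("unsalted SHA-1: shared groups", shared_password_groups(unsalted),
          "| table hits", precomputed_table_hits(unsalted, COMMON_WORDS))
    print("salted SHA-1:   shared groups", shared_password_groups(salted),
          "| table hits", precomputed_table_hits(salted, COMMON_WORDS))
    slow = store_slow_kdf(USERS)
    print("slow KDF login with correct password:", verify_slow_kdf(slow["alice"], "password1"))
```

Running it shows the unsalted store leaking one shared-password group and two table hits, while the salted store leaks neither; the slow KDF adds the per-guess cost the post describes on top of that. The salt is stored next to the hash in all of the salted schemes, which is fine: its job is to make precomputation useless, not to be secret.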



  • Registered Users, Registered Users 2 Posts: 89,454 ✭✭✭✭JP Liz V1


    Not working now, I can't log in to my emails with Yahoo, hacked again?


  • Registered Users, Registered Users 2 Posts: 28,789 ✭✭✭✭ScumLord


    Aawww.. member yahoo?


  • Registered Users, Registered Users 2 Posts: 16,552 ✭✭✭✭Grayson


    JP Liz V1 wrote: »
    Not working now, I can't log in to my emails with Yahoo, hacked again?

    Just as well, the NSA is probably reading them.


  • Banned (with Prison Access) Posts: 102 ✭✭Kadser


    So much for changing your email last week!


  • Registered Users, Registered Users 2 Posts: 14,338 ✭✭✭✭Cienciano


    GLaDOS wrote: »
    People still use Yahoo?

    Yeah, me. Had an email from the 90s, no need to change it, still works fine

    Star_Nupa wrote: »
    I just wish Yahoo! would rebrand completely, change/add services or just die already.

    Why?

