Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.
from the yes-all-of-it dept
Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it’s always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo’s email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.
The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it’s under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it’s much easier to just say, “Yahoo email was compromised.” As in: all of it.
In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company’s integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.
“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account,” Yahoo said Tuesday.
Also important to note is that the yahoos at Yahoo were only able to correctly inform the public as to the specific number of accounts breached in these attacks once the use of numbers no longer mattered. Tooting its own horn about the actions it took to protect “all accounts” when it didn’t even know that “all accounts” had indeed been compromised violates PR rule number 1: don’t request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all moving forward, given how laughably bungled this whole mess has been handled.
But the larger point harkens back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion bandaid-pulling is beyond me, but it sure seems to be the playbook.
Filed Under: disclosure, email, hack
Companies: yahoo
Comments on “Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.”
So the moral of the story is...
If you’re not using end-to-end encryption, then your trans-net communication details will become public.
As will your cheesecake photos because fappening.
Re: So the moral of the story is...
Not good enough.
If I hack your account and all of your messages are dutifully encrypted, then I STILL have access to all of the metadata. That’ll tell me who you’re communicating with, how often, and how much you have to say to each other. It may also reveal your geolocation, your mail client/web browser, your work/sleep patterns, and other useful information. And it certainly gives me enough data to start phishing you, particularly if you use a web browser as your mail client.
By the way: NEVER use a web browser as your mail client. If you do, you’ll make my task far easier and quicker, because webmail is an anti-security pattern.
So yes, encryption on the wire is good, and encryption in messages is good, and no, you should not blithely presume that if you have both that you’re safe. You’re not.
Abandon Ship
I have had a Yahoo email account since around the early 2000s and was loathe to switch just because everything went through that and it was a bit nostalgic. When the breach was first disclosed last year I immediately bought my own domain name, signed up for a single Microsoft Office 365 E3 subscription and transferred all my email to that. Haven’t looked back since.
At $25 a month I get my own custom email, encrypted cloud storage, a full Office suite and a ton of features I will likely never use but are there if I need them.
Re: Abandon Ship
And free NSA spying.
Re: Re: Abandon Ship
That’s included with all email services these days.
Re: Re: Re: Abandon Ship
Unless you want to roll your own private email server and try to maintain it, or use something like tutanota or protonmail, but those are a bit of a pain to use and lack features.
I’m willing to accept the risk with Microsoft, especially since the way their Enterprise tenants are structured you own all the services/data you put on there. Microsoft has policies and technical limitations in place that prevent them from accessing your data without your permission. Especially the OneDrive encrypted storage. That was a big selling point for me when I found that out.
Re: Re: Re:2 Abandon Ship
I find your excess of faith disturbing.
Re: Re: Re:3 Abandon Ship
It’s not an excess of faith, it’s a risk assessment. As I said, I’m willing to accept the risk. I won’t live my life afraid of using technology because it might be compromised. If I did I would have to give up all internet access and computer technology because if you’re online your data is likely compromised because you’ve likely used a service that has been compromised. And Windows has something like 80%+ of global OS market share. If the NSA is using Microsoft for spying then 80% of computer users are being spied on already.
I do my research and make sure I’m aware of the risks before I use something new and take as many feasible precautions as possible.
Re: Re: Re:4 Abandon Ship
So you value market share over security.
To each his own, I suppose.
Re: Re: Re:5 Abandon Ship
Sorry if I wasn’t clear. I don’t value market share more, I’m just pointing out that if your assumption is correct and the NSA is using Microsoft software and services for spying, the fact that Microsoft happens to have a large market share means that whether people use their Office 365 services or not, they are probably still being spied on because most everyone uses Windows as their OS.
And before we get into the “well just use a different OS” debate, no that is not always a viable option. I’m an avid PC gamer and linux and wine just don’t work well enough to support that.
Re: Re: Re:2 Abandon Ship
Our government is connected into the providers systems. Has been since the 50’s.
If you communicate online, they can get at it.
Re: Re: Re:3 Abandon Ship
Which, if true, makes all of the above completely moot. The only way to make sure you aren’t being spied on is to do absolutely nothing online. Which in today’s world is virtually, if not literally, impossible. So whether I use Microsoft, Yahoo, AOL, tutanota, lavasoft, protonmail, or any other service, it’s all compromised and makes no difference which service I choose.
Re: Re: Re:2 Abandon Ship
lack features? email almost but doesn’t quite make it to the recipient or what?
Re: Re: Re:3 Abandon Ship
No, mostly things like limited custom domains. I have several and to use them I would have to pay extra. For the same price or less I get my own email server that I control plus all the other features of Office 365.
Re: Abandon Ship
How do you KNOW the cloud storage is encrypted?
Re: Re: Abandon Ship
Because it’s an enterprise class service used by organizations and companies that have to be HIPAA and PCI compliant.
This isn’t their hotmail service I signed up for, it’s the full enterprise grade service complete with my own Exchange tenant in the cloud.
Re: Abandon Ship
Out of curiosity, why them, vs. Google?
Re: Re: Abandon Ship
I liked the feature set Microsoft offered over Google’s mostly.
Re: Re: Re: Abandon Ship
Thanks for responding.
On the plus side:
The company does not have to spend a lot of developer hours when offering an application where you can check whether your mail account has been affected by such a hack.
People actually still use Yahoo? I have an account, but the only thing it leads to is my fantasy football team management.
Thanks 26, NSA, GS, and Poindexter and DARPA
The failocracy rules, idiocracy would be an order of magnitude up from where we are
Equifax
House Energy and Commerce Committee: Digital Commerce and Consumer Protection Subcommittee hearing, “
Oversight of the Equifax Data Breach: Answers for Consumers” (also on C-SPAN), yesterday, Oct 3, 2017
Senate Banking, Housing and Urban Affairs full committee hearing, “An Examination of the Equifax Cybersecurity Breach” (also on C-SPAN), today, Oct 4, 2017 (morning)
Senate Judiciary Committee: Privacy, Technology and the Law Subcommittee hearing, “Equifax: Continuing to Monitor Data-Broker Cybersecurity”, today, Oct 4, 2017 (afternoon)
Re: Equifax
They have just been hired in a no bid contract to do identity verification by the IRS
Bigly!, WINNING!
Re: Re: Equifax
In this morning’s hearing before the Senate Banking Committee, I believe Nebraska’s Senator Ben Sasse was the first to have questions about this news item.
He was not the only one.
Re: Re: Equifax
For the record (and in case anyone here hasn’t seen it), yesterday’s widely reported story—
“IRS awards multimillion-dollar fraud-prevention contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 3, 2017
I don’t believe Politico was mentioned by name in this morning’s committee hearing. Rather, iirc, there was just a generic mention of “news” there. But this Politico story has been widely cited elsewhere, including in David Kravet’s story yesterday at Ars Technica.
Re: Re: Re: A matter of experience
Well, I mean it’s suggested that you use one thief(ideally a former one) in order to catch other thieves because they know the tricks, perhaps the IRS figures that a company that failed spectacularly in their security and which hid this fact as long as they could knows all about securing your personal data and informing you when it’s been violated.
Surely they’ll have learned their lesson and will do better this time, right?
Re: Re: Re:2 A matter of experience
See North Dakota Senator Heidi Heitkamp’s remarks, beginning roughly about 1:47:00 in the C-SPAN video (note this hyperlink doesn’t advance all the way to 1:47:00).
Adapted from the closed-caption transcript:
Re: Re: Re:2 A matter of experience
Googling around…
“IRS: New Equifax contract a stopgap as we switch vendors”, by Joe Uchill, The Hill, Oct 4, 2017
I still have the second panel in this afternoon’s Senate Judiciary subcommittee hearing queued up. Probably won’t get around any time soon to watching today’s House Ways and Means Committee’s Oversight Subcommittee “Hearing on the Internal Revenue Service’s Information Technology Modernization Efforts ” (Oct 4, 2017).
Re: Re: Re:3 A matter of experience
Well, I suppose it’s to the IRS’s credit then that the contract was basically forced on them and they’re trying to switch to another company, a process that will hopefully be much easier after the gigantic freakin’ hack of Equifax and their… ‘relaxed’ response to reporting it.
Re: Re: Re:4 A matter of experience
“GAO: IRS did not have to award $7.25M contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 5, 2017
Re: Equifax
C-SPAN link for this morning’s House Financial Services Committee hearing.
Re: Re: Equifax
That C-SPAN video seems to end early — before the hearing resumes after the second recess.
Right now, I’m watching the rest of the hearing via YouTube. Currently, that YouTube video is embedded on the House Financial Services Committee homepage. I’m slightly surprised that video isn’t currently embedded on the committee’s hearing webpage.
I created my old yahoo email account solely to sign up for mailing lists with monetary kickbacks. The hackers can have that if they really want it.
Never trust a yesterday company to host a service that you can host yourself.
If they knew
If they knew that the hack included all accounts why didn’t they reduce the price more? Like half of what was offered.
Yahoos email service is dead or at least should be because of that breach and they don’t have that much more than that.
Imo bad move on Verizons side.
Wonderful. Also totally expected. I was always pretty sure that Yahoo wasn’t telling the whole story, and that they’d lost it all.
Also pretty sure that most of the e’mail they’d have seen was likely about 95% marketing and other spam making the privacy considerations close to nil. The real haul was all the reused passwords on other accounts which are entirely the user’s own fault.
I had a handful of yahoo accounts… over half got the notification that the nation state hacker had gotten into them.
Once I heard about the culture that was cultivated & the outright working around the security team I couldn’t leave them behind fast enough.
People thought I was silly to purge them all & shut them down. Given how bad the hack had been & how long it took them to fess up, I suspected it was way worse.
We can no longer trust any reported numbers involving hacks offered up by those who were compromised, they always lie & undersell the extent. They failed at the most basic levels & still want to make it look like it was no big deal.
There are plenty of alternatives out there, it only took me about 10 minutes to figure out which accounts secured other accounts as backups & then invent replacements.
The really horrible thing is, even generating a password that would take years to crack is pointless when encrypting the data isn’t done or uses the cheapest fastest way.
I’m kind of thorn on how much of a data breach is a problem considering even companies with the best security practices out there can still fall victim to an unsuspecting employee inserting a heavily contaminated usb stick. That said, breaches that bad and comprehensive (Yahoo, Equifax) should immediately spell the end of the company. Either by people flocking out or via government shutting it down for good. Yahoo is walking fast towards the end but Equifax got awarded new no-bid contracts worth millions by the govt.. So, yea, expect your data to be violated ad nauseam forever and nobody moving to fix it.
so the difference is?
“We got hacked and your data was stolen.”
vs.
“Your data can be shared with any of our 3rd party associated companies.”
"why anyone should have a Yahoo email account"
Because of yahoo groups and the niche communities that live in them.
I *hate* the neo interface but the inertia behind these groups is regrettably too much to force a change to a different platform.
Neither shocked nor dismayed... A bit gassy though.
I say we all go back to good old fashioned ink on paper snail mail…
At least when the government spied on you back then, the agent had to physically get your mail and sort through it…
That was exercise and that probably saved taxpayers millions in unnecessary health problems for these poor and probably now fat agents…
And you didn’t have criminals in Eastern Europe and Russia stealing your mail…
Unless that’s where you were sending it…
Come on folks… Who’s with me on this?…
Nobody?
Megh… Figures… Techy crowd…
Oh well…
But seriously… Is anybody surprised anymore?
I think we need to just start reporting on companies that haven’t been hacked in X number of days…
Maybe come up with an award… The “NoHacky”… Eh?
Well, I’m getting back to working on the future of mail… A cybernetic carrier pigeon drone with Siri technology, that you scream the subject of your letter at and then send it on it’s way… When or if it arrives it delivers the message using a form of primitive interpretive dance.
So far I’ve managed to duct tape a bunch of pigeons to drones… Next step is teaching them to dance…
Don’t be dismissive… The Internet sounded stupid when it was new and look how long it’s taken to become this stupid.