Yahoo Japan Data Breach: 22M Accounts Exposed (10% of all Yahoo accounts) - shirkey
http://www.informationweek.com/security/attacks/yahoo-japan-data-breach-22m-accounts-exp/240155216

======
btn
Claiming that this affects "10% of all Yahoo accounts" or that the breach in
June 2012 is related is disingenuous---Yahoo and Yahoo Japan are connected in
brand name only ("Yahoo" accounts are not valid "Yahoo Japan" accounts, and
vice versa).

~~~
shirkey
I agree -- in the headline, I took the number directly from the article as
they stated "[t]he potential data breach affects 10% of Yahoo's user base."

Another article clarifies that the total number of Yahoo Japan accounts is 200
million, so it was actually 10% of all Yahoo Japan accounts. My apologies for
contributing to that impression.

------
bluehex
I have a Yahoo Japan ID. The day after this was announced I got an email from
Yahoo Japan with a subject that translates "Requesting regular password
changes." I expected some kind of explanation or apology but the email didn't
even mention that there was a breach. It just went on about how I should
change my password from time to time and keep my passwords safe by not using
them on other sites etc. Given the news I found it kind of rude for them to act
like nothing happened, yet ask me to be more careful with my password.

パスワードを定期的に変更しましょう！ Let's be sure to change passwords from time to time!

パスワードの管理には気をつけて！ Be careful with your password management!

etc....

It reads like a direct translation of an English communication, and feels
culturally out of place.

~~~
tagawa
The same thing happened to me a couple of weeks ago. Got a patronising mail
from dinos.co.jp (ディノス) saying they were increasing their security measures
and that I should change my password. I went and checked a few news sites and
sure enough, they'd just had a massive breach. Disgraceful to not disclose it
in their mail, IMO.

Ironically, they also preached how important security is -
パスワードは、お客様の財産を守る重要な情報です (passwords are important information that protect your
assets).

------
ghshephard
It had never occurred to me that "User IDs" were all that confidential. At the
very least, the MTA pool will usually let you know (Just checked, Yahoo's MTA
does), so, if you are patient, and don't trigger its anti-DOS mechanisms
(usually by using a botnet to slowly, ever so slowly query them) - you can
brute force quite a few account names.

~~~
rurounijones
Japan's IPA (Information-technology Promotion Agency) include in their general
application development guidelines that user IDs should not be email
addresses for the exact reason that they "are easy to guess".

I spent some time arguing that this was a silly requirement but in the end I
had to change my program to use non-email address user IDs (which no one can
remember as they are specific to this application... )

------
jmathai
This sort of thing happens pretty regularly though nothing of this scale.
While I was at Yahoo! we dealt with 3M compromised accounts.

I feel for all the engineers involved in resolving this issue. We had a team
of 3 or 4 working on the resolution for a few weeks.

It's normally the result of a successful phishing attack. The affected users
probably have no idea their accounts were compromised.

~~~
hkmurakami
Out of curiosity, how do you go about "resolving" such a situation?

~~~
jmathai
At Yahoo! there's a dedicated security team that handled identifying the exact
cause and worked with us to resolve it.

To identify compromised accounts we looked for profile photos matching a
certain md5. The attackers were using the accounts for viagra links and
updated compromised account profile photos with one of about 50 photos.

Once we identified the accounts they were "quarantined". But the attackers got
smart and started shifting a pixel so that the md5 wouldn't match our set of
known bad photos.

There were other patterns we identified to isolate the compromised accounts
but it was ongoing which meant as we cleaned up accounts the attackers
adapted.

For the 3M accounts a bit was flipped in their account. The membership team
which handles logins handled the first step of the compromised user signing
in. They redirected the user to a specific page that took them through a
password reset flow. It wasn't the standard password reset flow. After all, we
couldn't know if it was the attacker or the user logging in.

This was all a while back but it was more or less something along those lines.
It was not fun.
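The md5-versus-shifted-pixel cat-and-mouse described in the comment above is a textbook exact-hash evasion. As an added illustration (not Yahoo!'s code, and not from the article), here is a dependency-free Python sketch that fingerprints constructed 8x8 grayscale "profile photos" two ways: an exact md5 over the raw bytes, which a one-pixel tweak defeats, and a perceptual average hash (aHash) compared by Hamming distance, which still matches. The photos, the one-pixel evasion model and the distance threshold of 5 bits are all assumptions made for the example.

```python
import hashlib

# Constructed sample "profile photos": 8x8 grayscale images as rows of pixel
# values 0-255. Real photos would be decoded and downsampled to 8x8 with an
# image library first; this stays dependency-free to show the hashing logic.
KNOWN_BAD_PHOTO = [[200 if col < 4 else 20 for col in range(8)] for _ in range(8)]
UNRELATED_PHOTO = [[200 if row < 4 else 20 for _ in range(8)] for row in range(8)]


def to_bytes(img):
    """Flatten the image into the raw byte string an exact hash would see."""
    return bytes(value for row in img for value in row)


def md5_hex(img):
    """Exact-match fingerprint: any single byte change yields a new digest."""
    return hashlib.md5(to_bytes(img)).hexdigest()


def average_hash(img):
    """Perceptual 'aHash': one bit per pixel, set when the pixel is brighter
    than the image mean. Small edits rarely flip bits, so near-duplicates
    hash close to each other."""
    pixels = [value for row in img for value in row]
    mean = sum(pixels) / len(pixels)
    return sum(1 << i for i, value in enumerate(pixels) if value > mean)


def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")


def tweak_one_pixel(img):
    """Model the evasion in the comment: nudge a single pixel by one level
    (assumed interpretation of 'shifting a pixel')."""
    rows = [list(row) for row in img]
    rows[0][0] += 1
    return rows


def exact_match(img, known_md5s):
    """The original detection: photo bytes must hash to a known bad digest."""
    return md5_hex(img) in known_md5s


def perceptual_match(img, known_ahashes, threshold=5):
    """Flag the photo if it is within `threshold` bits of any known bad hash.
    The threshold is a tunable assumption; set it too high and unrelated
    photos start matching (false positives on legitimate users)."""
    h = average_hash(img)
    return any(hamming(h, known) <= threshold for known in known_ahashes)


# The "set of known bad photos" from the comment, as both kinds of fingerprint.
KNOWN_MD5S = {md5_hex(KNOWN_BAD_PHOTO)}
KNOWN_AHASHES = {average_hash(KNOWN_BAD_PHOTO)}

if __name__ == "__main__":
    evaded = tweak_one_pixel(KNOWN_BAD_PHOTO)
    print("exact match after one-pixel tweak:", exact_match(evaded, KNOWN_MD5S))
    print("perceptual match after one-pixel tweak:", perceptual_match(evaded, KNOWN_AHASHES))
    print("perceptual match on unrelated photo:", perceptual_match(UNRELATED_PHOTO, KNOWN_AHASHES))
```

Two things to keep in mind before using this for real: aHash is deliberately crude (a cropped or heavily recoloured copy will drift past the threshold, which is why the comment mentions needing other patterns too), and on real images the 8x8 downsample step matters as much as the hash, since it is what makes a single-pixel edit invisible.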

------
mathrawka
The article has a few things that aren't correct, as posted by other users.

If you are using Yahoo! Japan, check out the feature I was in charge of...
alerting you when you have a login event on your account from a new device,
and possibly locking your account: <http://login.yahoo.co.jp/alert/intro>
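To make the "alert on a new device, possibly lock the account" idea concrete, here is an added Python sketch of such a login monitor. It is not the Yahoo! Japan feature's code, and the policy it encodes (alert on the first login from an unseen device, lock when more than a set number of distinct new devices appear within a time window) is an assumption chosen for the example; `device_id` stands in for whatever a real deployment uses to recognise a device, such as a long-lived random cookie.

```python
from collections import defaultdict, deque


class LoginMonitor:
    """Track which devices each account has used and grade every login.

    Policy (an assumption for this example, not Yahoo! Japan's actual rules):
      - login from a device already seen on the account    -> "known"
      - first login from a device never seen on the account -> "alert"
      - more than max_new_devices distinct new devices inside
        `window` seconds                                    -> "lock"
      - any login to a locked account                       -> "locked"
    """

    def __init__(self, max_new_devices=3, window=3600):
        self.max_new_devices = max_new_devices
        self.window = window
        self.known = defaultdict(set)         # account -> device ids seen
        self.recent_new = defaultdict(deque)  # account -> timestamps of new-device logins
        self.locked = set()

    def enroll(self, account, device_id):
        """Seed a device as trusted, e.g. the one used at signup."""
        self.known[account].add(device_id)

    def on_login(self, account, device_id, ts):
        if account in self.locked:
            return "locked"
        if device_id in self.known[account]:
            return "known"
        # New device: remember it and count recent new-device logins.
        self.known[account].add(device_id)
        recent = self.recent_new[account]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()   # age out entries older than the window
        if len(recent) > self.max_new_devices:
            self.locked.add(account)
            return "lock"
        return "alert"


# Constructed login events: (account, device id, unix timestamp).
SAMPLE_EVENTS = [
    ("alice", "dev-A", 1000),  # her usual device
    ("alice", "dev-B", 1100),  # new device -> alert mail
    ("alice", "dev-C", 1200),  # second new device inside the window
    ("alice", "dev-D", 1300),  # third new device -> lock
    ("alice", "dev-A", 1400),  # even the usual device is refused now
    ("bob",   "dev-X", 0),     # new device -> alert
    ("bob",   "dev-Y", 10),    # new device -> alert
    ("bob",   "dev-Z", 5000),  # earlier entries aged out -> alert, not lock
]


def run_sample(max_new_devices=2, window=3600):
    """Replay the constructed events and return one verdict per event."""
    monitor = LoginMonitor(max_new_devices, window)
    monitor.enroll("alice", "dev-A")
    return [monitor.on_login(*event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(event, "->", verdict)
```

The lock branch is the part to tune carefully: locking on too few new devices punishes people who simply cleared cookies or bought a phone, while a window that never ages out turns every account into a lockout waiting to happen.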

------
ezraroi
Wow.... I can't imagine what would happen if something like this happened to
Google or Facebook. If it happened to Yahoo, why not to them?

~~~
w1ntermute
Yahoo! Japan is an entity separate from Yahoo!. It is a joint venture between
Yahoo! and SoftBank (a Japanese telecom).

And to put this in context, IT in Japan is about a decade behind the West.

~~~
robertlaing
This is a gross generalization.

Sure, plenty of companies are behind. But quite a few are too in the US...
[http://www.pcworld.com/article/249951/if_it_aint_broke_dont_...](http://www.pcworld.com/article/249951/if_it_aint_broke_dont_fix_it_ancient_computers_in_use_today.html)

I'm also not sure that "new" means more secure in this kind of context either.
LinkedIn ain't exactly ancient and had a similar breach last year.

~~~
rurounijones
I would characterize the comment as more like "Attitudes towards development
practices are a decade behind" (rather than the tech itself necessarily) which
sounds pretty accurate[1] for most Japanese companies that are not part of the
newer "Gree" wave.

[1] Anecdotal data etc etc.

