
Yahoo mail hacked - eyeareque
http://m.washingtonpost.com/business/technology/yahoo-mail-hacked-what-to-do-if-youve-been-affected/2014/01/31/2857ef8a-8a7d-11e3-833c-33098f9e5267_story.html
======
coldcode
What third party database was stolen? As usual, they never tell you the
details.

~~~
pmorici
More importantly why the heck would you entrust a "third party" with
_passwords_ !? That just seems nuts.

~~~
spullara
This is why Yahoo and others have been trying to force people to use OAuth
instead of collecting passwords for forever. But due to "UX" people often just
grab the passwords and forward them to Yahoo to authenticate.

------
eyeareque
Of my three yahoo accounts that I have, one was compromised. The account that
was compromised has only been used with Craigslist and snapchat. I wonder if
this is related to a snapchat breach?

~~~
swang
Do you have a phone number tied to the Yahoo account?

~~~
eyeareque
I don't believe I have. Would that have made the attack easier?

------
shakeel_mohamed
Yahoo has had email security issues for years now, this is ancient news to me.
I ran away 7 years ago, and I thought I was slow to migrate.

~~~
null_ptr
Not to mention how junky their webmail interface looks. With large image ads
plastered all over, I just can't imagine looking at that every time I check my
e-mail.

~~~
thescrewdriver
It's called adblock. I can't imagine living without Yahoo's tabbed email
interface. Google is creepy enough as it is, the last thing I'm giving them is
my email.

------
Sindrome
What's new? My old yahoo address that I made when I was 12 has been hacked 3
times. All within the last 4 years. I use complex passwords. I don't have any
issues with anything other than yahoo.

A NOTICEABLE amount of the time I log into my yahoo account I get an error or
my email won't load. Sometimes I try to check my mail on my iPad and half the
time my mail won't load.

Yahoo mail sucks.

------
tokenadult
This story is more than two days old already. What's it doing on the HN front
page? (I changed all my more crucial passphrases more than a day ago, just out
of an abundance of caution.)

~~~
a-nom-a-ly
Where did you hear about this? Because this is the first I'm hearing about
it... don't be so selfish.

~~~
reeses
I got a very strange text message purporting to be from Yahoo!. I ignored it,
thinking that, at the very least, it was an attempt to grab logins during some
DNS poisoning attack.

------
jmspring
Of the free email providers, why is it that Yahoo seems to be the most hacked
out of any of them? They really need to clean up their efforts.

~~~
mvikramaditya
Could be that the typical Yahoo mail user is less technically savvy than the
users of other email providers and more prone to making mistakes which makes
it easier for the account to be hacked.

~~~
jmspring
I don't know, hotmail, aol, yahoo...I see them all at about the same level of
general ability.

------
aluhut
Wow, I had the feeling it must have been in the 90s when I checked my yahoo mail
account last time, but this thing has existed since 2004/2007. Time/designs change
so fast.

~~~
thescrewdriver
There was a major redesign very recently. I prefer it to the annoying gmail
UI.

------
lexalizer
The change password form seems to be buggy. I cannot change my password for an
existing account that has not been compromised.

------
ams6110
Passwords are broken. Everyone should use two factor auth where available, and
demand it where it is not.

~~~
yeukhon
The problem with two-factor is that if user forgets the device the options to
bypass two-factor can be limited and inconvenient. If I happen to be using a
public computer because I need to retrieve something urgently from my email,
Google will make it so hard that I can't access it immediately.
([https://support.google.com/accounts/answer/185834?hl=en&ref_...](https://support.google.com/accounts/answer/185834?hl=en&ref_topic=1099588#phone))

Passwords seem broken for two reasons:

1. Password requirements vary and are a pain in the ass. Some sites will ask
for at least 8 characters, a mix of uppercase and lowercase, one occurrence of a
non-alphanumeric character, and a password of at least a certain length. Some
even go as far as no repeating characters or a max password length (8-15
characters).

While the intention is great, it makes password so hard to remember and people
are less likely

2. Every website runs its own password management. How the heck can I tell
website X is actually hashing my password and doing it correctly? I can't.

Persona - single identity is probably the way to go. Adding multi-factor auth
will be great. But again, I argue that the password by itself is not entirely
broken. If the attacker can access the database directly by ssh into the
server, then there is also a possibility that the app server can be
compromised, and therefore altering app code is just a fingertip away. This is
the highest level of attack and the story is over at this stage.

I personally think the password is not entirely broken. It has value. By itself it
may not be as strong as having multi-step authentication. Authenticating
yourself with key-only, or device-key only, is the worst thing ever. It's like
running an EC2 instance. If I delete the instance's key off my computer, I will
cry.

So keeping infrastructure secure is important. Multi-factor authentication on
the server side is critical. Keeping the database apart from the app server is
critical too.

~~~
ams6110
I probably should have been more explicit in my comment. I think that
passwords in theory can be OK. In a perfect world where websites use strong
password hashes, and users don't use easily guessed passwords, or share
passwords across sites, or fall for phishing and other social engineering
hoaxes, they work.

The problem is that never happens. I think at this point we need to admit that
human nature being what it is, it will not happen. So we need to move away
from passwords being the sole authenticator for online services.

------
ApacheEcho
Yahoo really has to get a leg up on security. This happens almost every other
week.

~~~
thescrewdriver
Perhaps you could link to some evidence of previous password compromises? It
shouldn't be hard since you claim it happens every other week...

~~~
mmmm
From 2012: [https://dazzlepod.com/yahoo](https://dazzlepod.com/yahoo)

I don't think anyone could say that it happens every week - but it did happen
back in 2012.

