
Yahoo hack warning: What happened and should you be worried? - smokinn
http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-warning-happened-should-worried/
======
cm2187
How could someone forge a cookie after stealing the source code? Did yahoo use
a hardcoded private key in the code? Then any developer at yahoo could have
broken into an account. That cannot be right.
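The scenario cm2187 is guessing at (a cookie-signing key that lives in the source tree) is easiest to reason about with a concrete signed-cookie scheme. The block below is an added illustration, not Yahoo's cookie format or code: the `uid|expiry|mac` layout, the key names and the sample key are assumptions. It shows that whoever holds the signing key can mint a valid cookie for any user, which is exactly why the key must be loaded from a secret store rather than committed, and that rotating the key is the mitigation that invalidates every cookie minted under the old one.

```python
"""Added illustration: HMAC-signed session cookies and why the signing key,
not the code, is the secret. Not Yahoo's scheme; layout and names assumed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def mint_cookie(key: bytes, user_id: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Issue a cookie that any server holding `key` will accept until expiry.

    Note that nothing here depends on a password: possession of `key` is
    sufficient to produce a cookie for any user id.
    """
    if now is None:
        now = time.time()
    expiry = int(now) + ttl_seconds
    payload = f"{user_id}|{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(key: bytes, cookie: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    if now is None:
        now = time.time()
    try:
        user_id, expiry_s, mac = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(key, f"{user_id}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check itself leaks nothing.
    if not hmac.compare_digest(expected, mac):
        return None
    if now >= expiry:
        return None
    return user_id


def rotate_key() -> bytes:
    """Generate a fresh 256-bit key. Every cookie minted under the previous
    key stops verifying, which is the standard response to a suspected
    key leak (at the cost of logging all users out)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed demo key; a real deployment loads this from a secret
    # store at runtime, never from a constant in the repository.
    key = b"constructed-demo-key-not-a-real-secret"
    cookie = mint_cookie(key, "alice", ttl_seconds=3600)
    print("valid:", verify_cookie(key, cookie))
    print("after rotation:", verify_cookie(rotate_key(), cookie))
```

The defensive checks worth keeping from this sketch are the constant-time comparison, the explicit expiry in the signed payload (a leaked key still only yields short-lived cookies), and a rotation path that can be exercised without a code deploy.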

~~~
niftich
It doesn't answer your question precisely, but I asked a similar (albeit more
incredulous) question a few months back [1] and got a thread full of educated
speculation from current and former Yahoo devs.

[1]
[https://news.ycombinator.com/item?id=13180234](https://news.ycombinator.com/item?id=13180234)

------
smoyer
"After disclosing two distinct hacks late last year, one of which implicated a
billion users, Yahoo ..."

This is a weird place to use implicated as it makes the reader think those
billion users are to blame for the hack. If that's true, it's a human-scale
DDOS - no IoT devices needed.

~~~
mmaunder
Grammatical error, along with many others in the article. Nothing sinister
about it.

~~~
WillPostForFood
Implicate has a negative connotation in common usage, and for that reason
probably isn't the best choice, but it really just means "entwine." In that
more traditional sense, the wording makes sense, it is saying they were caught
up in the hack.

------
publicarray
I don't think it's a new hack; it's just that the internal investigation has
led to more findings of the already talked about cookie hack:
[https://www.tripwire.com/state-of-security/featured/more-yahoo-users-warned-of-malicious-account-access-via-forged-cookies/](https://www.tripwire.com/state-of-security/featured/more-yahoo-users-warned-of-malicious-account-access-via-forged-cookies/)

------
djhworld
Remember that if you deleted your account the last time a breach was reported,
DO NOT attempt to log in to that account to check, as this will reset the
deactivation window of 90 days before permanent deletion.

I made that mistake last time, "deleted" my Yahoo account when there was a
breach, promptly forgot about doing that, then about 75 days later another
breach was announced, so I logged in to "delete" my account... now I have to
wait another 90 days before it's gone.

~~~
a1a
I'd recommend deleting all content associated with the account and removing
the address from any third party site (recovery etc).

I would however never actually delete the account.

My concern with deleting the account is that it exposes you to some really
nasty impersonation attacks. It is free to keep. Just keep it.

~~~
ma2rten
I don't know about Yahoo, but most services will not allow you to re-register a
previously deleted account.

~~~
JustSomeNobody
I vaguely recall that yahoo does recycle old email addresses.

------
avenoir
Has anybody ever seen Y! Confidential link pop-up in the bottom right corner
of some Yahoo! articles which seemed to redirect to an internal corporate
site? It came and went away at least a dozen times and in some instances it
stayed for days.

~~~
ryanlol
[https://www.google.com/search?q="Y%21+Confidential"](https://www.google.com/search?q="Y%21+Confidential")

Certainly lots of very confused people keep seeing it.

~~~
normaljoe
Most of the answers seem to suggest this is some sort of tracking or malware.
It is not, but you still shouldn't be seeing it. That is only supposed to be
seen by Yahoo employees, and the internal links are there so they can report
bugs easily. It's also present on betas but shouldn't be seen on the
outside. It looks like somebody messed up and let it go to prod without having
an employee check.

------
paulpauper
Yahoo has been useless to me and others for years. It's just a holding company
for Alibaba that also has an email service and a Japanese website.

------
raverbashing
I wonder how many people got that "a forged cookie may have been used" email.
I suppose they're sending it even if the chance is remote.

------
nthcolumn
Dear Yahoo user,

We are writing to inform you about a data security issue that may involve your
Yahoo account information. We have taken steps to secure your account and are
working closely with law enforcement.

What happened?

In November 2016, law enforcement provided Yahoo with data files which a third
party claimed were Yahoo user data. We analysed this data with the assistance
of external forensic experts and found that it appears to be Yahoo user data.
Based on further analysis of this data by the forensic experts, we believe
that an unauthorised third party stole data associated with a broader set of
user accounts in August 2013, including yours. We have not been able to
identify the intrusion associated with this theft. We believe that this
incident is likely distinct from the one that we disclosed on 22 September
2016.

What information was involved?

The stolen user account information may have included names, email addresses,
telephone numbers, dates of birth, hashed passwords (using MD5) and, in some
cases, encrypted or unencrypted security questions and answers. Not all of
these data elements may have been present for your account. The investigation
indicates that the stolen information did not include passwords in clear text
form, payment card data or bank account information. Payment card data and
bank account information are not stored on the system that we believe was
affected.

What we're doing

We are taking action to protect our users: We are requiring potentially
affected users to change their passwords. We invalidated unencrypted security
questions and answers so that they cannot be used to access an account. We are
constantly enhancing our safeguards and systems that detect and prevent
unauthorised access to user accounts.

What you can do

We encourage you to follow these security recommendations: Change your
passwords and security questions and answers for any other accounts on which
you used the same or similar information used for your Yahoo account. Review
all of your accounts for suspicious activity. Be cautious of any unsolicited
communications that ask for your personal information or refer you to a web
page asking for personal information. Avoid clicking on links or downloading
attachments from suspicious emails. In addition, please consider using Yahoo
Account Key, a simple authentication tool that eliminates the need to use a
password on Yahoo altogether.

For more information

For more information about this issue and our security resources, please visit
the Yahoo Account security issues FAQs page available at
[https://help.yahoo.com/kb/index?locale=en_AU&page=content&y=PROD_ACCT&id=SLN27925&actp=productlink](https://help.yahoo.com/kb/index?locale=en_AU&page=content&y=PROD_ACCT&id=SLN27925&actp=productlink).
Protecting your information is important to us and we are constantly working
to strengthen our defences.

Yours sincerely,

Bob Lord
Chief Information Security Officer
Yahoo
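The notice above says the stolen records held "hashed passwords (using MD5)". The practical difference between that and a purpose-built password hash is easy to show in code. The block below is an added illustration and not Yahoo's code: the record format (`pbkdf2$iterations$salt$digest`), the iteration count and the sample passwords are constructed. Unsalted MD5 maps equal passwords to equal digests and is designed to be fast, so a stolen table can be attacked offline at speed; a salted, deliberately slow hash makes each guess expensive and each record independent. It also shows the usual migration path: flag legacy records and upgrade them at the user's next successful login.

```python
"""Added illustration: unsalted MD5 password storage versus a salted, slow
password hash (PBKDF2-HMAC-SHA256 here, because it is always in the
standard library; scrypt or Argon2 would be the preferred choice).
Not Yahoo's code; record layout and parameters are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor for the demo; tune upward for production.
PBKDF2_ITERATIONS = 200_000
DKLEN = 32


def md5_store(password: str) -> str:
    """Legacy style: unsalted, fast. Equal passwords give equal records,
    so one cracked hash unlocks every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record that carries
    its own parameters so they can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 iterations, dklen=DKLEN)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    iterations, dklen=len(stored))
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str) -> bool:
    """True for legacy (MD5) or under-parameterised records. Call this after a
    successful login and rewrite the record with pbkdf2_store while the
    plaintext is still in hand."""
    if not record.startswith("pbkdf2$"):
        return True
    try:
        return int(record.split("$")[1]) < PBKDF2_ITERATIONS
    except (ValueError, IndexError):
        return True


if __name__ == "__main__":
    # Constructed sample passwords for the demo.
    print("md5 equal for equal passwords:",
          md5_store("correct horse") == md5_store("correct horse"))
    a, b = pbkdf2_store("correct horse"), pbkdf2_store("correct horse")
    print("pbkdf2 records differ (fresh salts):", a != b)
    print("verify ok:", pbkdf2_verify("correct horse", a))
    print("legacy needs rehash:", needs_rehash(md5_store("correct horse")))
```

The migration helper is the part most teams forget: storing the parameters inside the record is what lets the iteration count be raised over time, and checking `needs_rehash` at login is what eventually empties the legacy MD5 column without ever needing the plaintexts in bulk.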

------
trome
Jeez, how do they still have a positive net worth? Like seriously, obviously
their users & user data are worthless, they don't care about it getting stolen,
nor do they seem serious about fixing their dilapidated, insecure systems.

This is just a case of poor management, if Google, Facebook, Twitter and
others can figure out how to secure their sites, Yahoo can.

~~~
sandworm101
And you think those other sites are more secure? The differences are slight.
Giant public websites are tricky. It is very hard to deploy real security
across such a large team/platform. Even if you make the effort, some security
measures simply won't fly, especially in regards to change control or network
segmentation. This sort of bug is only one level of the issue.

Open up any random NIST, ISO or even PCI doc to see what is involved above and
beyond bug squashing.

~~~
bogomipz
I took the OP's comments as referring to the fact that management either:

a) didn't know the company was hacked.

b) claimed they didn't know they were hacked,

c) didn't bother to do proper discovery to quantify the extent of the hack
until years later.

~~~
sandworm101
And that would have been covered under NIST or ISO or any other reasonable
standard. My point is that once you look into these companies, get beyond the
tech stuff, virtually none implement proper security on such large
deployments.

~~~
bogomipz
>"virtually none implement proper security on such large deployments."

Can you provide a citation for this? Otherwise it seems you are suggesting
because Yahoo was lacking that this means all SV tech giants are lacking.

~~~
sandworm101
Well, NDAs make it hard to find actual reports, but take Ashley
Madison. Millions of users, talk of a billion-dollar IPO, and the post-hack
report by the Canadian and Australian privacy ministers found they had no
formal security plan.

~~~
digler999
So according to your logic, one massive hack means all sites are insecure?

~~~
sandworm101
No... working as a compliance attorney, along with all the industry contacts
that entails, along with a steady stream of reports such as the OP (also
Target et al.) gives me grounds to say that proper security is not an industry
norm, that the opposite is more likely.

In doubt? Ask around for how many organizations have a dedicated CISO or
privacy officer.

~~~
bogomipz
And Yahoo, the company we are discussing, has a full-time CISO, now at Facebook:

[http://www.businessinsider.com/alex-stamos-leaves-yahoo-to-be-facebook-chief-information-security-officer-2015-6](http://www.businessinsider.com/alex-stamos-leaves-yahoo-to-be-facebook-chief-information-security-officer-2015-6)

As does Google: [http://www.csoonline.com/article/2928798/security-leadership/googles-new-cybersecurity-chief-or-chef.html](http://www.csoonline.com/article/2928798/security-leadership/googles-new-cybersecurity-chief-or-chef.html)

As does Twitter:
[https://www.linkedin.com/in/mcoates](https://www.linkedin.com/in/mcoates)

As does Uber: [https://newsroom.uber.com/joe-sullivan-joining-uber-as-first-chief-security-officer/](https://newsroom.uber.com/joe-sullivan-joining-uber-as-first-chief-security-officer/)

As does Apple: [http://www.reuters.com/article/apple-encryption-executive-idUSL2N16Q23O](http://www.reuters.com/article/apple-encryption-executive-idUSL2N16Q23O)

As does Amazon:
[https://www.rsaconference.com/speakers/stephen_schmidt](https://www.rsaconference.com/speakers/stephen_schmidt)

So I would say it's pretty common. Just because it's not common at the Ashley
Madisons and Targets doesn't mean it's uncommon elsewhere.

~~~
sandworm101
Lol, that is like 1% of the industry. For every Facebook there are 100s of
smaller shops with websites taking money and handling PII. Being not-Facebook
doesn't mean you aren't in the big leagues with millions of customers.

~~~
bogomipz
And that 1% of the industry is exactly the context for these comments; the
company being discussed here is Yahoo. I guess you didn't read the part where
I specified "SV tech giants"?

------
libeclipse
Is there a better source? That link just mentions it in the title and then
plugs other articles they've posted for the rest of it.

EDIT: This seems like a better source:
[http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-warning-happened-should-worried/](http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-warning-happened-should-worried/)

~~~
OJFord
And it ends in a quick how-to for deleting your Yahoo account!

That's surely a death knell for Yahoo, as if it needed another?

~~~
remx
You can delete your account here:
[https://edit.yahoo.com/config/delete_user](https://edit.yahoo.com/config/delete_user)

