
Yahoo discloses hack of 1B accounts - QUFB
https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users
======
Arubis
Fittingly, attempting to change my password to a 32-character random string
generated by 1Password returns an error that the password "cannot contain my
email or username", regardless of the contents of that random string (I tried
several).

It does, however, _happily_ accept `passwordpassword` and cheerily move along
to confirming that my recovery email account from 2003 is still valid.

~~~
duaneb
Gonna guess that's a bad message for a password length violation or something
else.

Not that it's much better. Is it so hard to allow 50 character passwords?

~~~
AsyncAwait
if the password is stored properly, (i.e. bcrypt), the number of characters
shouldn't matter at all, be it 50 or 5000.

~~~
sk5t
It sort of does matter for bcrypt, surprisingly:
[http://security.stackexchange.com/questions/39849/does-
bcryp...](http://security.stackexchange.com/questions/39849/does-bcrypt-have-
a-maximum-password-length)

In the interests of hewing closest to cryptographic reality, I design not to
allow a password longer than the algorithm can usefully use.

~~~
dlubarov
I think it's best to allow longer passwords for those who use long phrases.
It's easier to remember the full phrase than a truncated version. You could
show a warning that the extra chars beyond 50-55 will be ignored.

~~~
kijin
Or you could SHA256 the original password and feed the hash to bcrypt.
Remember to use the 64-byte hexadecimal hash, not the 32-byte binary because
bcrypt chokes on null bytes.

Everyone's been saying "just use bcrypt", but bcrypt has too many gotchas to
be the default choice. We really need to work on getting scrypt and argon2
into the most popular programming languages and frameworks a.s.a.p.

~~~
blowski
> Everyone's been saying "just use bcrypt", but bcrypt has too many gotchas to
> be the default choice

This has got to be the underlying problem of modern security. By the time a
best practice is well known, it's no longer best practice.

~~~
dajohnson89
I think that's a good observation. The implication seems to be that we're not
iterating fast enough, or not sufficiently fast in implementing
changes/improvements.

On the flipside, isn't there a risk of moving too quickly? There's a certain
culture of caution because there's something to be said for "if it aint broke,
don't fix it." and even if something is broke, how certain are we that cool
new encryption algorithm is better or safer?

------
niftich
> August 2013

> _hashed passwords (using MD5)_

I don't even know what to say.

> _investigating the creation of forged cookies that could allow an intruder
> to access users ' accounts without a password. Based on the ongoing
> investigation, we believe an unauthorized third party accessed our
> proprietary code to learn how to forge cookies_

How is this possible? Aren't most auth cookies just a session ID that can be
used to look up a server-side session? Did they not use random, unpredictable,
non-sequential session IDs?

~~~
jsjohnst
1) As Yahoo "upgraded" all password storage in UDB (where all login /
registration details are stored) to be bcrypt before 2013, I'm curious how
this was possible.

2) Yahoo doesn't use a centralized session storage. If you know a few values
(not disclosing the exact ones) from the UDB, it's theoretically (guess not so
theoretical now) possible to create forged cookies if you steal the signing
keys. To my knowledge, the keys were supposed to only be on edit/login boxes
(but it's been a while so I may be forgetting something), so this is a pretty
big breach.

~~~
normaljoe
I'm guessing by your handle I know who you are :). Ex-Yahoo super chat
moderating guy here, which should let you know me.

Wouldn't the upgrade require the accounts to actually login to migrate
password? Last I was at Yahoo there was at least 3B junk accounts in UDB. With
out knowing details I am guessing that many of the "compromised" accounts fall
into that bucket.

I get that membership can't just trash junk accounts but marketing was very
aware of them. Paranoids also can't just say a compromised junk account is not
a compromise, they are too paranoid for that.

This unfortunately sounds bad PR wise, with little knowledge of actual impact.
On the flip side I'm pretty sure I am not on the radar of the state actor
since they would more then likely be looking at their own.

~~~
jsjohnst
Just to confirm, purple Yahoo! car in YEF spot ;)

As to your question, no, they didn't need to login due to how the hash
"upgrade" was done (unlike how Tumblr did it around the same time). I was one
of the people in the billion accounts and I definitely have logged in and also
changed my password multiple times (also have very high entropy passwords and
use TFA).

~~~
normaljoe
It wasn't me despite your DR Ycan't photos. :)

Tumblr was indeed what I was thinking about.

------
kstrauser
DO NOT delete your Yahoo account! In their disclaimer when you delete it, they
state:

> "[...] we may allow other users to sign up for and use your current Yahoo!
> ID and profile names after your account has been deleted"

Bummer if you forget that it was the password reset email for your Facebook
account, huh? Instead of deleting your account, purge it of all data:
[https://honeypot.net/purge-your-yahoo-account/](https://honeypot.net/purge-
your-yahoo-account/)

~~~
2sk21
This is a terrible policy. Do other email providers have a similar policy?

~~~
mkj
Probably not that terrible if they only do it for accounts that were created
and never used. Like all the good GitHub usernames that seem to be abandoned.

~~~
hobarrera
GitHub usernames and emails are very different things. You don't get password
reminders sent to your github profile, but you _can_ get those via email.

BTW, no, most email providers never allow the reuse of close account names.

------
alyandon
"Separately, we previously disclosed that our outside forensic experts were
investigating the creation of forged cookies that could allow an intruder to
access users’ accounts without a password. Based on the ongoing investigation,
we believe an unauthorized third party accessed our proprietary code to learn
how to forge cookies."

So that exactly explains how my Yahoo account was used to send spam despite
having a password that can't be reasonably brute forced (despite them using
MD5). :-/

~~~
ubercore
What do you mean by a password that can't be reasonably brute forced?

EDIT: To clarify, I mean specifically with md5. I'm by no means an expert,
just curious because I had considered md5 so broken that this comment caught
my attention.

~~~
parenthephobia
Rumours of MD5's death have been greatly exaggerated.

MD5's weakness is that it's (relatively) easy to produce two strings which
have the same hash. However, given an MD5 hash, it's not easy to produce a
string which also has that hash.

 _In principle_ , one could intentionally construct two passwords which have
the same hash. It's hard to see how that could be exploited maliciously - any
attacker knows both passwords to begin with. Even then, making colliding
strings that would make acceptable passwords hasn't been done yet, AFAIK: the
shortest colliding strings found so far are 64 bytes long and contain several
unprintable characters.

OTOH, computers are fast enough now that brute-forcing MD5 is practical for
short strings with a limited set of characters, which is what passwords tend
to be. One should use algorithms like PBKDF2, scrypt, and bcrypt which can
increase their complexity as the computation capacity of potential attackers
increases. This isn't because of a particular weakness in MD5, though, and one
should equally avoid storing passwords as SHA-512 hashes, say.

The thing you _definitely_ shouldn't use MD5 for is digitally signing a file
you didn't make, because it's possible that whoever did make it also made
another file with the same MD5 hash, for which your signature would also be
valid.

~~~
manquer
On a side note: You can use such crafted strings as a black box testing tool
to verify if a site does infact use md5 or other weak algorithms to store the
passwords. This can perhaps be used in conjunction with other factors to craft
an attack.

As a corrollary this can also be used as a testing tool by anyone for any
third party site to determine known vulenrablities in their password storage

------
kajecounterhack
Related: former Yahoo security engineer talks about a backdoor Yahoo installed
for the NSA to read private emails...behind their security teams' backs...

[https://diracdeltas.github.io/blog/surveillance](https://diracdeltas.github.io/blog/surveillance)

------
ilarum
In case you are looking for the important information, it seems to be MD5 hash
without salt.

~~~
chillydawg
Bloody hell. Sloppy and incompetent.

~~~
dopamean
I'm genuinely curious how the decision to use MD5 gets made. Who says, "hey,
maybe we should use MD5." And then who responds, "that sounds like a great
idea Bob." Seriously. I've known for years that MD5 is insufficient for
hashing passwords and I'm just some random guy. This kind of thing really
baffles me.

~~~
x0
And nobody ever seemed to say "hey, maybe we should be using something more
secure". Yahoo's been around for how many decades, and the fact they were
still using MD5 in 2013 is just shameful. Yeah if it was some legacy code from
1993 you can probably excuse it, but I just can't believe after 20 years
nobody thought it was a problem.

I'm not really a software developer but I really can't imagine it being a huge
change. Instead of md5(pass) you could probably just change that to
secure_hash(md5(pass), salt), add another column in the database for the salt,
and rehash all the passwords. Customers wouldn't notice. Rehashing the
databases would take a while, but otherwise that's really not a huge amount of
work.

~~~
ashark
Well, you can only rehash if you have the plaintext password. So you have to
wait until they login again, or force a password reset for everyone. In the
former case you're stuck with a bunch of md5 passwords hanging around for any
account that's not very active, and for the latter you'll lose some percentage
of active accounts whose reset process is for some reason no longer
functional. You could mix-and-match the two methods (start with the former,
force the latter on any stragglers after, say, a few weeks) to minimize the
damage, but that's more work and a number that someone somewhere in the
organization finds very important is still probably gonna go down.

(I've never had to do this myself, so these are just the most obvious options
I came up with. Possibly there are others.)

~~~
manarth

      You can only rehash if you have the plaintext password
    

There are techniques to rehash, even without the plain-text password, and
without the user having to login to trigger a rehash.

Drupal 7 used such a technique for upgrades from Drupal 6, migrating from MD5
to a salted sha512 hash, but it's not an uncommon technique.

The old passwords are stored as MD5 hashes in the databases. The MD5 hash is
processed through the same techniques as new passwords: a salt and the new
sha512 hash. Provide a way to identify whether the origin was a password, or
an MD5 hash.

Either way, you end up with a hash. You can identify whether the origin was a
password, or an MD5 hash, but you can neither determine the origin MD5 hash,
nor the origin password, as the new hash is secure. So even if the original
MD5 hash was insecure, the new hash _is_ secure.

When someone attempts to login, you still need to determine which password-
validation to use: hash = sha512(salt + password), or hash = sha512(salt +
MD5(password)), but the security level is the same.

~~~
leereeves
> hash = sha512(salt + MD5(password))

Passing the password through MD5 reduces the complexity to 128 bits, you can't
get that back.

So the security level is not the same, though it may be resistant to some
attacks on MD5.

And it's probably not important for most people, since there are less than
2^56 eight character ASCII passwords.

~~~
manarth

      > "Passing the password through MD5 reduces the complexity to 128 bits, you can't get that back."
    

Assuming that the new hash is secure (and sha512 is generally agreed to be
secure), then, given a specific sha512 hash, the original MD5 hash can only be
determined via rainbow tables, which is a Big-O operation. Even though entropy
is reduced, it's still a significant work to determine the original MD5 hash
(significant in this instance being longer than the heat-death of the Sun,
given current extrapolations of computing performance).

Attacks against MD5 are based around knowing the original MD5 hash. In this
instance, the original MD5 hash is unknown, so there is no mathematical
shortcut to finding a collision.

~~~
leereeves
In this case an attacker isn't looking for a _collision_ (which would mean
creating two passwords with the same hash, and what hash that is doesn't
matter).

The attacker needs a password with a specific hash, and the best reported
attack for that is around 2^128.

~~~
manarth
Agreed, that the best reported rainbow-table attack on MD5 is 2^128 (i.e. the
complete range of possible MD5 hashes).

Personally, I'm willing to chance that my password will be discovered via a
brute-force attack within the next 0.65 billion billion years [1]

[1] [http://bitcoin.stackexchange.com/questions/2847/how-long-
wou...](http://bitcoin.stackexchange.com/questions/2847/how-long-would-it-
take-a-large-computer-to-crack-a-private-key)

~~~
leereeves
I think it does make sense to be cautious.

A new preimage attack could be discovered - or might already have been,
secretly.

------
ausjke
I'm speechless.

More and more are migrating to cloud these days, I expect more and more
epidemic leakage will come.

I host everything myself except for email, which is always a headache but
contains more private info than all others I manage combined. Maybe it is time
to run a small email server again but it is easily said than done, gosh please
give me something like a working PGP or whatever for safe emails(PGP is dying
from what I read)...

~~~
cimi_
> PGP is dying from what I read... Can you please provide some references for
> this? What are the alternatives?

~~~
huskyr
[http://arstechnica.com/security/2016/12/op-ed-im-giving-
up-o...](http://arstechnica.com/security/2016/12/op-ed-im-giving-up-on-pgp/)

------
CiPHPerCoder
If anyone else has screwed up and used MD5 for passwords and doesn't know a
good way to migrate towards something secure:
[https://paragonie.com/blog/2016/02/how-safely-store-
password...](https://paragonie.com/blog/2016/02/how-safely-store-password-
in-2016#legacy-hashes)

------
AdmiralAsshat
Well on the upside, if you changed your password as a result of the hack from
a few months ago, you should theoretically be safe against this one which
happened in _2013_.

Those security questions, on the other hand, are still fair targets.

~~~
SomeCallMeTim
I had a Yahoo account entirely to use a Yahoo email list; I used to have it
for Yahoo chat, but I haven't used that in years.

So I ignored the hack a few months ago. I also never got notified that I was
vulnerable.

Just now I tried to log in to see if my password had been invalidated. Nope.
It was my old insecure "pattern-based" password (myprefixYAHOO) that I use
nowhere any more. Probably short enough to have brute forced with MD5 in a few
minutes at most.

And yet...no spam sent from my account. No spam _in_ my account (except some
kind of announcement from "Aabaco, the new name of Yahoo Small Business" from
a year ago. Just some of the mail from the email list that petered out over
two years ago as the list transitioned into a Meetup group.

So I guess Yahoo either has considerably more than 1B users, or there were
simply _so many_ compromised accounts that they didn't bother trying to use
all of them to send spam.

Changed the password just now to something secure "just because", but it's
hard to care.

~~~
Endy
It's more that there's more then 1B accounts out there - remember that this
isn't just "yahoo.com" that got affected, it's Yahoo, YMail, RocketMail,
yahoo.co.jp (a HUGE community btw), and several others which all fall under
the "Yahoo accounts" umbrella. Not every account was hacked by any means;
terrifyingly, the number of accounts isn't nearly what you'd expect as a
percentage of "Yahoo accounts".

~~~
jsjohnst
Yahoo! Japan is separate from Yahoo! "worldwide". They actually run separate
parallel infrastructure for many things, so I highly doubt YJP was part of the
one billion accounts.

------
ponco
I almost hope the data is made somewhat public so Troy /
[https://haveibeenpwned.com/](https://haveibeenpwned.com/) can get a hold of
it and provide the public with reassurance.

~~~
inopinatus
By now I suspect you can simplify it down to just matching on the RHS for any
domain registered to Yahoo.

~~~
longwave
A number of ISPs have used Yahoo to provide mail services in the past, so it's
probably not quite as straightforward as that.

~~~
manarth
And not just small ISPs, but major ISPs, such as BT (with 32% of the broadband
market-share in the UK).

------
myared
One day, this will be Google announcing they've had a breach of this size. Not
looking forward to that day.

~~~
d0lph
At the very least they probably wouldn't be using md5.

------
phantom_oracle
there's a couple of things that these major providers getting pwned teaches
you:

1) their security isn't good just because of their scale/size (that begins to
seem more and more like a false-assumption nowadays)

2) migrating your email to a new provider is quite difficult (consider that
the average person will have just 1 - or 2 - email accounts and they link
EVERYTHING to it)

3) the price of ads/convenience is no longer worth it. I'm assuming at least a
sizable minority of internet users are using ad-blockers these days. They
can't get your eyeballs, so they package and sell your data. Granted, you can
probably now get the same (raw) data on the black market by paying a fraction
in bitcoin and you'll get to see those billions of emails telling people
someone attacked their farm in farmville from 2009

Lastly (and I really hope this happens), Yahoo implodes/collapses (cause the
average Joe won't migrate willingly) and leaves a vacuum for their 500+
million email users. Hopefully the smaller providers (Proton, Migadu, Posteo,
Tuta, etc.) get at least 10% of these users and the email-cartel is broken
(somewhat).

~~~
Endy
If Yahoo goes down, I won't have email; or at best I'll maybe keep a Zoho. I
hate Google's mail interface, I hate the way they make 'conversations' out of
discrete emails, and I especially hate their lack of folders. I use GMail
begrudgingly at work, and only when necessary, and every time, I look at it
and go, "what dipshit ever thought this was a functional way to deal with
email?" As a dedicated Windows user, I'm more likely to use iCloud than GMail
if Yahoo goes down; but I doubt that.

I like Yahoo email as a user. Yes, they've made mistakes, and I accept that.
I'd prefer their mistakes over Google's superiority complex.

~~~
kej
> I especially hate their lack of folders

GMail supports labels as folders. When you create a new label it will ask you
if you want to nest the label under another label and you can do this
repeatedly to make a nested folder structure.

Crucially, this will show up as nested folders via IMAP.

~~~
Endy
No, no - I understand that you can think this, and that they claim it, but
from a UI angle, it's wrong. I hate the implementation of labels.

They don't actually disappear when I click on inbox. When I want my inbox, I
want just that folder - all filtered content goes elsewhere and disappears
until I want it. That's not GMail's way.

~~~
kej
I have a giant folder hierarchy in my gmail, so I assure you this can work.

In your case it sounds like you're taking a message with the "Inbox" label and
adding the "some/folder" label, which will indeed still show it in both
places. If you _move_ the message, which removes "Inbox" and adds
"some/folder" it will no longer show up in the Inbox.

------
copser
Wait, according to this,

""" Based on further analysis of this data by the forensic experts, we believe
an unauthorized third party, in August 2013, stole data associated with more
than one billion user accounts. We have not been able to identify the
intrusion associated with this theft. We believe this incident is likely
distinct from the incident we disclosed on September 22, 2016. """

this incident occurred in 2013 and 2016, or they needed three year to figure
this hack out. How is this possible?

------
anigbrowl
It baffles me that Yahoo continues to live an independent existence. It's like
a Terminator that never had a clear mission and now just wanders around
randomly banging into things.

------
uptown
When credit cards are compromised, the responsible party is usually
responsible for providing identity theft protection. Why not tech firms that
seek to store sensitive personal information? Maybe it'd scale back the desire
for every firm to collect as much personal info as you'll provide them.

~~~
djsumdog
To be fair, that identity theft protection is lip service/worthless bullshit.

~~~
shawn-furyan
True, however, it does put SOME price on data collection, rather than leaving
it in the realm of pure externality. The deterrent of cost is the benefit, not
the protection itself.

On the other hand, adding a price may embolden deep pocketed organizations to
'pay to absolve' for losing data to hackers on an ad hoc basis as a cheaper
alternative to strong security and limiting data collection scope. In that
case, the impotence of ID theft protection hurts a lot more.

------
WA
Nobody in here mentioned it: phone numbers were leaked, too. Which I consider
even worse.

I wanted to sign up for Flickr, but the Yahoo login requirement was a big
turnoff, because it requires a phone number. This nagged me so much that I
never did it.

Turns out: right decision. Because my 8 year old phone number isn't target of
spam yet.

~~~
newscracker
Phone number being a requirement for signup is bad. There are providers who
mandate a valid phone, which they verify through SMS or call, even for paid
accounts and services (not just for the payment processing step). Whenever
possible, I avoid signing up for such services.

------
taurath
Its scary to think about the consequences if the only reason Yahoo knew they
got hacked was that they are more, and not less competent at security. Do you
think the security team {insert retailer, other nontech company with a login
screen here} is somehow MORE competent?

------
wapz
I logged into my yahoo email in chrome in an incognito tab and it logged into
someone else's account. This was probably in 2014 (it could have been in
2013). I wonder if this was related at all.

~~~
danielweber
What's likely is that two people were logging in at once and they ended up
with the same credential because someone didn't realize that a servlet is a
singleton.

~~~
wapz
Thanks. I posted to reddit asking what happened but no one ever answered. I
thought it had to do with someone leeching my wifi or something causing some
"saved data" from IP or something crazy like that. The other user was also
living in Japan (I sent him an email on his own account telling him what
happened but didn't stick around to see what happened). No, I didn't read his
emails but when I looked at "new" expecting mine I saw a few emails about
something in Fukuoka Japan (probably where he is or close to where he is).

------
_navaneethan
"We analyzed this data with the assistance of outside forensic experts and
found that it appears to be Yahoo user data"

How the forensic experts could have analysed? based on the log data? my
another question is, just assume if yahoo is trying to dump the experts, can
it be possible? or else, still the experts be experts to make sense out of it?

~~~
aboru
Is this english?

------
camus2
Notice that this is yet ANOTHER hack, not the one HN was talking about a few
month ago. also notice they were still using MD5 passwords AND without salts
... None of these hacks have been disclosed directly to their users, I never
got an email saying I may have been hacked and I should reset my password,
irresponsible.

~~~
LeoPanthera
This "new" one happened before the previously disclosed hack.

------
dfar1
What a hot mess. I am glad I mostly ignored their services over the years.

------
harigov
I hope they stopped depending upon those security questions if that is part of
the leak. On a side note, this seems like a great time to be an abuser. One
can collect so much information about users - they may actually have more data
than any govt in the world.

~~~
NoPiece
I hope everyone stops relying on security questions!

~~~
jonathantm
_What is your mother 's maiden name?_

T3m92uGKhWMRV7Um0WVF50LKQNowpoe0FWwWryL2r9jkuAHyLTCY8QoY79iMiSjo6CHCZGWl

~~~
Klathmon
Which only works until you call in asking for a password reset and when they
ask you the question you just say "I just hit the keyboard a bunch".

~~~
mikestew
No, I pull up the answer out of 1Password and read it off to them.

~~~
Klathmon
Sorry, I meant to imply that the support person will hear the explanation and
let you reset the password without the actual answer.

~~~
mikestew
Fair enough, as I believe I've had that happen. Random string for one of my
financial institutions, needed to reset something. Pull up 1PWD, with random
string at the ready and...they asked me questions that could have been pulled
from a copy of my credit report. I didn't ask, so I'm not entirely sure, but I
wonder if they didn't look at the answer, said to themselves "fuck that" and
went with Option #2.

------
mkhpalm
Guys... let's just delete our Yahoo accounts. That company can't go bankrupt
fast enough. It will sell our data for quarters.

~~~
camus2
Is it possible to extract all emails+contacts from yahoo without paying ?
furthermore my paypal account is linked to yahoo.

~~~
jacobolus
Yes, you need to scrape their webpages. 10 years ago when I pulled everything
from my Yahoo acct, there were several choices of open source scripts which
could do it.

~~~
newscracker
No, it's no longer necessary to resort to scraping the webmail pages. You can
easily setup a client like Mozilla Thunderbird for IMAP with Yahoo and get all
your mails and folders on to it for free. I have done this recently and it has
been working. Only the ad-free webmail from Yahoo is a paid option.

------
ben174
This is a time where a decent password manager comes in handy. I can look in
my password history to see what my password was in August 2013, and see if
that password is still in use anywhere else, then change the password on those
sites.

~~~
serf
honest question: if you're going to the extent of already using a password
manager, why isn't every site getting a unique password?

~~~
fencepost
In my case, it's because I still have some very old accounts in there.
Accounts that predate not only this password manager (LastPass) but the
previous one (KeePass) and which in fact go all the way back to something that
started with "Yet Another (YA)" back on a Palm device.

I really ought to go through and do some janitorial work in there, but some of
those are for sites that actually still exist and for which those logins are
likely still valid. I don't care enough about them to go log in on each and
change passwords, but I also don't want to simply delete them and leave yet
another orphaned account.

~~~
kingosticks
Lastpass can report which sites are sharing the same passwords (and also which
are not using a random password generated by it). For some sites it even
automates the password changing for you. It doesn't work for all sites
(including this one) but it saved me a load of time just recently.

------
SixSigma
Let's not forget that high ranking officials in the US govt. used Yahoo to
send classified information to print at home.

------
dingbat
security is important, but lets not forget the strides theyve made in making
meaningful connections with their audience via collaborative relationships
with powerful leaders such as Katie Couric

------
tomc1985
For the longest time my yahoo account (which I had not checked on in many
years) reported at least a dozen open sessions originating from IPs in Russia
and Eastern Europe, and unlike my legit sessions I was unable to kill them in
the control panel (the site would bug out)

So yeah, Yahoo's been hacked. Duh...

Finance and Flickr are about all Yahoo is good for any more, and I think my
portfolio page loads (instead of 404'ing) maybe 1/2 the time I request it...

(God I really hope they dont mess with flickr though...)

~~~
brennen
I'm really not sure how they could do flickr more damage than they already
have.

------
jondubois
I'm using Yahoo mail and when I logged in, they gave me a link to their
security notice. About 'Hashed passwords', it says:

"At the time of the August 2013 incident, we used MD5 to hash passwords. We
began upgrading our password protection to bcrypt in the summer of 2013.
Bcrypt is a password hashing mechanism that incorporates security features,
including salting and multiple rounds of computation, to provide advanced
protection against password cracking."

WOW. So basically they did not even salt their passwords until 3 years ago! I
knew about the importance of salting password hashes since I was like 17 years
old and this mega billion-dollar corporation did not.

Also, they claim:

"Hashing is a one-way mathematical function that converts an original string
of data into a seemingly random string of characters. As such, passwords that
have been hashed can’t be reversed into the original plain text password."

Which in the case of MD5 is a deceptive claim; even a basic dictionary attack
could probably reverse at least 50% of all their accounts' MD5-hashed password
(assuming most people use one-word passwords with maybe a few digits at the
end).

~~~
d33
It's one thing to know it and the other to deploy it. You don't know how
messed up their system might be - it might actually be a very difficult change
if it's tied to other components with some crazy kludges. Looks like they
didn't prioritize them well enough. And if you're looking for an example of a
company that's way too afraid of changing anything in their system because
it's too much of a mess, consider PayPal an example...

------
djhworld
Yahoo is so frustrating

I got the email this morning regarding the hack, I've not used Yahoo for a
long, long, long time, so figured I would go and delete my account.

So I log in, password in 1password is incorrect, no big deal I go to reset it.
They send me an email, I reset the password then go through the account
deletion process. It tells me my account is "deactivated" and will be deleted
in 90 days

...Once that was done I just so happened to look through my emails to see what
Yahoo had sent me in the past and I saw that I had undergone the exact same
procedure (deleting my Yahoo account, presumably after news about another
hack) about 3 months ago but completely forgotten about it.

So what I must have done today was relogged into my 'deactivated' account that
I 'deactivated' back in September, which caused it to become active again,
then issued a 'deactivate' request again, so now I have to wait ANOTHER 90
days for it to be deleted.

I've made a note of this fact this time to avoid relogging into Yahoo again...

~~~
keehun
If your account name is related to identifiable to you in any way and could
potentially be used to spoof your identity, you shouldn't delete it because
Yahoo will let a new user take your account's address.

------
draw_down
I thought "didn't they already announce this recently?" Nope, that was a
different one. Boy oh boy.

~~~
freddyc
My thoughts too. I was "yawn .... holy hell another billion accounts". It will
be interesting to see where Verizon lands on this.

------
icpmacdo
When are the mutlibillion dollar lawsuits that cause these idiots to get it
together with security

~~~
elaineo
Unfortunately, lawsuits are rare unless a user can demonstrate that the hack
led to measurable harm.

------
hvo
MD5 in 2016?.I hope yahoo can save itself and tech community all this
embarrassment by just going out of business one and for all.Folks at the helm
of affairs at yahoo are incompetent. And it is about time government started
to persecute incompetent CEO.

~~~
bobbles
It occurred in 2013

~~~
pluma
Unsalted MD5 has been demonstrated to be vulnerable to collisions since 2005.
Rainbow tables existed way before 2013. There's no excuse for a tech company
of this size.

~~~
raverbashing
UNsalted _anything_ has been phased out earlier in a lot of other places

------
fname
Maybe that can get Verizon another $1B discount.

~~~
mtgx
I'm hoping Verizon kills the deal. It would send a powerful message
(unintentional on Verizon's part, but irrelevant) that a major data breach +
installing NSA's rootkit on your servers could one day cost you _billions of
dollars_ , as well as give you a forever tainted reputation.

[https://motherboard.vice.com/read/yahoo-government-email-
sca...](https://motherboard.vice.com/read/yahoo-government-email-scanner-was-
actually-a-secret-hacking-tool)

------
dom0
By now it's probably easier if Yahoo just published the (short) list of
services that weren't owned through-and-through right under their noses, and
notify users unaffected by any breach (0 rows returned).

------
barking
I'd forgotten my yahoo password but wanted to change it. They sent a code to
my phone and I was able to do that.

Then I tried to set up 2 factor authentication but I am unable to do it. It
keeps rejecting the same phone number as being either invalid or not
recognised as a contact, no matter which format I choose to enter it. I've
dropped the interational prefix, added it, added and dropped the plus sign,
added and dropped the 0 after the international prefix etc etc.

I'd dump yahoo altogether except it's the email for my paypal for over a
decade and i can't change that.

~~~
Tepix
I've changed my paypal email twice in the past already when I started getting
too much spam.

Regarding 2FA at Yahoo!, I've also had issues... SMS stopped arriving
altogether and I had to disable it.

~~~
barking
Paypal says I can't change it because it's my primary email address. I prefer
using authenticator anyway rather than sms 2fa and yahoo don't offer that it
seems

~~~
slig
Maybe you have to add a new email to your paypal account, then change it to be
the primary and then delete the old one.

~~~
barking
You're right! Thanks very much.

------
blauditore
In the context of (unsalted) MD5 passwords: If they have a large legacy base
of MD5 hashed ones, how would one "move" those to a stronger hash function?

I can imagine something like re-hashing the existing one with a better
algorithm and some salt, and storing new ones solely using the new algorithm +
salt. But that introduces some additional complexity because every hash needs
information about how it was hashed (MD5 + X vs. just X).

Is there an established best practice for this?

~~~
syncsynchalt
Yes, there is.

The one I prefer, which you've mostly laid out, is: new passwords are entered
as bcrypt(pw) and then stored as "B-$result", old passwords are re-hashed as
bcrypt(hash) = bcrypt(md5(pw)) and stored as "M-$result", then your auth
function works as follows:

    
    
        def auth(user, pw):
          hash = get_hash(user)
          if hash starts with "B-":
            return hash == bcrypt(pw)
          else if hash starts with "M-":
            return hash == bcrypt(md5(pw))
          else:
            # remove this once you've rehashed your entire database
            return hash == md5(pw)
    

The naïve solution is to skip the "B-"/"M-"/"" annotation but if you do that
you've introduced a situation where attackers can login to old passwords using
md5 leaked from another source.

~~~
HappyTypist
The other solution (that Yahoo used) is use bcrypt(md5(password)) which allows
them to rehash all existing passwords without logging in.

~~~
blauditore
I think that's what he described, plus adding a prefix in order to indicate
it's been re-hashed.

~~~
syncsynchalt
That's exactly right, thank you!

------
wdr1
If you collect user PII & get hacked, you should be obligated to pay for the
damages. Specifically, covering the user for identify theft monitoring for
10-15 years.

------
jlgaddis
I just attempted to log in to an old @yahoo.com account that I haven't used in
probably five years or more.

On the login screen, there was a short notice about this breach (with a link
to more details), and after logging in I was prompted to create a new
password, and update recovery emails / phone numbers.

That doesn't negate any of this shit that happened, obviously, but maybe
they're at least gonna try to make things better (we can hope, anyways).

------
witty_username
Anybody getting "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"?

Chrome says "The server presented a certificate that was not publicly
disclosed using the Certificate Transparency policy. This is a requirement for
some certificates, to ensure that they are trustworthy and protect against
attackers."

Probably my Chrome version is too old I guess? (probably not, it's 53 which is
only a little behind the latest).

~~~
lorenzhs
Your Chrome version is indeed to old. There's an issue with Symantec
certificates and Certificate Transparency in Chrome 53. Just update it.

------
AndrewMock
Being a Fortune 500 CISO must be so easy. Corporate expectations are evidently
low enough that you probably don't have to show up for work.

------
nkkollaw
It's amazing that they're telling users to change their password/security
questions 3 years after the hack.

------
hbosch
So, the scuttlebutt last time was that they disclosed the hack due to a
potential Verizon buyout forcing their hand. Seems as though this could be the
same thing, generally speaking.

Can anyone enlighten me as to how Verizon compels Yahoo to disclose this
information? Or rather, how does Verizon know about these intrusions, if they
do?

~~~
mobilefriendly
Some states like CA have a legal requirement to notify in the event of a
breach, so hiding this event is illegal.

~~~
manarth
The article is from Yahoo, it's a notification from Yahoo, announced by their
head of security. They're not hiding the event.

~~~
empath75
Seems like they hid it for a few years.

------
rakibtg
While i was new to programming and i read some articles about why not to store
password in clean text, a google was enough to taught me about blowfish
algorithm and the concepts of higher costs hashing benefits! Well my life
first program was more secure then Yahoo i guess, storing password in MD5 too
bad Yahoo...

~~~
blauditore
Your life first program was about hashing passwords? Mine was about printing
"hello world".

------
cpplinuxdude
What's I dislike the most about this situation is that I cannot even shut down
my yahoo email account, as it could be re-created by someone else, i.e
hijacked.

It's also terrible that such bad password policies are being pushed onto
users, yet no guarantee of security is associated with them.

------
anton_tarasenko
Yahoo's press release with details:

[http://www.businesswire.com/news/home/20161214006239/en/Impo...](http://www.businesswire.com/news/home/20161214006239/en/Important-
Security-Information-Yahoo-Users)

~~~
rbcgerard
LOL this is rich:

"...identified data security issues concerning certain Yahoo user accounts."

Certain...more like all up to that point?

~~~
Endy
Not by several orders of magnitude.

~~~
mypalmike
Are you saying yahoo has... trillions of users?

~~~
Endy
Trillions of accounts, based on reputable sources. Users and accounts are
different.

~~~
tlb
[citation needed]

------
automatwon
1 billion accounts. I'm curious: Has there been a bigger data breach, in terms
of user volume?

------
nsxwolf
What good is requiring you to change your password on the next login? How do
they know it's not just being re-compromised? There are a lot of accounts that
are orphaned, but the contents are exposed and still a threat to the original
owners.

Why not just lock the accounts?

------
prirun
Alternate (and to me, more believable) explanation: this is a great way to get
all of Yahoo's inactive users to sign in, bump the "active in the last year"
user count, and goose the company's valuation.

------
hacker_9
_sigh_ this is really shitty news. In a time when governments are deciding
more invasive surveillance is in everyone's best interest too, it's probably
never been more profitable to be a hacker.

------
fluxcap
This just proves that Silicon Valley is full of geniuses. I mean, look at how
cleverly Yahoo kept it a secret for so long! Well, at least the Valley's
rapacious landlords got paid.

------
iamrobinhood123
Everything will come to light. All our info is being stored somewhere. One
day, people who know you will be able to easily search a database of all your
information for specific things.

------
jupp0r
What happened that made them disclose this > 3 years later?

------
MarkMc
So when did Yahoo stop using MD5 as the password hash? 2014?

~~~
manarth
Have they stopped? ;-)

------
EGreg
I didn't know Yahoo had 1B accounts. Most must not be active, otherwise how
could they be so small financially compared to Facebook and Google?

------
somewords
FYI - the tumblr link for the notice redirected me to a "You have viruses
installed on your computer" site. Hacker News just got phished.

------
kumarski
Sales and marketing automation companies just got a huge boost in their
capability to do SMTP validation.

Time to go check HANSA on the onion.

------
drelihan
How does yahoo have a billion accounts???

------
carbocation
I cannot tell from this disclosure -- have they updated their algorithm beyond
MD5 at this point?

~~~
astrodust
Maybe they're using double MD5 with a salt of "$uper$ecure".

------
intralizee
I don't know why anyone would still be using Yahoo as their email provider at
this point.

~~~
makr17
I don't use the account, but I was required to create one in order to get
internet connectivity at home via AT&T...

------
voltagex_
What alternatives to Flickr do I have? I think I pay $25/US/year at the
moment.

------
disposablezero
Yahoo - AOL email for grandparents, owned by Verizon, destined to be
maintained by Taos.

------
reiichiroh
This is the same Yahoo that wants us to switch to a LESS secure password-less
Yahoo Key?

------
cdevs
Security question : mothers maiden name?answer: 1q&#*v83%?ghd53

Date of birth : 01/01/2011

~~~
normaljoe
Using a random answer doesn't help against an attack it the security questions
are stored in plain text. I'm not saying storing security questions as a hash
is any better practice since these questions just need to go away. I am saying
that most likely they aren't stored as hashes so a phone operator can query
you hence random is only as good as something like BarkBarkRuffRuff for a
maiden name.

~~~
qntty
I think the point is not to reuse these common security question answers
between sites

------
adam12
First thing I did was control-F "sorry", "apolo", "inconv".

nothing

------
edem
Is this __another__ 1 B users or the previous one which was already posted?

------
dimino
I thought we knew about this already, is there more info than before?

~~~
dingdongding
This is a separate breach

------
JustSomeNobody
What value does Yahoo have for Verizon now, the brand is so tainted?

~~~
nly
I'm not sure Average Joe really associates these hacks with incompetence or
negligence. Those nasty hackers are making victims of poor Yahoo.

~~~
elaineo
That's why Yahoo made the point of blaming a "state-sponsored actor". You
would expect a giant tech company to be able to defend itself against random
hackers, but what if it was the government of Russia?? That's why Sony
Pictures blamed North Korea for what was, in the opinions of security experts,
the work of an insider.

------
cmurf
OK so I'd like to invite the pure free market types to explain how this gets
fixed without any government, including no lawsuits. Because I keep hearing
from free market types that 100% of phishing victims are ignorant and
basically deserve what happens to them, if they can't learn that they're being
duped they deserve to be duped, they somehow think wholesale loss of trust
ends up being focused only on specific companies rather than entire
technologies. And so on.

So how are these externalities dealt with where there is no such thing as
insurance for this type of breach? There's no way to put the toothpaste (my
private information in the form of answers to personal "security questions")
back into the tube (only my brain or nearby sphere of influence).

And this goes along with IoT devices that aren't having their known exploits
patched by their manufacturers. Similar problem different details.

So without broad laws that say this is wrong and here is a mechanism to attach
a tangible cost to this information so a proper risk assessment is done, I
imagine we keep seeing this happen with essentially no punishment beyond what
Yahoo already is getting punished for.

~~~
Canada
> including no lawsuits

Are there are "free market types" who actually believe there shouldn't be any
form of sanctions whatsoever for causing harm? I've talked to quite a few
hardcore libertarians, and I've yet to encounter anyone who takes it that far.

~~~
dmix
Even anarcho-capitalists, the most hardcore libertarians, believe heavily in
the court system.

So I'm not sure what the OP means "without lawsuits". Because lawsuits would
most likely be their answer here. Also maybe competition from other email
vendors who take your security seriously and doesn't leak 1 billion emails? Or
pressure from investors not to create that type of liability?

Pretty obviously a strawman, it's far easier to win such an argument with
silly caricatures of libertarians as an opponent... someone who believes that
all companies should be able to do whatever they want, without any
consequence!

Only the most extreme niche of the already niche group of anarcho-capitalists
believe in private courts or private law enforcement. Which does not at all
reflect mainstream libertarian thought. Who instead wish for a "minimal"
state, which at a very minimum means centralized courts.

I've heard economists argue that economies and societies do not exist without
some form of a legal system (chiefs, kings, courts, etc). It's the very core
of human co-existence to be able to resolve disputes in a fair and just way.

~~~
cmurf
Seems that anarchy is contrary to government, and out of necessity a
government is needed to have a court. Those pure free market types I'm
referring to self describe exactly as anarcho capitalists and say all disputes
are resolved by insurance, exactly zero government. If there's a court, maybe
that's a venue the insurance companies all agree upon. But if you don't have
insurance or don't have good enough insurance you don't get as much
representation or as much of a payout and that's your choice, sometimes life
is unfair and you get screwed over.

And as it's describe to me I almost immediately start thinking of Gangs of New
York and axes. It's such a total departure from anything remotely civil I can
only imagine this leading to a bunch of heads being chopped off. But hey,
there's insurance for that too I guess.

~~~
dmix
Quoting Mises who is the Marx of anarcho-capitalism:

> To be opposed to the state is then not necessarily to be opposed to services
> that have often been linked with it; to be opposed to the state does not
> necessarily imply that we must be opposed to police protection, courts,
> arbitration, the minting of money, postal service, or roads and highways.
> Some anarchists have indeed been opposed to police and to all physical
> coercion in defense of person and property, but this is not inherent in and
> is fundamentally irrelevant to the anarchist position, which is precisely
> marked by opposition to all physical coercion invasive of, or aggressing
> against, person and property.

and

> An important point to remember is that any society, be it statist or
> anarchist, has to have some way of resolving disputes that will gain a
> majority consensus in society. There would be no need for courts or
> arbitrators if everyone were omniscient and knew instantaneously which
> persons were guilty of any given crime or violation of contract. Since none
> of us is omniscient, there has to be some method of deciding who is the
> criminal or lawbreaker which will gain legitimacy; in short, whose decision
> will be accepted by the great majority of the public.

[https://mises.org/library/society-without-
state](https://mises.org/library/society-without-state)

(Note: not defending this stuff, just pointing it out for sake of discussion).

Elsewhere someone pointed out the book "Anarchy, State, and Utopia" which has
a better overview of what libertarians believe in. Which is a "night-watchman"
state, a minimalist government which includes courts, police, and border
control.

[https://www.amazon.com/Anarchy-State-Utopia-Robert-
Nozick/dp...](https://www.amazon.com/Anarchy-State-Utopia-Robert-
Nozick/dp/0465051006/)

------
platinumrad
Plain md5 again. Nice.

------
forf
Oh no! All of those free offers could be stolen from me!

------
overgard
"passwords hashed with MD5" Jesus seriously?

------
zmmmmm
Sorry, there's no shielding Marrisa Mayer from this. Yes, she had only been
there a year or so. But that's long enough she should have been on top of
security. Yes, she's just killing time until she leaves now anyway. But, the
symbolic statement is still important - she should resign.

~~~
rckclmbr
> Yes, she had only been there a year or so

Uh, it's been 4 years... I know, time flies.

~~~
kej
GP means that she had only been there a year or so when the leak happend.

------
netrap
I guess this is the final nail in the coffin...

------
swehner
Easier to list who was _not_ affected??!!

------
GoodieBear
This Yahoo company seems pretty cavalier.

------
serashioda
Thank goodness I use gmail?

------
myf01d
> MD5 hash

JUST

------
DougN7
This occurred in 2013.

------
adultSwim
When did they know?

------
szul
MD5 hash? Jesus...

------
CodinM
RIP

------
LargeCompanies
They can have 17 years of junk mail as that's all I ever used yahoo for

------
sciurus
This is being discussed at
[https://news.ycombinator.com/item?id=13180101](https://news.ycombinator.com/item?id=13180101)

------
jwatte
nelson_ha_ha.gif

------
jasonmp85
Anyone up for trying to get a corporate death penalty law on the books?

~~~
djsumdog
We should at least be able to execute them in Texas.

