
Yahoo Triples Estimate of Breached Accounts to 3B - coloneltcb
https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804
======
RcouF1uZ4gsC
I think the issue right now is that private user information is viewed as an
asset, not a liability. If we could find a way to make it more of a liability,
companies would be less likely to collect it just for the sake of having it,
and they would be more proactive in securing it.

~~~
avivo
Alternatively, if it's truly an asset, can it be taxed as an asset? If I give
a company a car, that is taxed. If I give a company my data which is worth
more than a car, it isn't.

Is it possible that current accounting/tax law can be interpreted so that
these are viewed similarly?

~~~
fny
Using the black market as a standard, your identity-related information isn't
worth enough to be taxable.[0][1][2]

The more common data you give away is worth even less. Your "gift" is akin to
giving away a few grains of sand to a glassmaker who provides a free grain
counting service.

Now let's say you dumped a lot sand that we could value at $10K. Any smart
sand-counting glassmaker will claim his once "free" sand counting costs $10K,
which amounts to an equal, zero-profit trade.

[0]: http://www.bankrate.com/finance/credit/what-your-identity-is-worth-on-black-market.aspx

[1]: https://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market/

[2]: http://www.businessinsider.com/heres-how-much-your-personal-data-costs-on-the-dark-web-2015-5

~~~
soared
Value is derived from user data when it's used to target ads. Black market data
is never used for that purpose, so its value is much lower. (A company would
never take the risk of using black market data.)

~~~
fny
You (and every other responder) miss the larger point of my comment. Let's use
Google as an example. Your clicks throughout the internet, like sand, don't
amount to much of value. It's a very unrefined, raw material, with limited
quantity. Even if Google were forced to value that raw material, they can
argue they're trading it in equal exchange for whatever service they offer
you, so there would still be no tax.

In any situation, _potentially derived value is not taxable_. A car is worth
whatever a car was bought/sold for, not including some hypothetical such as
whatever I could make by driving it for Uber/Lyft. What matters here is what
will actually occur in the transaction. If Equifax chooses to sell its data,
that income will be taxed at whatever price Equifax chooses to sell the data.

Note this doesn't change that your "gift" of peanuts of data is not taxable
because (a) your data alone isn't worth squat, (b) even if it was, you got
something in exchange for it.

~~~
notjoemama
I'll go one step further in saying the discussion framed around clicks being
interpreted as a product is incorrect altogether. I think user metadata is
part of a users identity and the friction we run up against is whether it
ought to be legally protected. It's currently not illegal to sit outside a
restaurant and record information about all of its patrons. You'd certainly
be in hot water if you tried to do that at any federal building. At some level
we know collecting that data is wrong because it can be used against us. Even
the judicial branch knows this and requires the storage of user data to be
encrypted by security agencies. That's not conclusive proof but evidence of
our general outlook on the legality of tracking people.

If we agree in a truly free society then collecting and monetizing metadata
should be illegal. If we don't mind giving up that freedom then there's
nothing wrong with companies creating a profile on you and tracking you no
matter where you go and what you do. But the internet has spoken and we're
gladly, albeit unknowingly, giving up any right of protection. I find it
worrisome to think of what society will be like in another 50 years if nothing
is done to curtail the fleecing of user data.

~~~
rhizome
Aren't you describing the market research industry? Intent is the value,
predicting intent is the goal.

------
kiernanmcgowan
3 billion - we live in an age where half the population of the earth can exist
on a service, and everyone is vulnerable.

Yes, a good chunk of these are probably duplicates for business / spam / anon
accounts, but this is where the world is trending. How long is it until
facebook or google have a massive breach?

~~~
craftyguy
If that's the case, I think the bigger news then is that yahoo actually had 3B
users!

~~~
jsjohnst
Nobody ever said they are active users or unique individuals. I know for
example I personally created hundreds of accounts on Yahoo! over the years.

~~~
sillysaurus3
Why make hundreds of accounts?

~~~
BOBOTWINSTON
To troll hundreds of different niche internet groups of course.

------
hlmencken
> A massive data breach at Yahoo in 2013 was far more extensive than
> previously disclosed, affecting all of its 3 billion user accounts, new
> parent company Verizon Communications Inc. said on Tuesday.

Imagine the buyer's remorse.

~~~
JBReefer
Does anyone have insight on how this works? Do you just sue the pants off of
the execs, or the lawyers who did due diligence, or the SREs maybe? Do they
claw back the difference in goodwill + legal costs from the selling investors?

Is there recourse at all?

It'll probably be some poor schmuck SRE getting the blame, like always,
right?

~~~
paragraft
There'll be a small chunk of the purchase price left in escrow for a year for
any extra liabilities that weren't discovered in DD. They'll be claiming that.
But it won't be much.

------
garethsprice
Looks like both Equifax (2.5m additional accounts) and Yahoo chose today as a
good day to bury bad news (the papers being filled with Las Vegas, Puerto
Rico, etc). Slimy moves from their PR teams.

~~~
bluetwo
As well as the grilling of Wells Fargo and Equifax executives in Congress.

------
propman
We need jail time... they knew security was compromised and hid it even from
their own CTO; they knew accounts were hacked and they hid it for years.

------
jmount
There never is a break-in where they get 1/3 or 1/2 of the accounts. It has to
be nearly all or some much smaller fraction. (My own presumption based on the
idea nothing large does mere 2 to 3 way replication or partition)

~~~
kingnothing
It depends. It's possible a company could catch a breach while the data is
being dumped to s3/russia/wherever and cut it off before everything is
extracted.

Another possibility is that only one particular system is breached, which
wouldn't actually affect all users of a given company. If Facebook were
hacked, it's possible that only the ad-buy system is compromised and not their
entire user store, for example, thus exposing only people who have purchased
ads and not all users.

~~~
mschuster91
> Another possibility is that only one particular system is breached, which
> wouldn't actually affect all users of a given company

And a third possibility, especially given today's trend to distributed
systems, is that the attacker gains access to one shard (or its dump) only.

~~~
jmount
I am assuming shards are much smaller than 1/3rd of all the data.

~~~
vertex-four
If you store EU user data in the EU and other user data somewhere with less
restrictive privacy laws, an attacker could get hold of one or the other
reasonably.

On the other hand, yeah, it's much more likely the entire account database was
dumped.

------
kylehotchkiss
When I was on Facebook today, I saw an ad with a photo of a minivan, and some
copy about finding a new vehicle. The ad was posted by Yahoo. When I clicked
it, it took me to the search result for minivans. This company feels like an
AI experiment.

------
dcgudeman
_A spokesman for Oath, the new name of Verizon’s Yahoo unit, said the company
determined last week that the break-in was much worse than thought, after it
received new information from outside the company._

Can they claw back money from Yahoo shareholders because of this?

~~~
empath75
Possibly from the remnants of yahoo called altababa

------
bogomipz
On a related note Equifax stated yesterday that they identified an additional
2.5 million accounts that were breached:

https://www.nytimes.com/2017/10/02/business/equifax-breach.html

Is proper audit capability just not seen as important at these companies?

~~~
runesoerensen
To be fair Equifax's adjustment was relatively minor, and they did disclose
that they were still investigating the matter.

~~~
bogomipz
2.5 million people is minor?

~~~
runesoerensen
_> 2.5 million people is minor?_

It's _relatively_ minor. Equifax's preliminary estimate was off by less than
2%, Yahoo's ~300%.

------
chirau
The biggest surprise here is that Yahoo has 3 billion accounts.

They are probably counting my 25+ Craigslist accounts I guess. And just maybe
all the 'princes' I've been over the years. Lol

------
danvoell
Just an ancillary comment but Yahoo has a whole bunch of password
requirements. So much so that my passwords don't cut it and I can never
remember my password. And/or I need to validate every new device. Is this all
just for show? It's insult to injury that they force all these things and then
they get broken into.

~~~
snakeboy
Hopefully your experience is characteristic of most yahoo users, and this
breach is less effective because people are using a unique password for their
breached account.

------
throwaway613834
Somewhat off-topic, but does anyone know what top-level domains are in
practice "safe" to use for email addresses if we're going to migrate to our
own domain?

I mean "safe" in the sense of being unlikely to cause confusion or problems
with less-than-well-written software (or humans).

Obviously .com is okay, and I haven't heard of problems with
.edu/.gov/.org/.net, but I'm a little afraid of getting a domain for email
addresses that isn't a well-established 3-letter TLD, on the off chance that
someone has hard-coded a requirement like this in their code. I'm not sure if
I'm just being paranoid about this though. Any suggestions on what's
considered safe?

~~~
oneweekwonder
> I'm not sure if I'm just being paranoid about this though. Any suggestions
> on what's considered safe?

Maybe a bit, but I don't think it is based in paranoia; you have technical
reasons. I just recently had to strip the TLD from URIs, and boy was that harder
than expected!

That being said, domains like co.uk and co.jp have been around for a long time.
I will stay away from "fancy .named" domains, but country-level names should
work fine.

Would love to hear other opinions as well.

~~~
throwaway613834
Good point about ones like .co.uk! Hadn't thought about that.

------
fitzroy
On the bright side, the estimate is unlikely to triple again.

~~~
devy
Yeah, I doubt Yahoo! has 9 billion user accounts.

~~~
kakaorka
I never expected it to have 3 billion in the first place :)

~~~
shallot_router
I'm not too surprised at the 3 billion. I'm just wondering how many of those
correspond to real people.

------
nashashmi
There is an unpatched server at some IP address long forgotten and no longer
used by Yahoo but still nevertheless works. The page still shows the Yahoo
portal with news on the front page from when Yasser Arafat was alive. I
believe the page has not been updated since 2003.

The IP address is in the 200 range. I used to remember the IP address for many
years due to photographic memory even though I had only seen it briefly once.
But I just cannot dig up that memory anymore.

------
Taylor_OD
Does anyone have a good solution to deleting a Yahoo account? I've got one
that is 99.9% spam mail now but I've never deleted it because, if I remember
correctly someone else could open up that email in my name and continue to get
my emails. They also don't support automatic email forwarding if I remember
correctly. It remains as the dark spot of my email accounts.

------
graycat
So, let's see: We have a server farm and it is working along. We want to know
right along, in real time, if it is sick or healthy. So, we do some
monitoring.

There are two kinds:

(1) The first kind looks for problems never seen before. Here we get to use
data of two kinds, (i) when the system was healthy and (ii) when the system
was sick and we detected the problem, understood it, found out why, and tried
to prevent that problem in the future.

(2) The second kind looks for problems never seen before, that is, _zero-day_
problems. Here we have no data on the problems but likely do have a lot of
data on when the system was healthy or at least seemed to be, not just on the
day of the data collection but also later.

In both cases we have two ways to be wrong:

(A) Say that the system is sick when it is healthy -- a false alarm.

(B) Say that the system is healthy when it is sick -- a missed detection.

So, from (A) and (B), we get two rates and want both to be low.

We can get data on many variables at high data rates.

Now, what do we do?

Okay, it's a problem in, say, data analysis, data science, statistics, AI/ML,
right?

Hmm .... What do we do?

Uh, be warned: If the false alarm rate is too high, then the monitoring will
be ignored.
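
A minimal worked version of the two error rates in the comment above, as an added example (not the commenter's code): a threshold detector learned from healthy-only data, the (2) case where no "sick" samples exist at training time, evaluated on a constructed labelled set to give the (A) false-alarm rate and the (B) missed-detection rate. The metric (errors per minute), the baseline and the evaluation set are all constructed for the example; the mean + k*stdev rule is one simple choice, not anything the comment prescribes.

```python
"""Threshold monitor illustrating the (A) false alarm and (B) missed detection rates.

All data here is constructed: per-minute error counts from a "healthy" baseline
and a labelled evaluation set (0 = healthy, 1 = sick). Not data from any real farm.
"""
import statistics

# Constructed baseline: the metric while the system was known (or seemed) healthy.
HEALTHY_BASELINE = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4, 5, 3, 4, 2, 3, 5, 4, 3, 4, 3]

# Constructed evaluation set: (observed value, true state), 1 = sick.
EVALUATION = [
    (3, 0), (4, 0), (6, 0), (2, 0), (5, 0), (9, 0), (4, 0), (3, 0),
    (15, 1), (12, 1), (7, 1), (20, 1), (6, 1), (11, 1),
]


def learn_threshold(baseline, k):
    """Zero-day style rule: alarm when the metric exceeds mean + k*stdev of healthy data.

    Only healthy observations are needed, which is the situation in case (2) above.
    """
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def is_alarm(value, threshold):
    """Declare the system sick when the observation is strictly above the threshold."""
    return value > threshold


def error_rates(samples, threshold):
    """Return (false_alarm_rate, missed_detection_rate) for one threshold.

    (A) false alarm: healthy sample that triggers an alarm.
    (B) missed detection: sick sample that does not.
    """
    healthy = [v for v, sick in samples if not sick]
    sick = [v for v, s in samples if s]
    false_alarms = sum(1 for v in healthy if is_alarm(v, threshold))
    misses = sum(1 for v in sick if not is_alarm(v, threshold))
    return false_alarms / len(healthy), misses / len(sick)


def sweep(baseline, samples, ks=(1, 2, 3, 4)):
    """Map each k to its (A, B) pair; raising k trades false alarms for misses."""
    return {k: error_rates(samples, learn_threshold(baseline, k)) for k in ks}


if __name__ == "__main__":
    for k, (far, mdr) in sweep(HEALTHY_BASELINE, EVALUATION).items():
        # A high false alarm rate is the case the comment warns about: the alerts get ignored.
        print(f"k={k}: false alarm rate={far:.3f}  missed detection rate={mdr:.3f}")
```

Moving k up lowers (A) and raises (B); which point on that curve is acceptable depends on how many alerts the on-call rotation can absorb before it starts ignoring them.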

------
methodover
This still is a huge concern for us web app developers. Most people re-use
their email addresses and passwords across multiple sites. One breach at one
internet company affects all the others.

IMO, password reuse is the #1 web application security problem in the world
right now, and there's very little in the way of accepted industry standards
to mitigate it.

------
kristopolous
The statistical analysis on the password database here would be fantastic!
You've likely got demographics, geolocation, age, when the password was made
(going back maybe 20 years!) and more. It'd be a great research tool if it
ever leaks.

------
tamrix
I swear if your company is about to go under, the executives are just selling
off the data, calling it a breach, making some bank and giving an excuse to go
close down which wouldn't be their fault.

------
misterbowfinger
all of my fake email accounts are compromised!!!

------
Top19
I tried to enable MFA on a Yahoo account I was helping someone with at work 24
hours ago.

Their MFA is still SMS-based, which I’m pretty sure is a bad thing. They don’t
allow an app like Duo (although they do reject VOIP numbers which I guess is
good).

~~~
normaljoe
Download the Yahoo Mail app and set it up. They call their MFA Account Key and
it uses the Mail app to push, similar to Duo. I think other apps include Account
but it was just being pushed out when I last worked with Yahoo. The SMS is
just a bootstrap and once you have the app you can pick your second
authenticator as login.

------
projectant
Why is it that when a disaster happens numbers are gradually revised upward?

~~~
takeda
In case of hurricanes and other natural disasters most people die later due to
lack of water, electricity etc.

In case of Equifax, Yahoo etc it is because they simply lied to not look as
bad, but then they need to provide accurate information.

IMO if someone broke into a database it should be considered that all data was
accessed and all data should be treated as compromised.

Unless the break-in was to a subsystem and just that subsystem; then all data in
it should be considered compromised.

~~~
projectant
I tend to agree.

Just come out at the start honestly and say, "All 3 billion accounts affected
at Yahoo", or whatever.

I feel angry when I see the numbers gradually going up, I think one reason is
because I see it like they're trying to dupe us, or "cook the frog slowly".

I understand they have to protect "shock" to their stock price, or reputation,
or prevent panic, but honesty is still valuable, right?

When you have a natural disaster, surely there are experts who have already
mapped out such situations and they can say, roughly 20,000 homes will be
destroyed in an event like this. Wouldn't it be good to start off at a big
estimate and then revise down?

I hate to think this is to some extent driven by the media's need to "drip
drip" out a story, instead of giving people the truth.

------
Dolores12
We should assume that all their data were leaked unless proven otherwise.

------
tryingagainbro
related to this: I got a "someone has your password" from Google and they
blocked access...diff country, different device.

My question: Now I assume that one way or another they got that from Google or
from one of the many hacked forums /websites (yeah, I used the same
id+password in many sites). Do they try to login manually or try 10000 at a
time via bots? I doubt they they went manual since they must have millions of
accounts. If my user name was cpowell or hclinton I suppose, but....

------
make3
wow yahoo is such a piece of trash now

------
trishmapow2
https://github.com/njuljsong/wsjUnblock
Make WSJ & NYTimes Great Again

~~~
runeb
And people wonder why companies have to resort to hoarding user data for
monetisation…

~~~
tripzilch
Stop crying. They can and will do it regardless.

The unethical data-hoarding predates the paywalls (and circumvention) by a
large margin.

------
ausjke
Since nowadays the leaks are measured in billions here and there with critical
info exposed, plus Facebook/Google etc. can track your moves and even your
thoughts/opinions and your daily life in general, I assume we have officially
entered a world of no privacy with no turning back. I think we need a new
technical design to cope with this indeed, something like a new style of
identity using biological info, dynamically generated tokens and such, and the
browser being in anonymous mode by default, etc.

------
Raynak
Only 38 doesn't seem so bad now.

------
jlebrech
3 Billion, 12 year olds that didn't know how password security worked, me
included.

------
blackflame7000
Yahoo probably has the record for cumulative total of spam in users inboxes.

------
hitekker
On the plus side, I only use my one email account with yahoo for spam.

~~~
megous
Perhaps I can go through my spam folder and disable all those
irina781@yahoo.com types of accounts.

------
asnyc
More than half of the people in the world still don't have internet access! I
believe the estimate of 3 B includes all yahoo accounts created until 2013 -
maybe an opportunity to indicate the clout it once had.

------
magd
And Yahoo Finance wants to trade stocks now. Really?

------
danm07
That's like half the world's population!

------
tqi
Interesting to see the comments here. One thread arguing that free services
should be incentivized against collecting/profiting off user data, followed by
a thread lamenting the WSJ content paywall...

------
ezioamf
All personal data should be public (in effect it is public after all leaks).
Personal data should not be used for user authentication.

------
jamesrom
What's a couple of billion between friends?

------
orangepenguin
I feel a little sad that pay-walled articles make it to the top of HN. I'm
sure the article is interesting, but a lot of us can't actually read it.

~~~
mattbeckman
Here's a bookmarklet I use sometimes:

    javascript:window.location.href='https://m.facebook.com/l.php?u='+encodeURIComponent(window.location.href);

~~~
derwiki
Real LPT in the comments!

~~~
Sohcahtoa82
This isn't reddit. Keep that meme-y crap out of here.

------
ktta
Bypass -
https://www.facebook.com/flx/warn/?u=https%3A%2F%2Fwww.wsj.com%2Farticles%2Fyahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804

~~~
basch
https://outline.com/http://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804

~~~
michel-slm
better than the Facebook trick! Thanks

~~~
snowpanda
There's also this for my Firefox friends:

https://addons.mozilla.org/en-US/firefox/addon/bypasspaywalls/

It does a whole range of sites.

------
hendersoon
To put this number in perspective, there are ~7.5 billion humans currently
living on the earth.

~~~
ProAm
Wait for the day that Facebook is hacked.

~~~
shallot_router
I'd be pretty surprised if an attacker could actually get away with a lot of
sensitive, actionable bulk user data from Facebook. DMs would probably be way
too big in total, unless they just looked for DMs of high-profile people.

As for passwords, they're probably not stored in a very crackable format
(probably some kind of super-bcrypt-esque algorithm with a pepper). Of course,
they could hijack the login procedure and harvest passwords in real-time until
they're detected. That would still be really bad depending on how long they
can evade detection - maybe millions of passwords - but at least it wouldn't
be retroactive. And the password dump could still be bad for people looking to
target individuals within the dump.

Maybe advertising data could be trimmed down enough to dump the whole thing?
Every ad that accounts have clicked?

~~~
slig
> Of course, they could hijack the login procedure and harvest passwords in
> real-time until they're detected.

Facebook makes it really hard for people to log off. Unless one is using a
shared computer, I doubt she types her password more than a couple times a
year.

------
foxfired
I know many mention facebook or google being hacked will be an even bigger
deal. But I wonder, with all the online spaces google/facebook has under
control (ads, analytics, cdns, dns, crawlers, your phone, etc.) if they
suspect a breach, they could literally disable any website or device that
tries to share that information.

If it happened in the past, well, who will know?

~~~
programbreeding
Nothing would stop someone from being able to share it via the darknet. Tor,
Freenet, Zeronet, etc. There's no way that news would be able to be stopped.

