Many readers are asking what they should be doing in response to Yahoo‘s disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format.
Q: Was my account hacked?
A: Experts I’ve spoken to believe Yahoo has about a billion active accounts. So, yes, it’s very likely your account’s password is compromised, and probably most of the other information you at one point entrusted to Yahoo. According to a statement from the company, the stolen user account information “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
Q: I’m not sure if I have a Yahoo account. How do I find out?
A: This is a surprisingly complex question. Thanks to the myriad mergers and business relationships that Yahoo has forged over the years, you may have a Yahoo account and not realize it. That’s because many accounts that are managed through Yahoo don’t actually end in “yahoo.com” (or yahoo. insert country code here).
For example, British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address.
Q: I created a Yahoo account a few years ago, but Yahoo says it doesn’t exist anymore. What’s going on here?
A: Yahoo has a policy of deactivating or deleting accounts that remain dormant for more than a year. If you haven’t touched your account in years, that’s probably why.
Q: Why would someone want to hack my email account? What could they do with it?
A: Spam, spam, and spam. Oh, and spam. They want to spam your contacts with malware and ads for dodgy products and services. Also, it gives the bad guys direct access to any account that you have signed up for using that email address. Why? Because if the crooks have access to your inbox, they can request a password reset link be sent to your inbox from any Web site you’ve signed up with at that email address.
For more detail on why these lowlifes might want control over your inbox and how they can monetize that access, see one of the most-read pieces on this blog — The Value of a Hacked Email Account. NB: Accounts that are hijacked for use in spam campaigns may also be suspended or deleted by Yahoo.
Q: What the heck is an MD5?
A: It’s an inferior password storage method that too many companies still use to protect user passwords. An MD5 “hash” is computed by taking your plain text password and running it against an algorithm that is supposed to make the output impossible to reverse. For example, the world’s worst password — “password” — always computes to the MD5 hash of “cc3a0280e4fc1415930899896574e118” (see this MD5 generator for more examples).
The problem is that computing power is super cheap nowadays, and MD5s are no match for brute-force attacks that simply compare the result of hashed dictionary words and other common passwords with user password databases stored in MD5 format (i.e., if the MD5 your email provider stores for you is “cc3a0280e4fc1415930899896574e118”, then congrats on using the world’s worst password).
Long story short, there are vast indexes of these pre-computed MD5 hashes — known as “rainbow tables” — freely available online that can be used to quickly crack a large percentage of any MD5 password list.
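To make the difference concrete, here is an added example (not code from the original post) that builds a small constructed password table two ways: unsalted MD5, where one precomputed table cracks every user with a dictionary lookup, and per-user salt plus key stretching, where every guess must be re-derived for every user. It uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt, which needs a third-party module; the users and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of users and the passwords they chose.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",
    "dave": "correct-horse-battery-staple-2016",
}

# Tiny stand-in for a cracking wordlist (real ones hold hundreds of millions).
WORDLIST = ["123456", "password", "qwerty", "letmein", "yahoo123"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def store_unsalted_md5(users):
    """How a 2013-era MD5 database looked: one digest per user, no salt.
    Two users with the same password get the identical digest."""
    return {u: md5_hex(p) for u, p in users.items()}


def crack_unsalted(db, wordlist):
    """Hash the wordlist once, then crack every user with a dict lookup.
    This table is exactly what a rainbow table precomputes for you."""
    table = {md5_hex(w): w for w in wordlist}
    return {u: table[h] for u, h in db.items() if h in table}


def store_salted_stretched(users, iterations=50_000):
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256 here;
    bcrypt, which Yahoo moved to, plays the same role). Returns
    user -> (salt, iterations, derived_key)."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        db[u] = (salt, iterations, dk)
    return db


def crack_salted(db, wordlist):
    """No shared table is possible: each guess is re-derived per user with
    that user's salt, paying the full iteration count every time. Weak
    passwords still fall; the attacker just cannot crack everyone at once.
    Returns (cracked, total_iterations_spent)."""
    cracked, work = {}, 0
    for u, (salt, iterations, dk) in db.items():
        for w in wordlist:
            work += iterations
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, dk):  # constant-time comparison
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    plain = store_unsalted_md5(USERS)
    print("unsalted MD5 cracked:", crack_unsalted(plain, WORDLIST))
    salted = store_salted_stretched(USERS)
    cracked, work = crack_salted(salted, WORDLIST)
    print("salted+stretched cracked:", cracked, "after", work, "iterations")
```

Note that salting does not rescue "password" or "123456"; it only removes the one-lookup-per-user shortcut and makes each guess cost the full work factor.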
Q: So if using hashing methods like MD5 is such a lame security idea, why is Yahoo still doing this?
A: Yahoo says this breach dates back to 2013. To its credit, Yahoo began moving away from using MD5s for new accounts in 2013 in favor of bcrypt, a far more secure password hashing mechanism. But yeah, even by 2013 anyone with half a clue about securing passwords had long known that storing passwords in MD5 format was no longer acceptable and an altogether braindead idea. It’s one of many reasons I’ve encouraged my friends and family to ditch Yahoo email for years.
Q: I’ve been using Yahoo for years. If this service can’t be trusted, what would you recommend?
A: I’ve used Google Mail (Gmail) for more than a decade, but your mileage may vary. I moved virtually all of my email activity to Gmail years ago mainly because they were among the first to offer more robust authentication and security measures, such as two-step authentication. And they continue to innovate in this space. If you’d like to migrate the messages from your Yahoo account to a Gmail account, see these instructions.
Q: Yahoo said in some cases encrypted or unencrypted security questions and answers were stolen. Why is this a big deal?
A: Because for years security questions have served as convenient backdoors used by criminals to defraud regular, nice people whose only real crime is that they tend to answer questions honestly. But with the proliferation of data that many people post online about themselves on social media sites — combined with the volume of public records that are indexed by various paid and free services — it’s never been easier for a stranger to answer your secret question, “What was the name of your elementary school?”
Don’t feel bad if you naively answered your secret questions honestly. Even criminals get their accounts hacked via easily-guessed secret questions, as evidenced by this story about the San Francisco transit extortionist who last month had his own account hacked via weak secret questions.
Q: So should I change my secret questions in my Yahoo account? Yahoo says it has “invalidated unencrypted security questions and answers so that they cannot be used to access an account,” but how do I know whether my security questions were encrypted or not?
A: Assuming you still can, yes, by all means change the answers to the security questions to something only you know. However, it’s not clear that this is still an option: I tried logging in using the secret questions on two older accounts I have and did not see that option available anymore, so it’s likely that Yahoo has disabled them altogether. Yahoo’s statement on this matter is confusing, and the company hasn’t responded yet to follow-up questions to clarify things.
More importantly, if you have used these questions and answers at other sites, please change those answers at the other sites now. Pro tip: If you must patronize sites that allow password and account recovery via secret questions, don’t answer the secret questions honestly. Pick answers that aren’t obvious and that can’t be found using social media or a search engine.
Q: Yahoo also said that the intruders were able to forge “cookies.” What’s that all about?
A: Yahoo said the attackers had worked out a way to forge cookies, small text files that Yahoo places on user computers when they log in. Authentication cookies describe the user’s session with Yahoo, and in particular they tell Yahoo’s servers that the user has already authenticated, so the site does not ask for the password again on every request.
The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them access to targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.
Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.
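The defensive side of the forged-cookie story is a cookie that carries a server-side MAC, an expiry, and a per-user session generation, so that a cookie cannot be minted or extended without the server’s key and can be invalidated in bulk. The following is an added example (not Yahoo’s code, and not from the original post); the key, user ids and timestamps are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed demo key. In production: random, kept out of the web tier, rotated.
SERVER_KEY = b"constructed-demo-key-rotate-me"


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, session_gen: int, ttl: int,
                 key: bytes = SERVER_KEY, now=None) -> str:
    """Cookie = base64(user|generation|expiry) + '.' + HMAC over that payload.
    'generation' is a per-user counter the server stores; bumping it
    invalidates every cookie issued before the bump, which is the kind of
    mass invalidation Yahoo described."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{session_gen}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def verify_cookie(cookie: str, current_gen: dict,
                  key: bytes = SERVER_KEY, now=None):
    """Return the user id if the cookie is authentic, unexpired and current,
    otherwise None. Every failure path is a plain reject: no partial trust."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        user_id, gen, exp = payload.decode().split("|")
        gen, exp = int(gen), int(exp)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    # Constant-time MAC check: without the key, a forger cannot produce this.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    if exp < now:
        return None                       # expired: no indefinite sessions
    if gen != current_gen.get(user_id, -1):
        return None                       # revoked by a generation bump
    return user_id


if __name__ == "__main__":
    gens = {"alice": 1}
    c = issue_cookie("alice", gens["alice"], ttl=3600)
    print("valid:", verify_cookie(c, gens))
    gens["alice"] += 1                    # invalidate all of alice's sessions
    print("after bump:", verify_cookie(c, gens))
```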
Q: That sounds pretty bad.
A: Yeah, that’s about as bad as it gets. It’s yet another reason I’m telling people to run away from Yahoo email.
Q: Okay, I don’t need my account anymore, and/or I’ve transferred what I need from that account and no longer want to have an account at Yahoo. Can I delete my account?
A: Yes, you can delete your account. Yahoo has detailed instructions here. But before you do this, consider whether you have created unique relationships with any other Web sites using this email account. If so, you may lose access to those third-party Web site accounts if you no longer have access to the email inbox you used to create that relationship. Take stock of any third-party Web site user accounts you may have tied to your Yahoo inbox, and if you wish to keep those accounts you’ll probably need to log in to them separately and change the contact email address.
Q: What else should I be concerned about as a result of this latest hack?
A: Make sure you have not used your Yahoo password at any other sites or online accounts that you value or that hold potentially sensitive information about you. If you have, change the password at those other sites to unique, complex passwords. And stop re-using passwords: It’s probably the leading cause of account compromises.
Also, be on the lookout for an uptick in possibly much more targeted email phishing and malware attacks. When attackers have a lot of details about you (like the ones Yahoo said were stolen in this hack) it makes it much easier for them to craft convincing email lures. Be especially wary of clicking on links or attachments in emails you were not expecting, and never respond to login or password reset requests sent via email that you did not initiate.
If your mobile phone number was associated with your Yahoo account, that number may receive SMS phishing or “smishing” attacks as a result. The standard warning about clicking links applies to unbidden text messages as well.
Enable any and all security measures available to you at your current or new email provider. The most important steps you can take are adding a backup email account that you can use to receive messages or password resets if you somehow lose access to your account (i.e., someone figures out your password and seizes control over your account), and taking advantage of two-step or two-factor authentication. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your account. For more on which providers offer this vital security feature, see twofactorauth.org. If you’re sticking with Yahoo despite all of the above, please make sure to take advantage of their two-step feature, called Yahoo Account Key.
Can this stupid company just disappear already?
Agreed! But they are doing us a great service as a “honeypot” of sorts, showing us what to look for in a better email provider, and what to think about when setting up new accounts.
Best.Comment.Ever.
This is great, thanks Brian.
If you don’t have a Yahoo email account but are a member of a Yahoo Group (they have a variety of private and public discussion groups) using non-Yahoo email addresses, do you think that those accounts are affected as well?
For a very long time, registering *any* Yahoo account automatically provisioned a mailbox. So even if you haven’t been using the mail portion of your account, it is likely still there lying dormant. It looks like the current registration process has an option where you can elect to use an external email address rather than creating a Yahoo one, but I don’t know how long that has been the case.
That being said, even if you have an account that does not have a Yahoo email address associated with it, you should still be able to activate one at any time. So if an attacker compromises such an account, they can do that as well. And if it is an account that the real user hasn’t been using for email, they get the added bonus of stealth. The actual user probably won’t go looking at the inbox, or even realize it exists.
You didn’t mention salting and stretching those MD5 hashes !
neither did Yahoo 🙁
DOH !!!!
Yahoo security key is not the same as two-step verification. You have to choose either to use Yahoo security key, or two-step verification. As best I understand it, two-step verification requires a password and a phone (every time you log in, a second one-time-use-only password is texted to your phone), and Yahoo security key only requires a phone (it doesn’t require a password at all, just that you press “yes” on the phone if it’s really you, and no if it’s not).
I strongly recommend two-step verification over Yahoo security key.
By the way, I was given the option to delete my security questions, but it says that you are unable to create new ones. I don’t know what they’re thinking.
They are just letting you know you won’t be able to use this to reset your account anymore (which is a good thing).
It’s not a good thing for me, because I use complete nonsense gibberish as my answers, which is secure (and keep everything in 1Password). It’s only good if you use truthful simple answers that could be easily determined.
The only thing Yahoo can do right is Fantasy Football, so unfortunately I can’t get rid of my Yahoo account. I stopped using it for email a long time ago. The fact that they stopped allowing users to forward email recently is very bad. Do they actually think they will keep users just by making it hard to leave? I set up a permanent vacation response to tell them that this email is not being checked and is instantly deleted by a rule.
Set up a gmail.com address and have it POP mail from your Yahoo account and start changing your email addresses on websites as you visit them over the next year. Then in 2018 you will be able to be rid of Yahoo completely if you don’t do Fantasy Football. 🙂
“If you haven’t touched your account in years, that’s probably why.”
The best thing you can do is just NOT use their system. Yahoo is yesterday’s news. Anything else is just advertising.
I received a fake text message just this morning, I have had this email for a long time, I just love starting over. How about people just have respect for others and their stuff and stop hacking…sounds like such an easy concept instead of all this security stuff. Money/greed is the root of all evil.
Yahoo! needs to go extinct. The bulk of their professional talent jumped ship to Google, Amazon, and Facebook years ago. About the only thing Yahoo! is useful for now is Kardashian and Jenner and Jennifer Lawrence News Updates.
Were the MD5 passwords salted or not? Surprised this isn’t answered anywhere.
I’m confused. If the hack happened in 2013 and I’ve already changed my Yahoo email password multiple times since then (most recently, last month), do I need to change it again to safeguard my account now? Surely the hackers will only have the old account information as it existed on the Yahoo servers back in August 2013?
I have the same question. I haven’t seen this answered anywhere yet.
It’s kind of a moot point. Considering Yahoo’s track record, you’re best off to assume that your CURRENT credentials are compromised. Take the necessary steps to protect yourself and begin the process of moving away from such an antiquated service.
It depends. Do you still use your 2013 Yahoo! password for any other accounts? A lot of times, the value of a stolen password is that it works in other accounts owned by the same person. While your Yahoo! account isn’t really at risk (you’ve changed the password several times), any other accounts you used your old password on are more vulnerable now.
If the account has been compromised chances are the compromise continues or could continue. Brian’s suggestion to “run” away from Yahoo and find another provider is about the best advice there is. C
What do you think about this issue with mail provider GMX?
What do you mean “about this issue with mail provider GMX?” Was there a breach? Are you asking about their service? If it’s the latter, I’ve been using gmx for the last 5 years. Love it. Very few spam emails. The big negative is they do not offer 2FA (two-factor authentication) and have plans to do so anytime soon (I emailed them and asked).
Many many ecommerce companies blacklist that domain. You may run into issues getting denied services or sales because of it.
Does anybody know if they possibly gained former account info? I’m mainly concerned about the security questions I had, as the passwords I would have used there would be long gone.
Is there a website or software solution that can determine and identify all online accounts for which I’ve used my Yahoo! email address, or variations thereof, as a “log in” name or identifier?
There are online tools available to search breached user databases that have been posted to the web — haveibeenpwned.com, for example.
There is no tool for searching where your e-mail address has been used specifically… this would require that every service make public their list of usernames. Be glad that such a thing does not exist. It would just make it easier for criminals to figure out where to use your information.
Boy I hope not 😉
I just read this url (http://www.wikihow.com/Switch-from-Yahoo!-Mail-to-Gmail) as per the link in this article and see these 2 statements:
“Be aware that you may not be able to import from Hotmail or Yahoo mail. As long as these email service providers do not provide POP3 access to their servers, you might not be able to import.”
“Will the transfer be permanent?
All that Gmail does is link all of your accounts from different e-mails (whether Yahoo, or a different Gmail) and syncs them all into one easy to access page/main account. You can stop Gmail from syncing accounts whenever you wish, and even while Gmail is using your Yahoo mail, you can still access your Yahoo account as you have done previously. Basically, you’ll still keep your Yahoo account. The author just meant ‘transfer’ as though the article was for people who are transferring from using Yahoo, to using Gmail and wasn’t talking about actually transferring the account.”
So it seems that the contents still remain in yahoo email account if we follow what this article (http://www.wikihow.com/Switch-from-Yahoo!-Mail-to-Gmail). I am looking for a way to transfer all of my important emails from Yahoo into Gmail or something else and then delete/close my yahoo account forever (of course, I will update my contact info at other merchants to new email id, etc.).
What is the best and easy way to transfer or copy emails from Yahoo to another source?
So if we keep money in bank then
Trojan will steal..
If we pay with our debit or credit card
Wrong place.
Then card will be copied…
What else?? Now e-mail
What next ???
Everywhere we go we have to look over our shoulders.
This life is so horrible.. you can lose it all in a moment.
This is really crazy life.
Can we read about good news???
What about happiness??
Where is happiness???
Right here, brother:
http://www.telegraph.co.uk/travel/galleries/The-worlds-happiest-countries/denmark/
happiness?? surely you jest.
the rich have eaten all that’s not nailed down. they’re coming with pry bars for the rest, too.
Is this possibly related to the yahoo issue of yahoo inbox vanishing e-mails? Last time mine were not restored- it was the 4th e-mail kidnapping in 2 months.
I have been using Gmail for ten years but I am looking to move on soon. This is because in those ten years Google has become so large and all-encompassing that there are privacy problems for me. In the UK, their acquisition of the DeepMind AI company has given them access to Health Service patient records, which is a step too far for me.
That’s on top of having an Android phone that knows where I am all the time, photos, Google drive etc.
Yah, healthcare files haven’t ever been accessed improperly… Why not let google take a shot at securing the files, it can’t get much worse than how it is now.
I just closed my Yahoo account. This says it all…
Given a choice between Yahoo who obviously does not give a darn about your information and Google who is obsessed with your every detail I am hard pressed to see one as preferable over the other.
Makes me long for those olden days where all you needed was a stamp or a quarter to communicate.
I still use Yahoo Mail. I probably have over 50,000 emails stored, including many in folders, which I search and reference frequently. I can’t move that somewhere else.
Good luck to the hackers in figuring out which of those billion accounts is mine. I have a very long password (>25 characters). I will be among the last of the accounts, out of the billion, to be MD5 cracked. I don’t have to outrun the bear, I just have to outrun most everyone else.
Also, I use two-factor authentication for any login from a new location. I deleted the useless security questions long ago. I use an “on-line” birthday that greatly differs from my actual birthday.
Also, I have no contacts. Spammers will not get much from me. I learned the hard way years ago when a javascript hack went into my contacts and sent spam to all my contacts. I emailed every contact and apologized. Then deleted all my contacts. If I want contact info I search for it.
The forged cookies hack is the main thing that concerns me. That is bad.
MD5 is trivial to crack even with a 25-character password; if Yahoo didn’t salt the password they have it for sure right now.
If they did salt it, they probably still have it as it is still fairly simple to break md5’s.
If you have that much email; you might consider moving to your own mail server, so you can be in control and have backups of your mail. 🙂
A major problem with Yahoo’s statement about its security questions is that most users no longer have a way to see what security questions Yahoo was using for them, so unless they happen to remember which arcane questions Yahoo asked them years ago, they can’t tell whether any other sites are currently using the same security questions.
It’s a kind of Catch-22: I need to see my security questions on Yahoo to determine whether the same questions and answers might be at risk elsewhere. But Yahoo won’t let me see them anymore.
Hi Brian,
Feel like doing an AMA on Reddit?
https://www.reddit.com/r/IAmA/comments/5igzqj/ama_request_someone_who_works_in_cyber_security/
Putting your browser in a Sandboxie shell may be an effective layer of defense in case you click on a malicious link or browse any malicious content. I’ve used it for years. It can be especially good for the majority of computer users who have little or no knowledge of computer security and resist learning. safetyon.info.
Last time I checked (3 weeks ago), Yahoo is no longer supporting security questions and prompts you to delete them, when you review the security settings there.
—
Delete security questions from your account
Remove security questions as recovery info on your account by deleting them from your Account Information page. Instead, add an email address or phone number to verify and secure your account.
! Can’t create new or edit existing questions – Your only option is to disable your current security questions. Once you’ve done this, you will not be able to view or create new questions.
Go to your Yahoo Account Settings.
Click Account security.
Click Disable security questions.
– You’ll be brought to a new page with your security questions.
Click “Yes, secure my account.”
Click Continue.
I already changed my password a few months ago from the earlier breach. This latest breach happened in ’13. Do I need to change it again?
I understand that most people here see no use for Yahoo, but I have two uses that work well. I belong to two fairly obscure but international Yahoo Groups. I think the groups could switch to Google something-or-other, but unwillingly. These are the kinds of groups that discuss rootstock or a compelling detail about Captain Vancouver’s crew.
And personally, I have used My Yahoo for RSS feeds for many years and like it a lot. Are there other good options? I use my yahoo email for both, but nothing else.
If the problem was that someone somehow forged cookies – how did this provide them with the md5 of passwords? Did Yahoo automatically append the md5 of the password to the URL if you gave it a valid session cookie? Or did they forge cookies until they found one for an admin account that had the rights to download whole databases?
One recommendation which is never made is to delete asap old emails, not just simply send them to the trash!
It is really important to delete recover-password emails, as you are leaving clues about your other accounts.
E.g. you using yahoo to recover your login/pw to access abcd.com or xyzmail.com.
When you see that some sites (in this example abcd.com) are still emailing passwords in clear text, some even not requiring to change it after first login, or a recover URL without any time limit…
Is privacy out of the scope of security? I wonder why you’d recommend GMail over encrypted mail services.
Privacy and security are two very different things and should not be confused with each other. The closest you can get to privacy with email is to run your own email server, and that isn’t even all that private. Email has never been private. It never will be. You’re using someone else’s server. A server that you have no control over. A server that someone else owns.
Few people ever really come to grips with these things and actually understand why these companies give it for free.
I understand where you’re coming from, but I think you’re wrong to think encrypted email services are equal to unencrypted services (especially services who don’t care about your privacy and have been working with governments in the past), just because full privacy is extremely difficult to achieve (if possible at all).
Encryption is still better than nothing.
That being said, trusting any service that claims to encrypt your data is wrong, I agree. But there are reputable services out there. I’m not saying names because people will think I’m advertising, but you already know the ones I would name.
And are we so sure privacy and security are two different things? Aren’t the two linked in many cases? Isn’t protecting your privacy also protecting other areas of your life/work? And vice versa.
Encryption is certainly a way to go. Although it’s hard for me to put any real amount of faith in it. If encryption actually meant so much (even 2fa), we simply wouldn’t see so many of the issues we see. I’m not saying to disregard encryption or 2fa. I’m saying that it is too easy for it to be used as an advertising path that provides a false sense of security.
When the bad guys have access to the servers, it no longer matters what method you use to log in. When they have that kind of access, they will see any password you change it to. Encryption at that point means nothing.
As Brian has suggested, you should be able to achieve BOTH security and privacy. At least as far as what is being sold to you. But they are still two different things. You can have security without privacy (bulletproof transparent glass), privacy without security (a cardboard box), or both (armed policemen outside your underground bunker).
Why would you assume you can’t have both? I use GPG-based encryption on top of Gmail for important/secret communication. Do you entrust both to your provider?
I use Flickr ( a Yahoo company), what password options do I have? What steps would you recommend?