Many readers are asking what they should be doing in response to Yahoo‘s disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format.
Image: eff.org
Q: Was my account hacked?
A: Experts I’ve spoken to believe Yahoo has about a billion active accounts. So, yes, it’s very likely your account’s password is compromised, and probably most of the other information you at one point entrusted to Yahoo. According to a statement from the company, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
Q: I’m not sure if I have a Yahoo account. How do I find out?
A: This is a surprisingly complex question. Thanks to the myriad mergers and business relationships that Yahoo has forged over the years, you may have a Yahoo account and not realize it. That’s because many accounts that are managed through Yahoo don’t actually end in “yahoo.com” (or yahoo. insert country code here).
For example, British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address.
Q: I created a Yahoo account a few years ago, but Yahoo says it doesn’t exist anymore. What’s going on here?
A: Yahoo has a policy of deactivating or deleting accounts that remain dormant for more than a year. If you haven’t touched your account in years, that’s probably why.
Q: Why would someone want to hack my email account? What could they do with it?
A: Spam, spam, and spam. Oh, and spam. They want to spam your contacts with malware and ads for dodgy products and services. Also, it gives the bad guys direct access to any account that you have signed up for using that email address. Why? Because if the crooks have access to your inbox, they can request a password reset link be sent to your inbox from any Web site you’ve signed up with at that email address.
For more detail on why these lowlifes might want control over your inbox and how they can monetize that access, see one of the most-read pieces on this blog — The Value of a Hacked Email Account. NB: Accounts that are hijacked for use in spam campaigns may also be suspended or deleted by Yahoo.
Q: What the heck is an MD5?
A: It’s an inferior password storage method that too many companies still use to protect user passwords. An MD5 “hash” is computed by taking your plain text password and running it against an algorithm that is supposed to make the output impossible to reverse. For example, the world’s worst password — “password” — always computes to the MD5 hash of “cc3a0280e4fc1415930899896574e118” (see this MD5 generator for more examples).
The problem is that computing power is super cheap nowadays, and MD5s are no match for brute-force attacks that simply compare the result of hashed dictionary words and other common passwords with user password databases stored in MD5 format (i.e., if the MD5 your email provider stores for you is “cc3a0280e4fc1415930899896574e118”, then congrats on using the world’s worst password).
Long story short, there are vast indexes of these pre-computed MD5 hashes — known as “rainbow tables” — freely available online that can be used to quickly crack a large percentage of any MD5 password list.
Q: So if using hashing methods like MD5 is such a lame security idea, why is Yahoo still doing this?
A: Yahoo says this breach dates back to 2013. To its credit, Yahoo began moving away from using MD5s for new accounts in 2013 in favor of Bcrypt, far more secure password hashing mechanism. But yeah, even by 2013 anyone with half a clue in securing passwords already long ago knew that storing passwords in MD5 format was no longer acceptable and altogether braindead idea. It’s one of many reasons I’ve encouraged my friends and family to ditch Yahoo email for years.
Q: I’ve been using Yahoo for years. If this service can’t be trusted, what would you recommend?
A: I’ve used Google Mail (Gmail) for more than a decade, but your mileage may vary. I moved virtually all of my email activity to Gmail years ago mainly because they were among the first to offer more robust authentication and security measures, such as two-step authentication. And they continue to innovate in this space. If you’d like to migrate the messages from your Yahoo account to a Gmail account, see these instructions.
Q: Yahoo said in some cases encrypted or unencrypted security questions and answers were stolen. Why is this a big deal?
A: Because for years security questions have served as convenient backdoors used by criminals to defraud regular, nice people whose only real crime is that they tend to answer questions honestly. But with the proliferation of data that many people post online about themselves on social media sites — combined with the volume of public records that are indexed by various paid and free services — it’s never been easier for a stranger to answer your secret question, “What was the name of your elementary school?”
Don’t feel bad if you naively answered your secret questions honestly. Even criminals get their accounts hacked via easily-guessed secret questions, as evidenced by this story about the San Francisco transit extortionist who last month had his own account hacked via weak secret questions.
Q: So should I change my secret questions in my Yahoo account? Yahoo says it has “invalidated unencrypted security questions and answers so that they cannot be used to access an account,” but how do I know whether my security questions were encrypted or not?
A: Assuming you still can, yes by all means change the answers to the security questions to something only you know. However, it’s not clear that this is still an option: I tried logging in using the secret questions on two older accounts I have and did not see that option available anymore, so it’s likely that Yahoo has disabled them altogether. Yahoo’s statement on this matter is confusing, and the company hasn’t responded yet to follow-up questions to clarify things.
More importantly, if you have used these questions and answers at other sites, please change those answers at the other sites now. Pro tip: If you must patronize sites that allow password and account recovery via secret questions, don’t answer the secret questions honestly. Pick answers that aren’t obvious and that can’t be found using social media or a search engine.
Q: Yahoo also said that the intruders were able to forge “cookies.” What’s that all about?
A: Yahoo said the attackers had worked out a way to forge cookies, text files that Yahoo places on user computers when they log in. Authentication cookies contain information about the user’s session with Yahoo, and these cookies can contain a great deal of information about the user, such as whether that user has already authenticated to the company’s servers.
The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them to access targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.
Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.
Q: That sounds pretty bad.
A: Yeah, that’s about as bad as it gets. It’s yet another reason I’m telling people to run away from Yahoo email.
Q: Okay, I don’t need my account anymore, and/or I’ve transferred what I need from that account and no longer want to have an account at Yahoo. Can I delete my account?
A: Yes, you can delete your account. Yahoo has detailed instructions here. But before you do this, consider whether you have created unique relationships with any other Web sites using this email account. If so, you may lose access to those third-party Web site accounts if you no longer have access to the email inbox you used to create that relationship. Take stock of any third-party Web site user accounts you may have tied to your Yahoo inbox, and if you wish to keep those accounts you’ll probably need to log in to them separately and change the contact email address.
Q: What else should I be concerned about as a result of this latest hack?
A: Make sure you have not used your Yahoo password at any other sites or online accounts that you value or that hold potentially sensitive information about you. If you have, change the password at those other sites to unique, complex passwords. And stop re-using passwords: It’s probably the leading cause of account compromises.
Also, be on the lookout for an uptick in possibly much more targeted email phishing and malware attacks. When attackers have a lot of details about you (like the ones Yahoo said were stolen in this hack) it makes it much easier for them to craft convincing email lures. Be especially wary of clicking on links or attachments in emails you were not expecting, and never respond to login or password reset requests sent via email that you did not initiate.
If your mobile phone number was associated with your Yahoo account, that number may receive SMS phishing or “smishing” attacks as a result. The standard warning about clicking links applies to unbidden text messages as well.
Enable any and all security measures available to you at your current or new email provider. The most important steps you can take are adding a backup email account that you can use to receive messages or password resets if you somehow lose access to your account (i.e., someone figures out your password and seizes control over your account), and taking advantage of two-step or two-factor authentication. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your account. For more on which providers offer this vital security feature, see twofactorauth.org. If you’re sticking with Yahoo despite all of the above, please make sure to take advantage of their two-step feature, called Yahoo Account Key.
Didn’t Yahoo allow e-mail addresses to be re-registered if enough time had expired? Should probably be mentioned in the article that you’re at risk of others taking over any third-party accounts your old Yahoo e-mail is still associated with if you forget to change the e-mail address there.
Yahoo: “Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.”
You: “Yahoo says this breach dates back to 2013.”
The Yahoo statement seems to make clear that the hack occurred in 2013 and only in 2013. Your “dates back to” makes it sound like it might have been ongoing since 2013. If that is not the case, better wording would have been “occurred in 2013.”
If that is the case and the hack only occurred in 2013, anyone who has established a Yahoo account after 2013 or changed their password on an existing account since then is OK… until the next hack at least. Is that correct?
And why is every one of my posts always marked as “awaiting moderation.”
This confuses me, but,
No one company that does email, pas the 90’s has said your email is private. Even Eudora said they would show ads based on your services and responses. Part of their money making schemes to stay in business. That helped produce the spam industry. It’s just some are more upfront about what they will allow. Others will allow wholesale theft of space or give away the information for little value.
My only complaint is three years to discover their list was compromised? Ccome on…
“Even Eudora said they would show ads based on your services and responses.”
That was only for the free version. The paid version never had ads.
So what do you do if your account has been hacked and you cant reset the password?
I get the infamous “Uh.-oh… Looks like we cant recover your account online. Please visit our help site to get back in” error. It just loops back to this error and the help site is no help at all. I did have recovery options set to my cell phone but the help site doesn’t let me get that far.
Is there a way to contact Yahoo support?
Is there any kind of legal recourse I can file against Yahoo for account compromise and lax security standards?
Carl Sagan said that there were billions and billions of stars. I bet the same could also be said of email addresses. Is the real problem using spam to get control of your computer or getting access to your financial data. In the first case they are casting a net to catch victims. In the second case aren’t they targeting specific people. How can they possibly pick those stars in the billions of billions stars there are?
In regards to ATT, my understanding is that if you change your att pw then you automatically change you Yahoo pw.
The yahoo email service hack happen before the 8 november president elections. Then mr trump was help by the russian government.
“Q: I’ve been using Yahoo for years. If this service can’t be trusted, what would you recommend?”
Register your own domain name and get e-mail from one of the paid e-mail providers. Alternatively, you may use Gmail with your custom domain.
One important defense against “Rainbow Table” attacks is to “salt” the password. That means that each user has a randomly-chosen string stored with the user credentials and pre or post pended to the password before hashing. This means an attacker needs a separate “Rainbow Table” for each user, which significantly increases the effort required, as the attacker can’t use precomputed tables anymore.
Not using salt was the key mistake made by eHarmony and LinkedIn when they were hacked a few years ago. A rookie mistake if there ever was one.
If you want to avoid mass hack attacks, it might also be a good idea to get your email from your own web server, rather than one that hosts millions of other users.
Isn’t that what Hillary did?
There is nothing wrong with having your own email server. That was never the issue. The issue was that someone in her position in government was running an email server for the specific purpose of bypass government security as a means of conducting illegal activity.
“The issue was that someone in her position in government was running an email server for the specific purpose of bypass government security as a means of conducting illegal activity.”
Sorry to go back to the whole post-truth thing so close to the real election )(the Electoral College), but the issue was that it was a violation of government regulations for any employees, even Cabinet secretaries, to use private e-mail, run by themselves or commercial services, for government business, and in particular for classified information.
Only the Trumpies and the Russians ever claimed that she was carrying out any other illegal activity, and never produced any believable evidence…. as with virtually all of the character attacks on Sec. Clinton.
One must have some vestiges of character, in order to have one’s character attacked.
Nice 2 year old insults from a grown adult.
I think you forgot about the media emails and the pre-requested questions to various media outlets.
I see you are still in the blame game, sore loser.
Yes, it is what Hillary did. But she is obviously, in her own right, a high-value target. I’m not, and nobody is likely to want to penetrate the server for my web site just to get one person’s email password.
Besides, I am not violating any rules or expectations by using a private server (or actually one operated by a hosting vendor).
Two-factor is only an improvement if the 2nd factor can’t be easily subverted. I think the jury may still be out on that.
Yes, that is what Hillary did, but she was a high-value target, and it may have been worth someone’s time to undertake the effort. Nobody is going to expend any significant effort to hack into a server, like mine, that handles email for me, my wife, my daughter, and one of my brothers. We’re not high value targets.
But those, like eHarmony and LinkedIn who have lots of accounts and used a single iteration of MD5 with no salt are BEGGING for trouble
Interestingly while the Russians were hacking the DNC, the RNC, the US Government, etc., there has been no evidence to date that Hillary Clinton’s servers were ever hacked. She was smarter than all them.
The evidence is the fact that the whole world knows about her server. If it had been done correctly, no one would have ever known anything about it.
Her server being hacked was not at issue anyway. The issue was that her server existed combined with the way she used it.
“The evidence is the fact that the whole world knows about her server. If it had been done correctly, no one would have ever known anything about it.”
What use would a hidden email server be to anyone? No-one would know what email address to reach it at, nor would the secret server be able to email anyone without revealing it’s existence.
You viewing it through the eyes of a home user or a typical office user. When it’s the highest levels of national government, things change.
2 factor authentication is very simply the best privacy
innovation in recent years when combined with standard android encryption, from a normal user case perspective.
@Brian Does anyone have an idea about the status of Yahoo Japan? Could they have also been hacked?
Another party also interested in an answer or clarification for this.
Maybe mention Flickr’s connection to Yahoo?
I changed my yahoo password 3 weeks ago, this morning i received the email by yahoo regarding the 2013 breach, 30 mins after i received that email my ebay account was compromised through my email and a load of digital download games were purchased, my yahoo email in recent activity showed my account was accessed this morning from liverpool
If a non-Yahoo account (in this case, eBay) was compromised after the Yahoo! information was sold, whether or not you changed your Yahoo! password wouldn’t matter if your eBay account had a similar but unchanged password.
How Many Times Has Your Personal Information Been Exposed to Hackers?
http://www.nytimes.com/interactive/2015/07/29/technology/personaltech/what-parts-of-your-information-have-been-exposed-to-hackers-quiz.html
A list.
Two hacks, more than 1 billion accounts
http://www.cbsnews.com/news/yahoo-hack-law-enforcement-believes-state-actor-us-official-says/
Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.
(Versus “the Russians” using a teen script kiddie in mom’s basement phishing attack on Podesta)
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)
Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.
That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.
Deleting your Yahoo account is probably more dangerous than keeping it active. Unlike Gmail, Yahoo allows usernames to be recycled. That means after 30 days, someone can register an account with your name and pretend to be you.
See https://www.wired.com/2013/06/yahoos-very-bad-idea/
Heck, Yahoo even created a marketplace that allows hackers to pay $1.99 and get first dibs on your email address: https://watchlist.yahoo.com/
Ahhhhhhhb
Why hackers need your yahooo
Acccount???? For what….i think people are too
Paranoid about hacking, cmon who gives sh…
Let they hack and takemy email account.so what
…man dont cry lets focus onreal things in life.
First internet is not real ….its not real world
Its virtual world. …..cmon guys too much matrix
Movies…..lets just relax.
Lets be real…ok ifsomeone hacks in my email
Account i dont care couse this is not my fall
Thats it. If the world is like hell..we live in
Then let itbe… youcant expectong good in this
World. So what we can do.
BIBLE SAYS…if u get slap on face turn other sude aswelll
Lol….so continue. I would say if thief steal from you you go and steal from thief. Be man people stand yourself…dont come to cry…email and internet not real…soget overn
Why is there no mention of Yahoo MFA? I’ve used their multi-factor authentication (code txt to cell phone) ever since they offered it. Doesn’t this provided bullet proof protection in this breach situation?
The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
—————————————
2FA (MFA) so obviously is not much of a problem to get around.
“…bullet proof protection…”
Not so much…..
A: I’ve used Google Mail (Gmail) for more than a decade, but your mileage may vary. I moved virtually all of my email activity to Gmail years ago mainly because they were among the first to offer more robust authentication and security measures, such as two-step authentication.
Brian, do you have any opinion on Proton Mail?
I have had a Yahoo account almost ever since Yahoo was invented. It must have been hacked multiple times, besides the hacks we know about. In order to back up one’s account, it asks for a cell phone number. But that number then becomes part of a person’s personal data which can be hacked. I won’t give it out, but why does Yahoo think that that number adds to the security of the situation?
I received an email indicating that some email address I had with yahoo was part of this breach. The only account that I can think of having with Yahoo was an account that was supposed to be deleted. The email gives no information on the user name of the breached account and gives no contact information on whom I can contact to find out what account this is. It tells me to change my password and security questions but how would I do this for a deleted account? Would I have to change such information on a deleted account or was my account not deleted by Yahoo? Does Yahoo have any customer service email address or phone number where I can call to get more information? It sounds like either they didn’t delete my account with them or someone created a fraudulent account associating it with my email address. I cannot think of any other account I’ve had in the past with Yahoo or an account that may have been acquired by Yahoo so I’m assuming it was this account that was supposedly deleted.
I’m fairly new to IT Security but it seems to me, it would be much better recommending an email service such as Proton Mail rather than Google. Wasn’t Google involved with the collating and handing over of all data to NSA as per the Snowden scandal (along with Yahoo, Facebook etc?)
I’ve got nothing to hide myself, but if comapnies are known to be harvesting our details, then personally, I’m going to avoid them.
Stop using Yahoo, this is the best advice I can give 🙂
I don’t use Yahoo mail but Flikr linked up with them several years ago, much to my dismay. So, I have to have a Yahoo account to be able to utilize Flikr. Can I though, delete the email account [which I never use, I use only my .mac account] without having to delete the whole of Yahoo?
I have a very old Yahoo mail account – got it as part of DSL service from SNET (well, maybe SBC or maybe AT&T). Kept it around because a few minor things were tied to it.
When I log in to my Yahoo account and try to change the password, it tells me that password changes are handled by AT&T and sends me to an AT&T page. I successfully changed the password – but apparently this isn’t propagated to the map or smtp accounts I use for mail! A few days later, and my old password continues to work on those.
What a mess….
Worse than I thought. The new password hasn’t propagated to Yahoo *at all* – I can still log in with the old one and have access to everything about the account (other than changing the password – so I have a new, secure password that lets me change … itself.)
Wonderful.
— Jerry
Just out of curiosity, can a bot belong to multiple botnets?
And if, where is the limit?
> in some cases encrypted or unencrypted security questions and answers were stolen
> Yahoo’s statement on this matter is confusing, and the company hasn’t responded yet to follow-up questions to clarify things.
I hope you’ll press Yahoo for more information. Currently there’s no way for a user to find out whether their security questions and answers were stolen, nor what their security questions were.
Should website owner be sued for leaking customers information? A recent law Chinese government make is that all website owner need to secure their customers data, for any leak the business might be in sued.
I have 1 tip for all those who’s Yahoo account have been hacked. Move to Gmail. Its far better in every area. I was with Yahoo for years, I have been with Gmail for about 6 months now and so far I love it!