103 comments

  1. Q: Okay, I don’t need my account anymore, and/or I’ve transferred what I need from that account and no longer want to have an account at Yahoo. Can I delete my account?

    A: Yes, you can delete your account.

    Yahoo has detailed instructions here. But before you do this, consider whether you have created unique relationships with any other Web sites using this email account. If so, you may lose access to those third-party Web site accounts if you no longer have access to the email inbox you used to create that relationship. Take stock of any third-party Web site user accounts you may have tied to your Yahoo inbox, and if you wish to keep those accounts you’ll probably need to log in to them separately and change the contact email address.

    Didn’t Yahoo allow e-mail addresses to be re-registered if enough time had expired? Should probably be mentioned in the article that you’re at risk of others taking over any third-party accounts your old Yahoo e-mail is still associated with if you forget to change the e-mail address there.

  2. Yahoo: “Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.”

    You: “Yahoo says this breach dates back to 2013.”

    The Yahoo statement seems to make clear that the hack occurred in 2013 and only in 2013. Your “dates back to” makes it sound like it might have been ongoing since 2013. If that is not the case, better wording would have been “occurred in 2013.”

    If that is the case and the hack only occurred in 2013, anyone who has established a Yahoo account after 2013 or changed their password on an existing account since then is OK… until the next hack at least. Is that correct?

  3. And why is every one of my posts always marked as “awaiting moderation.”

  4. This confuses me, but,
    No company that does email, past the 90s, has said your email is private. Even Eudora said they would show ads based on your services and responses. Part of their money-making schemes to stay in business. That helped produce the spam industry. It’s just that some are more upfront about what they will allow. Others will allow wholesale theft of space or give away the information for little value.
    My only complaint is three years to discover their list was compromised? Come on…

    • “Even Eudora said they would show ads based on your services and responses.”

      That was only for the free version. The paid version never had ads.

  5. So what do you do if your account has been hacked and you can’t reset the password?

    I get the infamous “Uh-oh… Looks like we can’t recover your account online. Please visit our help site to get back in” error. It just loops back to this error and the help site is no help at all. I did have recovery options set to my cell phone but the help site doesn’t let me get that far.

    Is there a way to contact Yahoo support?
    Is there any kind of legal recourse I can file against Yahoo for account compromise and lax security standards?

  6. Carl Sagan said that there were billions and billions of stars. I bet the same could also be said of email addresses. Is the real problem using spam to get control of your computer or getting access to your financial data? In the first case they are casting a net to catch victims. In the second case, aren’t they targeting specific people? How can they possibly pick those stars among the billions of billions of stars there are?

  7. In regards to AT&T, my understanding is that if you change your AT&T password then you automatically change your Yahoo password.

  8. goyscript subterfuge

    The Yahoo email service hack happened before the 8 November presidential elections. Then Mr Trump was helped by the Russian government.

  9. “Q: I’ve been using Yahoo for years. If this service can’t be trusted, what would you recommend?”

    Register your own domain name and get e-mail from one of the paid e-mail providers. Alternatively, you may use Gmail with your custom domain.

  10. One important defense against “Rainbow Table” attacks is to “salt” the password. That means that each user has a randomly-chosen string stored with the user credentials and prepended or appended to the password before hashing. This means an attacker needs a separate “Rainbow Table” for each user, which significantly increases the effort required, as the attacker can’t use precomputed tables anymore.

    Not using salt was the key mistake made by eHarmony and LinkedIn when they were hacked a few years ago. A rookie mistake if there ever was one.

    If you want to avoid mass hack attacks, it might also be a good idea to get your email from your own web server, rather than one that hosts millions of other users.

    • Isn’t that what Hillary did?

      • There is nothing wrong with having your own email server. That was never the issue. The issue was that someone in her position in government was running an email server for the specific purpose of bypassing government security as a means of conducting illegal activity.

        • “The issue was that someone in her position in government was running an email server for the specific purpose of bypassing government security as a means of conducting illegal activity.”

          Sorry to go back to the whole post-truth thing so close to the real election (the Electoral College), but the issue was that it was a violation of government regulations for any employees, even Cabinet secretaries, to use private e-mail, run by themselves or commercial services, for government business, and in particular for classified information.

          Only the Trumpies and the Russians ever claimed that she was carrying out any other illegal activity, and never produced any believable evidence…. as with virtually all of the character attacks on Sec. Clinton.

          • One must have some vestiges of character, in order to have one’s character attacked.

          • Nice 2 year old insults from a grown adult.
            I think you forgot about the media emails and the pre-requested questions to various media outlets.
            I see you are still in the blame game, sore loser.

      • Yes, it is what Hillary did. But she is obviously, in her own right, a high-value target. I’m not, and nobody is likely to want to penetrate the server for my web site just to get one person’s email password.

        Besides, I am not violating any rules or expectations by using a private server (or actually one operated by a hosting vendor).

        Two-factor is only an improvement if the 2nd factor can’t be easily subverted. I think the jury may still be out on that.

      • Yes, that is what Hillary did, but she was a high-value target, and it may have been worth someone’s time to undertake the effort. Nobody is going to expend any significant effort to hack into a server, like mine, that handles email for me, my wife, my daughter, and one of my brothers. We’re not high value targets.

        But those, like eHarmony and LinkedIn, who have lots of accounts and used a single iteration of MD5 with no salt are BEGGING for trouble.

      • Interestingly while the Russians were hacking the DNC, the RNC, the US Government, etc., there has been no evidence to date that Hillary Clinton’s servers were ever hacked. She was smarter than all them.

        • The evidence is the fact that the whole world knows about her server. If it had been done correctly, no one would have ever known anything about it.

          Her server being hacked was not at issue anyway. The issue was that her server existed combined with the way she used it.

          • “The evidence is the fact that the whole world knows about her server. If it had been done correctly, no one would have ever known anything about it.”

            What use would a hidden email server be to anyone? No one would know what email address to reach it at, nor would the secret server be able to email anyone without revealing its existence.

            • You’re viewing it through the eyes of a home user or a typical office user. When it’s the highest levels of national government, things change.

  11. 2-factor authentication is very simply the best privacy innovation in recent years when combined with standard Android encryption, from a normal user case perspective.

  12. @Brian Does anyone have an idea about the status of Yahoo Japan? Could they have also been hacked?

  13. Maybe mention Flickr’s connection to Yahoo?

  14. I changed my Yahoo password 3 weeks ago. This morning I received the email from Yahoo regarding the 2013 breach; 30 minutes after I received that email my eBay account was compromised through my email and a load of digital download games were purchased. My Yahoo email, in recent activity, showed my account was accessed this morning from Liverpool.

    • If a non-Yahoo account (in this case, eBay) was compromised after the Yahoo! information was sold, whether or not you changed your Yahoo! password wouldn’t matter if your eBay account had a similar but unchanged password.

  15. Two hacks, more than 1 billion accounts

    http://www.cbsnews.com/news/yahoo-hack-law-enforcement-believes-state-actor-us-official-says/

    Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.

    (Versus “the Russians” using a teen script kiddie in mom’s basement phishing attack on Podesta)

    In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

    But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

    That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)

    Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.

    That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.
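
    The salting point in comment 10 and the “huge dictionaries of similarly scrambled phrases” cracking method in comment 15 above can be shown side by side. The following is an added example with constructed data, not code from the article or from Yahoo: the wordlist, user names and passwords are made up, and the iteration count is kept deliberately small so it runs quickly. It stores the same passwords once as single unsalted MD5 (the eHarmony/LinkedIn style mentioned in the thread) and once with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 is used here as a stand-in for any slow, salted scheme), then runs the same wordlist attack against both and counts how much hashing the attacker has to do at crack time.

    ```python
    """Unsalted MD5 vs. salted, iterated hashing under the same wordlist attack.
    Added example with constructed data; not the article's or Yahoo's code."""
    import hashlib
    import hmac
    import os

    # Constructed attacker wordlist (a real one has millions of entries).
    WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "yahoo2013"]

    # Constructed users: three picked a wordlist password, one did not.
    USERS = {"alice": "letmein", "bob": "sunshine", "carol": "qwerty",
             "dave": "c0rrect-h0rse-b4ttery"}

    # Deliberately small so the example runs fast; production uses far more.
    ITERATIONS = 10_000


    def md5_hex(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()


    def store_unsalted(users):
        """The rookie scheme from the thread: one MD5 of the password, no salt."""
        return {u: md5_hex(p) for u, p in users.items()}


    def build_table(words):
        """Precompute hash -> plaintext once; reusable against every leaked database."""
        return {md5_hex(w): w for w in words}


    def crack_unsalted(stored, table):
        """Zero hashing at crack time: each stored hash is just a dictionary lookup."""
        return {u: table.get(h) for u, h in stored.items()}


    def salted_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


    def store_salted(users):
        """Per-user random salt stored beside the hash (the salt need not be secret)."""
        out = {}
        for u, p in users.items():
            salt = os.urandom(16)
            out[u] = {"salt": salt, "hash": salted_hash(p, salt)}
        return out


    def verify(record, password: str) -> bool:
        """Login check with a constant-time comparison of the recomputed hash."""
        return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


    def crack_salted(stored, words):
        """No shared table is possible: every candidate is re-hashed under each user's
        own salt.  Returns (guesses, hash_calls) so the cost is visible."""
        guesses, calls = {}, 0
        for u, rec in stored.items():
            guesses[u] = None
            for w in words:
                calls += 1
                if hmac.compare_digest(salted_hash(w, rec["salt"]), rec["hash"]):
                    guesses[u] = w
                    break
        return guesses, calls


    if __name__ == "__main__":
        table = build_table(WORDLIST)
        print("unsalted MD5:", crack_unsalted(store_unsalted(USERS), table),
              "| hash calls at crack time: 0 (table built once, reused forever)")
        guesses, calls = crack_salted(store_salted(USERS), WORDLIST)
        print("salted PBKDF2:", guesses,
              f"| hash calls at crack time: {calls}, each {ITERATIONS} iterations")
    ```

    Both attacks recover the three weak passwords, which is the practical point for users: salting and slow hashing do not save a password that is in the attacker’s dictionary, they only make the attacker pay per user and per guess instead of once for everyone. The unsalted table costs nothing at crack time and could have been built years before the breach; the salted run needs 18 fresh PBKDF2 computations for four users and six words, and that number scales with users times dictionary size times iterations. The password-reuse caveat from the eBay reply in comment 14 still applies in both cases.
    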

  16. Deleting your Yahoo account is probably more dangerous than keeping it active. Unlike Gmail, Yahoo allows usernames to be recycled. That means after 30 days, someone can register an account with your name and pretend to be you.

    See https://www.wired.com/2013/06/yahoos-very-bad-idea/

    Heck, Yahoo even created a marketplace that allows hackers to pay $1.99 and get first dibs on your email address: https://watchlist.yahoo.com/

  17. Ahhhhhhh. Why do hackers need your Yahoo account? For what? I think people are too paranoid about hacking, c’mon, who gives sh… Let them hack and take my email account, so what… man, don’t cry, let’s focus on real things in life. First, the internet is not real… it’s not the real world, it’s a virtual world… c’mon guys, too many Matrix movies… let’s just relax. Let’s be real… OK, if someone hacks into my email account I don’t care, because this is not my fault. That’s it. If the world we live in is like hell… then let it be… you can’t expect anything good in this world. So what can we do? BIBLE SAYS… if you get slapped on the face, turn the other side as well. Lol… so continue. I would say if a thief steals from you, you go and steal from the thief. Be men, people, stand up for yourself… don’t come to cry… email and the internet are not real… so get over it.

  18. Why is there no mention of Yahoo MFA? I’ve used their multi-factor authentication (code texted to cell phone) ever since they offered it. Doesn’t this provide bulletproof protection in this breach situation?

    • The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
      —————————————
      2FA (MFA) so obviously is not much of a problem to get around.

      “…bullet proof protection…”

      Not so much…..

  19. A: I’ve used Google Mail (Gmail) for more than a decade, but your mileage may vary. I moved virtually all of my email activity to Gmail years ago mainly because they were among the first to offer more robust authentication and security measures, such as two-step authentication.

    Brian, do you have any opinion on Proton Mail?

  20. I have had a Yahoo account almost ever since Yahoo was invented. It must have been hacked multiple times, besides the hacks we know about. In order to back up one’s account, it asks for a cell phone number. But that number then becomes part of a person’s personal data which can be hacked. I won’t give it out, but why does Yahoo think that that number adds to the security of the situation?

  21. I received an email indicating that some email address I had with yahoo was part of this breach. The only account that I can think of having with Yahoo was an account that was supposed to be deleted. The email gives no information on the user name of the breached account and gives no contact information on whom I can contact to find out what account this is. It tells me to change my password and security questions but how would I do this for a deleted account? Would I have to change such information on a deleted account or was my account not deleted by Yahoo? Does Yahoo have any customer service email address or phone number where I can call to get more information? It sounds like either they didn’t delete my account with them or someone created a fraudulent account associating it with my email address. I cannot think of any other account I’ve had in the past with Yahoo or an account that may have been acquired by Yahoo so I’m assuming it was this account that was supposedly deleted.

  22. I’m fairly new to IT security, but it seems to me it would be much better to recommend an email service such as Proton Mail rather than Google. Wasn’t Google involved with the collating and handing over of all data to the NSA as per the Snowden scandal (along with Yahoo, Facebook, etc.)?
    I’ve got nothing to hide myself, but if companies are known to be harvesting our details, then personally, I’m going to avoid them.

  23. Stop using Yahoo, this is the best advice I can give 🙂

  24. I don’t use Yahoo mail, but Flickr linked up with them several years ago, much to my dismay. So, I have to have a Yahoo account to be able to use Flickr. Can I, though, delete the email account [which I never use; I use only my .mac account] without having to delete the whole of Yahoo?

  25. I have a very old Yahoo mail account – got it as part of DSL service from SNET (well, maybe SBC or maybe AT&T). Kept it around because a few minor things were tied to it.

    When I log in to my Yahoo account and try to change the password, it tells me that password changes are handled by AT&T and sends me to an AT&T page. I successfully changed the password – but apparently this isn’t propagated to the IMAP or SMTP accounts I use for mail! A few days later, my old password continues to work on those.

    What a mess….

    • Worse than I thought. The new password hasn’t propagated to Yahoo *at all* – I can still log in with the old one and have access to everything about the account (other than changing the password – so I have a new, secure password that lets me change … itself.)

      Wonderful.

      — Jerry

  26. Just out of curiosity, can a bot belong to multiple botnets?
    And if so, where is the limit?

  27. > in some cases encrypted or unencrypted security questions and answers were stolen

    > Yahoo’s statement on this matter is confusing, and the company hasn’t responded yet to follow-up questions to clarify things.

    I hope you’ll press Yahoo for more information. Currently there’s no way for a user to find out whether their security questions and answers were stolen, nor what their security questions were.

  28. Should website owners be sued for leaking customers’ information? A recent law the Chinese government made is that all website owners need to secure their customers’ data, and for any leak the business might be sued.

  29. I have 1 tip for all those whose Yahoo accounts have been hacked. Move to Gmail. It’s far better in every area. I was with Yahoo for years; I have been with Gmail for about 6 months now and so far I love it!