81 thoughts on “Yahoo: One Billion More Accounts Hacked

    1. Hai Phan

      The real question is who are the lazy software developers working at Yahoo, a company that has made zer0 innovations in the last decade. At one point they dominated the messenger business, and they couldn’t make anything out of it, the software remained slow, buggy, user-unfriendly. All these developers not only need to be fired, they need to change their professions all together. They got no business in the technology industry.

  1. CW

    While changing my Yahoo mail password (yes, I still have a Yahoo mail account, although with all traffic forwarded elsewhere), I got this Yahoo error:

    “Your password is too similar to the one you’ve used previously”

    (And no, it wasn’t a “Enter old password/Enter new password” change form: only the new password was requested)

    How does Yahoo know the relationship between old and new passwords, unless Yahoo has saved my password somewhere in some reversible, non-hashed way? Buried in the Yahoo cookie on my PC? Living on the Yahoo servers?

    1. Lisa H

      The typical way this is done, is by comparing the MD5 of the password hash. The MD5 hash of your passwords are stored. When you type in a new password, the system hashes it, compares it to the last N number of passwords stored. If the hashes match, it is the same.

      1. EstherD

        True as far as password REUSE is concerned.

        But comparing hashes won’t get you anywhere as far as password SIMILARITY is concerned, which according to the OP is what the message said:

        “Your password is too SIMILAR to the one you’ve used previously” [emphasis added]

        Even a SINGLE character change in a password should result in a TOTALLY DIFFERENT hash. Because that is what hashes are SUPPOSED to do… generate a VERY DIFFERENT result even for VERY SIMILAR inputs. Otherwise, you risk a hash collision, which is BAD NEWS in this (and other) contexts.

        More likely they’re doing some kind of browser-side checking against a retained copy of the plaintext password that was entered at the most-recent login.

      2. Mike

        “Same”… An MD5 isn’t a couple characters off if you use a capital P in your password instead of a lower case p. The entire hash is different. So again, how do they know?

        1. Adrian

          How about this: they set up a scenario of “similar” passwords for any user given password. Like “every character is uppercase”, “add 1-9 at the end”, “reverse password”
          And then store the hashed variants for these “similar” passwords, maybe 10-20 of them
          I really hope that their security guy is against storing plain text in the users database (and yahoo admited that the hashed passwords were stolen)

    2. timeless

      Remember that hashing isn’t particularly expensive.

      Let’s say your old password was “1234c”.
      Let’s say they only store a hash for that.

      Let’s say you offer “1234f” as your replacement password. At this time, they have the replacement plaintext. They can hash a thousand variations of it:
      “f4321”, “1234a”..”1234z”, .. if any of these match the hash, then your password is too similar.

      “Too similar” has a programmatic definition, and checking it is just applying all such variations to the input and hashing.

  2. Chip Douglas

    My understanding is that AT&T uses Yahoo to process their email. Does anyone know if that is also affected?

    1. timeless

      Companies rarely invent distinct security systems for alternative brandings of a product. So, I’d assume that they were technically vulnerable too. Whether attackers knew / bothered to target them is a different story.

      Assume you were impacted.

    2. Richard Steven Hack

      I believe AT&T is attempting to migrate their subscribers off Yahoo to their own servers. However, getting off Yahoo appears to be a bit complicated for the average user who wants to keep his AT&T account but dump Yahoo. Users should contact AT&T support on that.

      I have a client who is an AT&T subscriber who I’ve advised to migrate off Yahoo to Gmail. He has issues with his Yahoo email returning daemon messages. I’ve advised him to contact Yahoo to resolve that issue and forward all his Yahoo mail to Gmail and also install an autoresponder to refer all his email sources to the Gmail account until he can close the Yahoo account.

  3. PNWreader

    Is there any way to determine whether any given website might be hosted on a Yahoo-related platform? e.g., if one looked at the “developer tools” in the browser, could the network path back to source host be revealed?

  4. William Smith

    Last time I checked (3 weeks ago), Yahoo is no longer supporting security questions and prompts you to delete them.

    Delete security questions from your account

    Remove security questions as recovery info on your account by deleting them from your Account Information page. Instead, add an email address or phone number to verify and secure your account.

    ! Can’t create new or edit exisiting questions – Your only option is to disable your current security questions. Once you’ve done this, you will not be able to view or create new questions.

    Go to your Yahoo Account Settings.

    Click Account security.

    Click Disable security questions.

    – You’ll be brought to a new page with your security questions.

    Click “Yes, secure my account.”

    Click Continue.

  5. Mark Goodge

    “Not been able to identify the intrusion associated with this theft” surely suggests the door is still wide open?

  6. IA Eng

    Looks like some other news feeds suggest that any proprietary code may have assisted in the forgery of Yahoo cookies:

    The hackers used “forged ‘cookies’” – bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit, wrote Yahoo’s chief information security officer, Bob Lord. The cookies “could allow an intruder to access users’ accounts without a password” by misidentifying anyone using them as the owner of an email account. The breach may be related to theft of Yahoo’s proprietary code, Lord said.

  7. LAWRENCE MCDONALD

    On my iMac a notification says Yahoo password is needed in your internet accounts section. I have one for yahoo home page, but I never requested Yahoo mail address. So I will not enter it. Does anyone know if this notification is coming from Apple? Yahoo? or The bad guys? I recently downloaded Firefox. Could the Fox be asking for it? Does Firefox want us to use yahoo mail? (which I will not do} I only use my comcast email address.

  8. darius moon

    I would love to see an article/blog that details exactly how to migrate all yahoo messages and confidently remove all content from the mailbox.

  9. Dr. Jim

    Yahoo is the email platform used by many state and local governments. This hack could be potentially disastrous for their operations. So much for cost effective over more secure.

  10. yonkata

    Everything is about money. I will explain it this way. Nobody really cares for efficiency. Important is how much you spend and what statistics are pulled out each month/year. No one really cares for the actual prise of the information received.
    And now what, we spend/make billions for spying. We are the best. Everyone is using services from our network and for these billions now we own the net. Really?
    And sometimes, somewhere on the globe, appears and idiot to say or make something wrong. These actions require some reaction in order to remind this man, in what kind of position he really is. Which is hard when dealing with stupid people, no matter how much money or power they think they have.
    And in this small game someone sent a message like: Your billions don’t count. You alway were and will be more steps behind. Just don’t mess with our affairs or at least play fair.
    The same rules apply everywhere, all the media, no exceptions. Media is used like sms, peoples mind really does not matter at all after elections.

  11. Winston

    I just discovered this Yahoo feature due to this hack hysteria. I don’t believe I have a Yahoo Plus email account whatever that is (the tutorial excerpted below is from a non-yahoo site with no date stamp, so it could be old) just a standard account, and yet this very handy sounding option seems to be available.

    Do any other email providers offer this?:

    How to Create Disposable Emails on Yahoo!

    Time spent deleting and wrangling junk mail can cut into your productivity and even bottom line. That’s where a disposable email address comes in handy. When you download trial software or sign up for an online offer, websites ask you for an email address, which they may share with other companies or flood with junk. If you have a Yahoo Mail Plus account, you can create up to 500 disposable email addresses that you can use without having to worry about giving out your primary addresses. Messages to disposable addresses are color coded and can be delivered to folders you specify, making it easier to identify and delete them.

  12. Dennis Kavanaugh

    Here’s a disturbing anecdote regarding AT&T Yahoo accounts. Not sure if all AT&T domains are impacted, but my ancient Prodigy.net account is one of the original AT&T accounts, and I recently received an email from Yahoo informing me of the breach and requesting I change my password immediately. In my case there is a primary Prodigy account, and four sub email accounts, so I need to change five in all.

    So I proceed to click the link, request a password reset, get asked a security question or two, then am informed I cannot change my password online and am directed to call AT&T. After calling them and getting wound up in their call tree, a human comes on and ultimately informs me that she will need the last three digits of my AT&T billing account number in order to pass the required security validation. Only one problem: I don’t have that AT&T account anymore as I have moved five times since creating this account and am out of the AT&T service area. I do have an AT&T wireless account that I have maintained throughout this period, but that isn’t recognized by these people.

    I request an escalation, get a callback two days later and they ask the same questions and tell me they need those three digits, and that’s that. They didn’t want to hear that I don’t have the account, it was paperless when I did have it (they asked me to call them back when I had located a copy of the bill from five or so years ago), and said they were the last path of escalation. With smoke coming out of my ears I hung up and asked my wife to help me charm them into submission. About two hours later she had reached someone who was willing to get some technical folks involved and change my passwords.

    So, for the final scene, I test my new passwords using the web interface, then the POP interface I use on my smartphone. Surprise!!! The password on my POP account hasn’t changed, but the web interface has. Same email account, different protocol. Go figure.

    I have no clue how things are cobbled together on the back end of this Yahoo/AT&T system, but it is pretty bad when you cannot change your password without about 4 hours on the phone and two escalations, then only get half of your account changed. I am starting to understand why breaches occur: no one has a clue how things work, so they can’t begin to establish any meaningful risk level.

Comments are closed.