Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.
On September 22, Yahoo warned that a security breach of its networks affected more than 500 million account holders. Today, the company said it uncovered a separate incident in which thieves stole data on more than a billion user accounts, and that the newly disclosed breach is separate from the incident disclosed in September.
(Update, Dec. 15, 2016: Yahoo users looking for more advice on what to do next should check out the Q&A just published here, My Yahoo Account Was Hacked! Now What?).
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”
The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
In addition, Lord said the attackers had worked out a way to forge “cookies” that Yahoo places on user computers when they log in. Authentication cookies are small text records that contain information about the user’s session with Yahoo. Cookies can carry a great deal of information about the user, such as whether the user has already authenticated to the company’s servers.
The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them access to targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.
Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.
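To make concrete why a forged cookie bypasses the password entirely, and what “invalidating the forged cookies” means on the server side, here is an added example (not Yahoo’s code or design; the key, user names and 14‑day lifetime are constructed for illustration). It contrasts a cookie that merely asserts “I am logged in” with one whose claim is bound to a server-held HMAC key, expires, and dies when the key is rotated:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real deployment keeps the key in
# a secret store and rotates it (assumption, not Yahoo's actual design).
SERVER_KEY = b"example-only-server-secret"
COOKIE_TTL = 14 * 24 * 3600  # reject cookies older than 14 days


def weak_cookie(user):
    """Cookie carrying an unauthenticated claim: anyone who knows the format
    can mint one for any user, with no password and no 2FA involved."""
    return base64.urlsafe_b64encode(f"user={user};auth=1".encode()).decode()


def weak_verify(cookie):
    """Server trusts the claim as-is: this is the forgeable design."""
    raw = base64.urlsafe_b64decode(cookie).decode()
    fields = dict(part.split("=", 1) for part in raw.split(";"))
    return fields.get("user") if fields.get("auth") == "1" else None


class SignedSessions:
    """Cookie = base64(payload) '.' hex(HMAC-SHA256(key, payload)).
    Without the key a client cannot sign a payload it did not receive; the
    issued-at time bounds the cookie's life; rotating the key voids all cookies."""

    def __init__(self, key, ttl=COOKIE_TTL):
        self.key = key
        self.ttl = ttl

    def _sig(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, user, now=None):
        now = int(time.time()) if now is None else now
        payload = json.dumps({"user": user, "iat": now}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sig(payload)

    def verify(self, cookie, now=None):
        now = int(time.time()) if now is None else now
        try:
            b64, sig = cookie.split(".", 1)
            payload = base64.urlsafe_b64decode(b64)
            claims = json.loads(payload)
            user, iat = claims["user"], int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None
        if not hmac.compare_digest(sig.encode(), self._sig(payload).encode()):
            return None  # payload altered, or signed without the server key
        if not 0 <= now - iat <= self.ttl:
            return None  # expired (or claims to be issued in the future)
        return user

    def rotate_key(self, new_key):
        """Emergency invalidation: every cookie signed under the old key fails."""
        self.key = new_key


def tampered_cookie(cookie, victim):
    """Negative test case: rewrite the user claim but keep the old signature.
    verify() must reject this, which is the whole point of the signature."""
    b64, sig = cookie.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64))
    claims["user"] = victim
    payload = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig
```

Note that a forged or stolen cookie still works until it expires or the key is rotated, which is why a server-side kill switch matters as much as the signature itself.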
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.
Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account. The company is asking users to review their accounts for suspicious activity, and to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks, but also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.
Most importantly, if you are reusing your Yahoo password anywhere else, now is a great time to change those passwords. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.
I guess Verizon ain’t spending much on their security after the purchase ehh?
Also Krebs, what’s a good app on iPhone to get notifications about your posts?
Use Feedly (free version). They have an app.
iPhone Email client works well. Just sign up to KoS posting notifications.
I very much recommend PushBullet. Available for all mobile platforms except windows I think.
Rob, regarding your comment on Verizon not spending much on security….Verizon has yet to complete the purchase of Yahoo plus if you look at the dates of the hacks they are well before Verizon expressed any interest in acquiring Yahoo.
So at this point Verizon has no say on how Yahoo runs its business; SEC regulations do not allow merging companies to influence how either company runs its business.
Although this database is not available yet, you can see if your credentials have been compromised from other large hacks at https://HEROIC.com
Tested with 3 accounts I’ve used. It was accurate to what I knew.
First! Enable 2FA, that will solve your problem.
Yahoo (to the best of my knowledge) only uses basic SMS 2FA. If you didn’t have your phone number on the account in 2013, that would work, but if you did, then attackers could just make a call to have the number changed to one they have and defeat it that way.
Yahoo has indeed fallen down on security in so many ways, I purged my archives and literally only keep mine around as a burner account these days.
In this case you’re actually wrong about 2-factor. When the back end system will allow a forged cookie, you’ve bypassed authentication altogether. In this case it wouldn’t have mattered because the cookie that your browser reports back with to the Yahoo servers would make the servers think you’d already authenticated (single or 2-factor). When the back end systems are broken, 2-factor might not save you at all, which appears to be the case here.
Okay. I’ll be the one to say it.
The most surprising thing is that as late as 2013, Yahoo even had a billion (or 1.5 billion) accounts to compromise in the first place.
I’m going to go change my Compuserve password, just in case.
That was my first thought too, but you’d be surprised how many people, against all advice suggesting they do otherwise, stick with what they’re used to.
If you use Flickr, you have a Yahoo account. Lots of photographers use Flickr, as it has the best sharing options.
“The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.”
…
“The company is asking users to review their accounts for suspicious activity, and to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”
Hmm
I came home to a nice email from Yahoo. Pleasant! One billion accounts sure is a lot.
Verizon would be smart not to continue the acquisition deal with Yahoo.
Curious as to what email sites you do recommend. Thanks for the info!
Protonmail – http://www.protonmail.com
Just switched to protonmail recently. So far, so good. No mail system is perfect, but these folks are better than most.
Yahoo wants your phone number so they can secure your account with 2 way authentication….oh yea let me send that right over to you. The level of idiocy here for Yahoo…is so profound words can’t describe it.
I have never heard of forged cookies; has this ever happened before? Is it a new threat?
Nope, it’s as old as cookies themselves (1990s). It’s as simple as identifying a static value for a login token and reproducing that cookie on your system and visiting the vulnerable site.
I am aware of what cookies are; just wasn’t aware that someone could re-code a copied cookie and make it work so that they could login like this without having to use multifactor authentication.
I actually saw this happening. My yahoo account was briefly taken over around that time and I assessed that it was a session cookie. In my case they used my account to send out spam.
I changed that password (regularly since then) plus every password for every account that was linked with that email address. (And switched a lot of them.) So, I’ve effectively migrated away from that account.
It would seem the derogatory expression “a bunch of Yahoos” is quite appropriate. Thank you, Jonathan Swift.
Let me guess, they are blaming it on a state sponsored attack by Russia? Everyone might as well blame everything on Russia, that way you can be let off the hook for your horrible security. Who uses Yahoo anymore anyone?
My father does…
Every time I login there I get an HTTPS signing warning from Chrome. Is this related?
no.
If you are using an old operating system (e.g. windows xp) that is no longer supported, you may get https warnings as the certificates are no longer updating.
Christ, how on earth can Yahoo have 1-billion user accounts’ data on hand unless they are hoarding every bit of old user-data all the way from the 1990’s when Yahoo was last relevant?
I’m going to bet most of them are via partnerships with ISPs who don’t want to maintain their own server infrastructure. AT&T, for instance, has people sign up with Yahoo for an email address as part of their broadband package, dating back to their aborted @Home venture if not earlier.
How many of those accounts are still active? Who knows. I suspect the only ones logging into most of them are a successive series of hackers who broke into the email accounts at some point before they were due to be expunged, starting the clock ticking all over again from 0. Then another breach, another reset. And so on. And so on.
Well, it’s certainly nice that Verizon started looking at Yahoo, otherwise Yahoo clearly never would have done the necessary due diligence to uncover these breaches.
Thanks Verizon… but are you still sure you want to buy them?
Verizon may wip up dat bad boy a new won yessir and get them panyhoes strayytened up alrite.
I know for a while there, SBCGlobal and AT&T both had ‘merge accounts’ with Yahoo, for their users to get email. I know that ‘merge’ relationship dissolved some time ago, but I wonder if some of the @att.net and @sbcglobal.net accounts are still being serviced on Yahoo servers, and therefore are part of the current bunch of compromised accounts.
I can confirm that sbcglobal.net email accounts use Yahoo mail. In fact, at the moment, you cannot change your password through yahoo.com. You are shunted off to AT&T to change your password, but the change does not propagate back to yahoo.com. My father has an sbcglobal.net email account and we have been trying for months to change the password but to no avail. This is not unique to his account.
Yahoo still handles AT&T mail. I believe they also handle the mail for other organizations. That probably helps account for the “billion” hacked.
Many of my customers still have bellsouth.net accounts, and those also go through Yahoo. Their accounts started getting hacked, and spoofed, in large numbers a few years ago. It was then, I suspected Yahoo had been breached.
Ok so what’s the smartest thing to do with my Yahoo! account? Close it at the risk of having someone reclaim my previous email address or keep it as a dead shell to rot on Yahoo! servers, leaving it potentially vulnerable for intrusion / cookie forging etc.?
Set it to forward to somewhere else, give it a long random password and change the answers to your “security questions” to something nonsensical. Record the password and answers.
After a year or so when everyone that matters had a chance to learn your new address log on and cancel the account.
Also consider combining an anonymizing service like Blur with a privacy email service like Cotse.
Something doesn’t seem right. Cookie forging merely tricks the server into believing that it is an authentic user. To get the hashed passwords, you have to be inside the server, which means the server itself was hacked. So this attack is something much more than just “cookie forging”.
They’re two separate attacks, Jim.
To even use ATT’s Internet-based services, their tech support told me customers are required/forced to maintain a yahoo email account…
The billion accounts doesn’t surprise me. I would guess at least 20%-30% are from spammers and scammers. I love the idea of scam accounts being hacked.
The really scary thing is that other big hacks like this also won’t be known for years, if ever. Or if a company learns about one, they won’t tell us.
How long before we are all begging to pay for access to a “safe” Internet?
This is old news for customers of BT, whose executives were aware but did nothing to alert their customers in March 2013. But the media still seems not to be interested in looking back at it.
https://community.bt.com/t5/Email/BT-email-accounts-hacked/td-p/796762/highlight/false
PS Hoping this gets through this time – I’ve just got an error message
429 Too Many Requests
Ok I realise this is going to sound really bad but as a stay at home mum of three, I’m embarrassed to say I have a Yahoo account. I didn’t realise about these security breaches until now, and the thought of changing over email makes me shudder. I am pretty naive when it comes to technology and so wouldn’t even have a clue where to start switching everything over. If there was some guidance somewhere on how I go about sensibly tackling this, and which email provider I should switch to, I’d be most grateful for it. I know people here have jested that Yahoo still has so many users but I imagine there must be a fair old number in the same boat as me! Any (helpful) advice welcome!
I have the same problem. Migrating away from an email account I have used for decades is a daunting task. I plan to approach it by simply migrating away one thing at a time. As I come across accounts that are linked to the email I will work on moving them over. Local gas bill, electric bill, and so on. I expect it will take a while, rather than doing it all at once. I’ll have to keep checking it from time to time to look for things I missed. As to which email service to move to, I’m still researching that. Who can say if some other provider won’t have the same problem, or go out of business?
Just depends on how much effort you want to go to.
Switching isn’t hard, it just takes a while. You have to log in to each account (bank, electric, Facebook, etc.) and go to your profile information, and click change email address (the steps vary at each company). I use Gmail myself, but with the full knowledge my stuff isn’t private from them.
For me personally, I use a password manager to make sure I have a unique password for every account. This way I only have to memorize the one password to get into the manager, and it stores all the rest encrypted. I can use this on my computer to auto fill in passwords, and it syncs to my phone too.
In addition, I use an email forwarder, spamgourmet.com so I can give out unique email addresses to everything I sign up for, then if I ever change email accounts again, I just change the forwarder destination.
So for instance, I might give out bb.somguy@spamgourmet.com to Best Buy, and I might give out boa.somguy@spamgourmet.com to Bank of America, and in each case it gets forwarded to somguyasdfzfv@gmail.com, but now I know who sold my email address or had their emails hacked.
I have over 1000 accounts in my password manager, all with unique emails and passwords.
So, an account is at least three things:
1. Inbound Connections
2. Outbound Connections
3. Received mail
The general outline to migrate is:
1. Create a new account elsewhere (I use Gmail)
2. Figure out every place where you log in using your yahoo email address
2a. Log in there
2b. Update your account address to your new address
2c. Change your password for that account
3. Notify your human friends about your new address
4. Migrate your contacts
4a. Export your contacts from yahoo
4b. Import them to your new provider
5. Migrate your mail
6. Set up mail forwarding from yahoo.
Before you start, I’d recommend that you pick a password manager. macOS includes KeyChain.app which works well enough. My primary requirement in a password manager is that it be able to generate passwords for me. You’re going to be setting hundreds of new passwords during your migration, and the worst things you can do are sharing passwords between sites and trying to pick or remember passwords yourself (humans are terrible at securely generating passwords, we tend to pick things people can look up or guess).
Steps 2/3 are the longest and most painful. You can start with your browser history, or search your mailbox for new account notifications. As a warning, don’t trust the links in the mail, they could be phishing attempts, instead use Google to get to the site’s main page…
Google will help with 4/5:
https://support.google.com/mail/answer/56283?hl=en
6: https://www.lifewire.com/forward-yahoo-mail-to-another-address-1174481
I have found it to be easier to just not use yahoo anymore. I haven’t logged into any account I had on their system in so many years. They can have it.
I would like to know however, what update I can possibly get, download, or install that would protect me from this?
September 500000 accounts, now one billion, any non-affected accounts left?
“‘We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,’ Lord said.” – this I doubt is true; I highly suspect that nation state hackers are not going to hack the bulk of accounts but be more precise and hack what they need
this statement with “state sponsored” stuff has become a classic PR sentence
Similar to some comments above – I would like some suggestions from group on 2 things:
– Which is safer email provider? Is Gmail better?
– How do I migrate all of my 1000s and 1000s of emails (some of which may be important) from yahoo account to another account? I hate to click and forward each one of them individually.
Any suggestions are welcome!
Thank you….Ramesh Sethi
See my reply above with steps. Google has migration support.
Is Google safer? Probably. Do you need to use 2FA to be safe? Absolutely. Is anything truly safe? Definitely not.
Security is roughly a function of the most vigilance and the weakest link.
For accounts, the weakest link can be:
Guessable passwords, recycled passwords,
Password resets,
2FA SMS where the SMS provider can be socially engineered to forward your SMS traffic,
Your computer (virus, malware),
Using http:// instead of https:// (especially over WiFi or in a coffee shop / library),
Backup accounts which are authorized for account recovery,…
Vigilance is partially the mail provider looking for attacks, and atypical login activity (Facebook and Google do this), it’s also choosing not to trust other corporate devices (Google treats its Intranet as untrustworthy as the Internet which somewhat mitigates against compromised devices on their network).
There’s an adage that with more eyeballs, all bugs are shallow…. it isn’t perfect, but roughly if your mail provider isn’t growing and innovating, it’s probably a security risk. The more people make changes and test and have value to attack, the more quickly they’ll identify problems and fix them.
“We have not been able to identify the intrusion associated with this theft.”
And, for some reason, “the Russians” can’t manage to do that, either. Sure. BTW, here’s the level of “sophistication” of the Podesta hack from the NYT:
—–
“Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the “change password” button.
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”
Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
—–
Sure, he typed “This is a legitimate email, John needs to change his password immediately” but his excuse is that he meant to type “illegitimate”, which makes no sense considering the rest of what he typed, and yet lapdog media makes no mention of this. And mom’s basement script kiddie phishing surely indicates a nation state actor to me, how about you?
In another description elsewhere, the content of the phishing email gave a warning that Podesta’s Gmail account had been hacked and specified the Ukraine as the source of the compromise. Why would they expect to get such custom treatment from Google? Google this:
The stealthy, Eric Schmidt-backed startup that’s working to put Hillary Clinton in the White House – Oct 9, 2015
Excerpt:
An under-the-radar startup funded by billionaire Eric Schmidt has become a major technology vendor for Hillary Clinton’s presidential campaign, underscoring the bonds between Silicon Valley and Democratic politics.
The Groundwork, according to Democratic campaign operatives and technologists, is part of efforts by Schmidt—the executive chairman of Google parent-company Alphabet—to ensure that Clinton has the engineering talent needed to win the election. And it is one of a series of quiet investments by Schmidt that recognize how modern political campaigns are run, with data analytics and digital outreach as vital ingredients that allow candidates to find, court, and turn out critical voter blocs.
I can’t believe a tech company as large as Yahoo is still hashing passwords using md5. It’s been known to be an insecure hashing algorithm for years.
What’s not to believe? We are still dealing with a ton of security issues all over the place that were a problem 15 years ago (like Flash).
Marissa Mayer during her reign as CEO at Yahoo fought with her security officials over any expenditures to beef up their InfoSec. Will this news have any impact on the $55 million golden parachute she’s getting after Verizon acquires Yahoo?