Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.
from the yes-all-of-it dept
Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Initial reports put the number of accounts compromised in the hacks of Yahoo's email platform in the hundreds of thousands. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.
The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it's under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it's much easier to just say, "Yahoo email was compromised." As in: all of it.
In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.
"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account," Yahoo said Tuesday.
Also important to note is that the yahoos at Yahoo were only able to correctly inform the public of the specific number of accounts breached in these attacks once the number no longer mattered. Tooting its own horn about the actions it took to protect "all accounts" when it didn't even know that "all accounts" had indeed been compromised violates PR rule number 1: don't request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all moving forward, given how laughably this whole mess has been handled.
But the larger point harks back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion band-aid-pulling is beyond me, but it sure seems to be the playbook.
Filed Under: disclosure, email, hack
Companies: yahoo
Reader Comments
So the moral of the story is...
If you're not using end-to-end encryption, then your trans-net communication details will become public.
As will your cheesecake photos because fappening.
Re: So the moral of the story is...
If I hack your account and all of your messages are dutifully encrypted, then I STILL have access to all of the metadata. That'll tell me who you're communicating with, how often, and how much you have to say to each other. It may also reveal your geolocation, your mail client/web browser, your work/sleep patterns, and other useful information. And it certainly gives me enough data to start phishing you, particularly if you use a web browser as your mail client.
By the way: NEVER use a web browser as your mail client. If you do, you'll make my task far easier and quicker, because webmail is an anti-security pattern.
So yes, encryption on the wire is good, and encryption in messages is good, and no, you should not blithely presume that if you have both that you're safe. You're not.
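The metadata the comment above describes can be enumerated mechanically. The following is an added example, not code from the commenter or from Techdirt: it parses constructed PGP/MIME-encrypted messages with Python's standard `email` package and reports what a mailbox holder can still read (correspondents, sender-local hour, client string, relay IPs), then aggregates across a small constructed mailbox the way a privacy review of an account would. All addresses, IPs and dates are constructed; `build_sample`, `exposed_metadata` and `mailbox_profile` are names chosen for this example.

```python
"""Audit what an end-to-end-encrypted e-mail still exposes via its headers.

Added example (not the commenter's code). Bodies are PGP/MIME encrypted and
treated as opaque; everything reported comes from headers alone. All sample
messages are constructed.
"""
import re
from collections import Counter
from email import message_from_string
from email.policy import default

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample(to, cc, date, hop_ip):
    """Construct a PGP/MIME-encrypted message (constructed test data)."""
    return (
        "From: Alice <alice@example.org>\n"
        f"To: {to}\n"
        + (f"Cc: {cc}\n" if cc else "")
        + "Subject: Q3 numbers\n"
        f"Date: {date}\n"
        "Message-ID: <a1@example.org>\n"
        "User-Agent: Thunderbird/52.3.0\n"
        "Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net\n"
        f"Received: from [{hop_ip}] (helo=laptop.local) by mx.example.net\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
        "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "--b1\nContent-Type: application/octet-stream\n\n"
        "-----BEGIN PGP MESSAGE-----\n(ciphertext placeholder)\n-----END PGP MESSAGE-----\n"
        "--b1--\n"
    )


SAMPLE_MAILBOX = [  # constructed: three sent messages from one account
    build_sample("Bob <bob@example.net>", "Carol <carol@example.com>",
                 "Tue, 03 Oct 2017 22:41:10 -0500", "203.0.113.7"),
    build_sample("Bob <bob@example.net>", None,
                 "Wed, 04 Oct 2017 23:05:00 -0500", "203.0.113.7"),
    build_sample("Dave <dave@example.com>", None,
                 "Thu, 05 Oct 2017 09:15:00 -0500", "198.51.100.4"),
]


def _addresses(msg, header):
    """Lower-cased addr-specs from an address header, or [] if absent."""
    hdr = msg[header]
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr is not None else []


def exposed_metadata(raw):
    """Summarise the header-level metadata of one message.

    Only a multipart/encrypted body counts as unreadable; the rest of the
    record is what remains visible regardless of body encryption.
    """
    msg = message_from_string(raw, policy=default)
    relay_ips = []
    for received in msg.get_all("Received", []):
        for ip in IPV4.findall(str(received)):
            if ip not in relay_ips:          # keep hop order, drop repeats
                relay_ips.append(ip)
    date = msg["Date"]
    return {
        "sender": (_addresses(msg, "From") or [None])[0],
        "correspondents": _addresses(msg, "To") + _addresses(msg, "Cc"),
        "subject": msg["Subject"],
        "hour_local": date.datetime.hour if date is not None and date.datetime else None,
        "client": msg.get("User-Agent") or msg.get("X-Mailer"),
        "relay_ips": relay_ips,
        "body_readable": msg.get_content_type() != "multipart/encrypted",
    }


def mailbox_profile(raw_messages):
    """Aggregate over a mailbox: who is written to how often, when, with what."""
    contacts, hours, clients = Counter(), Counter(), Counter()
    for raw in raw_messages:
        meta = exposed_metadata(raw)
        contacts.update(meta["correspondents"])
        if meta["hour_local"] is not None:
            hours[meta["hour_local"]] += 1
        if meta["client"]:
            clients[str(meta["client"])] += 1
    return {"contacts": contacts, "hours": hours, "clients": clients}


if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        print(exposed_metadata(raw))
    print(mailbox_profile(SAMPLE_MAILBOX))
```

Run as a script it prints one record per message and the aggregate; the `body_readable` flag is `False` for every sample, yet contacts, hours, client version and the originating IP of the last hop are all recovered, which is the point the comment makes about encrypted messages in a compromised mailbox.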
Abandon Ship
At $25 a month I get my own custom email, encrypted cloud storage, a full Office suite and a ton of features I will likely never use but are there if I need them.
Re: Abandon Ship
Re: Re: Abandon Ship
Re: Re: Re: Abandon Ship
I'm willing to accept the risk with Microsoft, especially since the way their Enterprise tenants are structured you own all the services/data you put on there. Microsoft has policies and technical limitations in place that prevent them from accessing your data without your permission. Especially the OneDrive encrypted storage. That was a big selling point for me when I found that out.
Re: Re: Re: Re: Abandon Ship
Re: Re: Re: Re: Re: Abandon Ship
I do my research and make sure I'm aware of the risks before I use something new and take as many feasible precautions as possible.
Re: Re: Re: Re: Re: Re: Abandon Ship
To each his own, I suppose.
Re: Re: Re: Re: Re: Re: Re: Abandon Ship
And before we get into the "well just use a different OS" debate, no that is not always a viable option. I'm an avid PC gamer and Linux and Wine just don't work well enough to support that.
Re: Re: Re: Re: Abandon Ship
If you communicate online, they can get at it.
Re: Re: Re: Re: Re: Abandon Ship
Re: Re: Re: Re: Abandon Ship
Re: Re: Re: Re: Re: Abandon Ship
Re: Abandon Ship
Re: Re: Abandon Ship
This isn't their hotmail service I signed up for, it's the full enterprise grade service complete with my own Exchange tenant in the cloud.
Re: Abandon Ship
Re: Re: Abandon Ship
Re: Re: Re: Abandon Ship
On the plus side:
Thanks 26, NSA, GS, and Poindexter and DARPA
Equifax
House Energy and Commerce Committee: Digital Commerce and Consumer Protection Subcommittee hearing, “Oversight of the Equifax Data Breach: Answers for Consumers” (also on C-SPAN), yesterday, Oct 3, 2017
Senate Banking, Housing and Urban Affairs full committee hearing, “An Examination of the Equifax Cybersecurity Breach” (also on C-SPAN), today, Oct 4, 2017 (morning)
Senate Judiciary Committee: Privacy, Technology and the Law Subcommittee hearing, “Equifax: Continuing to Monitor Data-Broker Cybersecurity”, today, Oct 4, 2017 (afternoon)
Re: Equifax
Bigly!, WINNING!
Re: Re: Equifax
In this morning's hearing before the Senate Banking Committee, I believe Nebraska's Senator Ben Sasse was the first to have questions about this news item.
He was not the only one.
Re: Re: Equifax
For the record (and in case anyone here hasn't seen it), yesterday's widely reported story—
“IRS awards multimillion-dollar fraud-prevention contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 3, 2017
I don't believe Politico was mentioned by name in this morning's committee hearing. Rather, iirc, there was just a generic mention of “news” there. But this Politico story has been widely cited elsewhere, including in David Kravets's story yesterday at Ars Technica.
A matter of experience
Well, I mean it's suggested that you use one thief (ideally a former one) in order to catch other thieves because they know the tricks, perhaps the IRS figures that a company that failed spectacularly in their security and which hid this fact as long as they could knows all about securing your personal data and informing you when it's been violated.
Surely they'll have learned their lesson and will do better this time, right?
Re: A matter of experience
See North Dakota Senator Heidi Heitkamp's remarks, beginning roughly about 1:47:00 in the C-SPAN video (note this hyperlink doesn't advance all the way to 1:47:00).
Adapted from the closed-caption transcript:
Re: A matter of experience
Googling around…
“IRS: New Equifax contract a stopgap as we switch vendors”, by Joe Uchill, The Hill, Oct 4, 2017
I still have the second panel in this afternoon's Senate Judiciary subcommittee hearing queued up. Probably won't get around any time soon to watching today's House Ways and Means Committee's Oversight Subcommittee “Hearing on the Internal Revenue Service’s Information Technology Modernization Efforts” (Oct 4, 2017).
Re: Re: A matter of experience
Well, I suppose it's to the IRS's credit then that the contract was basically forced on them and they're trying to switch to another company, a process that will hopefully be much easier after the gigantic freakin' hack of Equifax and their... 'relaxed' response to reporting it.
Re: Re: Re: A matter of experience
“GAO: IRS did not have to award $7.25M contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 5, 2017
Re: Equifax
C-SPAN link for this morning's House Financial Services Committee hearing.
Re: Re: Equifax
That C-SPAN video seems to end early — before the hearing resumes after the second recess.
Right now, I'm watching the rest of the hearing via YouTube. Currently, that YouTube video is embedded on the House Financial Services Committee homepage. I'm slightly surprised that video isn't currently embedded on the committee's hearing webpage.
Never trust a yesterday company to host a service that you can host yourself.
If they knew
Yahoo's email service is dead or at least should be because of that breach and they don't have that much more than that.
Imo bad move on Verizon's side.
Also pretty sure that most of the email they'd have seen was likely about 95% marketing and other spam making the privacy considerations close to nil. The real haul was all the reused passwords on other accounts which are entirely the user's own fault.
Once I heard about the culture that was cultivated & the outright working around the security team I couldn't leave them behind fast enough.
People thought I was silly to purge them all & shut them down. Given how bad the hack had been & how long it took them to fess up, I suspected it was way worse.
We can no longer trust any reported numbers involving hacks offered up by those who were compromised, they always lie & undersell the extent. They failed at the most basic levels & still want to make it look like it was no big deal.
There are plenty of alternatives out there, it only took me about 10 minutes to figure out which accounts secured other accounts as backups & then invent replacements.
The really horrible thing is, even generating a password that would take years to crack is pointless when encrypting the data isn't done or uses the cheapest fastest way.
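The comment above makes the point that a strong password is wasted on a store that hashes it "the cheapest fastest way". The following is an added example, not code from the commenter or from Techdirt, and it says nothing about what Yahoo actually used: it puts an unsalted single-pass MD5 record beside a per-user-salted, iterated PBKDF2-HMAC-SHA256 record from Python's standard library, verifies with a constant-time compare, and runs the one check a defender can apply to a dumped table without knowing any password: whether distinct users share a digest. Usernames, passwords and the function names (`weak_record`, `strong_record`, `verify`, `shared_digests`, `build_sample_db`) are constructed for this example.

```python
"""Cheap-and-fast password storage beside a salted, slow scheme.

Added example (not from the commenter). The weak scheme hashes every
password once with unsalted MD5, so equal passwords give equal digests and
one precomputed table covers the whole database. The strong scheme stores a
random per-user salt, an iteration count and a PBKDF2-HMAC-SHA256 digest, so
every record must be attacked separately and each guess costs many hashes.
Users and passwords below are constructed.
"""
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000   # cost knob; raise it as hardware gets faster

# constructed users; two of them chose the same password on purpose
CONSTRUCTED_USERS = {"ann": "correct horse", "bo": "correct horse", "cy": "hunter2"}


def weak_record(password):
    """Unsalted single MD5: same password -> same digest for every user."""
    return {"scheme": "md5", "digest": hashlib.md5(password.encode()).hexdigest()}


def strong_record(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Per-user salt plus iterated KDF; the record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "digest": digest.hex()}


def verify(record, password):
    """Recompute under the record's stored parameters; compare in constant time."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(record["salt"]),
                                        record["iterations"]).hex()
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    return hmac.compare_digest(candidate, record["digest"])


def shared_digests(records):
    """Digests held by more than one user: any hit means no per-user salt."""
    counts = Counter(r["digest"] for r in records)
    return {digest: n for digest, n in counts.items() if n > 1}


def build_sample_db(record_fn=strong_record):
    """Build a {user: record} table for the constructed users."""
    return {user: record_fn(pw) for user, pw in CONSTRUCTED_USERS.items()}


if __name__ == "__main__":
    weak_db = build_sample_db(weak_record)
    strong_db = build_sample_db()
    print("weak store, shared digests:", shared_digests(weak_db.values()))
    print("strong store, shared digests:", shared_digests(strong_db.values()))
    print("verify ann:", verify(strong_db["ann"], "correct horse"))
```

The `shared_digests` check is what an incident responder runs first on a leaked table: with the weak scheme it immediately reveals that `ann` and `bo` share a password, and that every future user with that password will hash to the same value; with the salted scheme it returns nothing, because the salt makes every record unique even when passwords repeat.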
so the difference is?
vs.
"Your data can be shared with any of our 3rd party associated companies."
"why anyone should have a Yahoo email account"
I *hate* the neo interface but the inertia behind these groups is regrettably too much to force a change to a different platform.
Neither shocked nor dismayed... A bit gassy though.
At least when the government spied on you back then, the agent had to physically get your mail and sort through it...
That was exercise and that probably saved taxpayers millions in unnecessary health problems for these poor and probably now fat agents...
And you didn't have criminals in Eastern Europe and Russia stealing your mail...
Unless that's where you were sending it...
Come on folks... Who's with me on this?...
Nobody?
Megh... Figures... Techy crowd...
Oh well...
But seriously... Is anybody surprised anymore?
I think we need to just start reporting on companies that haven't been hacked in X number of days...
Maybe come up with an award... The "NoHacky"... Eh?
Well, I'm getting back to working on the future of mail... A cybernetic carrier pigeon drone with Siri technology, that you scream the subject of your letter at and then send it on its way... When or if it arrives it delivers the message using a form of primitive interpretive dance.
So far I've managed to duct tape a bunch of pigeons to drones... Next step is teaching them to dance...
Don't be dismissive... The Internet sounded stupid when it was new and look how long it's taken to become this stupid.