Yahoo Reveals Yet Another Giant Security Breach

MakeUseOf

By Dave Parrack

Published Dec 15, 2016

Another day, another Yahoo hack. This one dating back all the way to 2013. This particular security breach resulted in the user data of 1 billion Yahoo accounts being stolen.

Another day, another Yahoo hack. This one dating back all the way to 2013. This particular security breach resulted in the user data of 1 billion Yahoo accounts being stolen. Even if you don't want to read on any further, do yourself a favor and change your password. Now.

In August 2013, what Yahoo is calling an "unauthorized third party" stole the data associated with 1 billion Yahoo accounts. This included "names, email addresses, telephone numbers, dates of birth, hashed passwords [...] and, in some cases, encrypted or unencrypted security questions and answers".

Thankfully, the stolen data did not include "passwords stored in clear text, payment card data, or bank account information". However, the passwords stolen were only hashed using MD5, which was already easily crackable by the time this intrusion occurred.

What Yahoo and You Can Do Now

Yahoo has taken steps to secure the accounts affected and is notifying users. Unencrypted security questions and answers have been invalidated to prevent the hackers accessing affected accounts using this method.

All you can really do now is change your password to something more memorable on Yahoo and on any other sites where you use the same (or very similar) login credentials. The same applies to security questions and answers you have used on Yahoo and then replicated elsewhere.

Hackers Forged Cookies to Access Accounts

As well as admitting 1 billion users have had their user data stolen, Yahoo has also disclosed that an unauthorized third party "accessed our proprietary code to learn how to forge cookies". This allowed hackers to access Yahoo accounts without even needing a password.

The "outside forensic experts" Yahoo had investigating this have now identified the accounts affected, and any forged cookies have been invalidated. Interestingly, Yahoo claims the culprit is "the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016". That was this security breach, for those who have lost track.

Yahoo appears to have a serious problem with security, and that problem has obviously existed for several years. No wonder Verizon is reported to be considering its options with regards to its impending acquisition of Yahoo. Maybe a company with so many leaks isn't worth $4.8 billion.

Do you still have a Yahoo account? How do you feel knowing your user data may have been hijacked three years ago without you knowing? Are you getting sick of having to constantly change your Yahoo password? Please let us know in the comments below!