Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.

from the yes-all-of-it dept

Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it’s always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo’s email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it’s under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it’s much easier to just say, “Yahoo email was compromised.” As in: all of it.

In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company’s integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.

“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account,” Yahoo said Tuesday.

Also important to note is that the yahoos at Yahoo were only able to correctly inform the public as to the specific number of accounts breached in these attacks once the use of numbers no longer mattered. Tooting its own horn about the actions it took to protect “all accounts” when it didn’t even know that “all accounts” had indeed been compromised violates PR rule number 1: don’t request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all moving forward, given how laughably bungled this whole mess has been handled.

But the larger point harkens back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion bandaid-pulling is beyond me, but it sure seems to be the playbook.

Filed Under: , ,
Companies: yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: So the moral of the story is...

Not good enough.

If I hack your account and all of your messages are dutifully encrypted, then I STILL have access to all of the metadata. That’ll tell me who you’re communicating with, how often, and how much you have to say to each other. It may also reveal your geolocation, your mail client/web browser, your work/sleep patterns, and other useful information. And it certainly gives me enough data to start phishing you, particularly if you use a web browser as your mail client.

By the way: NEVER use a web browser as your mail client. If you do, you’ll make my task far easier and quicker, because webmail is an anti-security pattern.

So yes, encryption on the wire is good, and encryption in messages is good, and no, you should not blithely presume that if you have both that you’re safe. You’re not.

Anonymous Coward says:

Abandon Ship

I have had a Yahoo email account since around the early 2000s and was loathe to switch just because everything went through that and it was a bit nostalgic. When the breach was first disclosed last year I immediately bought my own domain name, signed up for a single Microsoft Office 365 E3 subscription and transferred all my email to that. Haven’t looked back since.

At $25 a month I get my own custom email, encrypted cloud storage, a full Office suite and a ton of features I will likely never use but are there if I need them.

Anonymous Coward says:

Re: Re: Re: Abandon Ship

Unless you want to roll your own private email server and try to maintain it, or use something like tutanota or protonmail, but those are a bit of a pain to use and lack features.

I’m willing to accept the risk with Microsoft, especially since the way their Enterprise tenants are structured you own all the services/data you put on there. Microsoft has policies and technical limitations in place that prevent them from accessing your data without your permission. Especially the OneDrive encrypted storage. That was a big selling point for me when I found that out.

Anonymous Coward says:

Re: Re: Re:3 Abandon Ship

It’s not an excess of faith, it’s a risk assessment. As I said, I’m willing to accept the risk. I won’t live my life afraid of using technology because it might be compromised. If I did I would have to give up all internet access and computer technology because if you’re online your data is likely compromised because you’ve likely used a service that has been compromised. And Windows has something like 80%+ of global OS market share. If the NSA is using Microsoft for spying then 80% of computer users are being spied on already.

I do my research and make sure I’m aware of the risks before I use something new and take as many feasible precautions as possible.

Anonymous Coward says:

Re: Re: Re:5 Abandon Ship

Sorry if I wasn’t clear. I don’t value market share more, I’m just pointing out that if your assumption is correct and the NSA is using Microsoft software and services for spying, the fact that Microsoft happens to have a large market share means that whether people use their Office 365 services or not, they are probably still being spied on because most everyone uses Windows as their OS.

And before we get into the “well just use a different OS” debate, no that is not always a viable option. I’m an avid PC gamer and linux and wine just don’t work well enough to support that.

Anonymous Coward says:

Re: Re: Re:3 Abandon Ship

Which, if true, makes all of the above completely moot. The only way to make sure you aren’t being spied on is to do absolutely nothing online. Which in today’s world is virtually, if not literally, impossible. So whether I use Microsoft, Yahoo, AOL, tutanota, lavasoft, protonmail, or any other service, it’s all compromised and makes no difference which service I choose.

Anonymous Coward says:


We saw it with Equifax.

Anonymous Coward says:

Re: Re: Equifax

They have just been hired in a no bid contract to do identity verification by the IRS

For the record (and in case anyone here hasn’t seen it), yesterday’s widely reported story—

IRS awards multimillion-dollar fraud-prevention contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 3, 2017

I don’t believe Politico was mentioned by name in this morning’s committee hearing. Rather, iirc, there was just a generic mention of “news” there. But this Politico story has been widely cited elsewhere, including in David Kravet’s story yesterday at Ars Technica.

That One Guy (profile) says:

Re: Re: Re: A matter of experience

Well, I mean it’s suggested that you use one thief(ideally a former one) in order to catch other thieves because they know the tricks, perhaps the IRS figures that a company that failed spectacularly in their security and which hid this fact as long as they could knows all about securing your personal data and informing you when it’s been violated.

Surely they’ll have learned their lesson and will do better this time, right?

Anonymous Coward says:

Re: Re: Re:2 A matter of experience

… perhaps the IRS figures…

See North Dakota Senator Heidi Heitkamp’s remarks, beginning roughly about 1:47:00 in the C-SPAN video (note this hyperlink doesn’t advance all the way to 1:47:00).

Adapted from the closed-caption transcript:

Sen Heitkamp:  . . . We found out today that the IRS has been forced to continue your contract by your protest. That’s why that contract was continued. . . .

Anonymous Coward says:

Re: Re: Re:2 A matter of experience

… perhaps the IRS figures…

Googling around…

IRS: New Equifax contract a stopgap as we switch vendors”, by Joe Uchill, The Hill, Oct 4, 2017

 . . . That contract raised eyebrows at a House Ways and Means Committee hearing about IRS information technology infrastructure held on Wednesday. . . 

Jeffrey Tribiano, IRS deputy commissioner for operations support, testified that the contract was to continue the electronic authentication service Equifax had already been providing as the agency attempted to move that contract to a new vendor.

In July, after the IRS decided to replace Equifax with another company’s successful bid, Equifax challenged the procurement. . . .

I still have the second panel in this afternoon’s Senate Judiciary subcommittee hearing queued up. Probably won’t get around any time soon to watching today’s House Ways and Means Committee’s Oversight Subcommittee “Hearing on the Internal Revenue Service’s Information Technology Modernization Efforts ” (Oct 4, 2017).

That One Guy (profile) says:

Re: Re: Re:3 A matter of experience

Well, I suppose it’s to the IRS’s credit then that the contract was basically forced on them and they’re trying to switch to another company, a process that will hopefully be much easier after the gigantic freakin’ hack of Equifax and their… ‘relaxed’ response to reporting it.

Anonymous Coward says:

Re: Re: Re:4 A matter of experience

I suppose it’s to the IRS’s credit then that the contract was basically forced on them . . .

GAO: IRS did not have to award $7.25M contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 5, 2017

The Government Accountability Office on Thursday disputed the idea that the IRS had no choice but to award a $7.25 million, no-bid contract to Equifax, undercutting the agency’s primary defense of its decision. . . .

Anonymous Coward says:

Re: Re: Equifax

C-SPAN link for this morning’s House Financial Services Committee hearing.

That C-SPAN video seems to end early — before the hearing resumes after the second recess.

Right now, I’m watching the rest of the hearing via YouTube. Currently, that YouTube video is embedded on the House Financial Services Committee homepage. I’m slightly surprised that video isn’t currently embedded on the committee’s hearing webpage.

Anonymous Coward says:

Wonderful. Also totally expected. I was always pretty sure that Yahoo wasn’t telling the whole story, and that they’d lost it all.

Also pretty sure that most of the e’mail they’d have seen was likely about 95% marketing and other spam making the privacy considerations close to nil. The real haul was all the reused passwords on other accounts which are entirely the user’s own fault.

That Anonymous Coward (profile) says:

I had a handful of yahoo accounts… over half got the notification that the nation state hacker had gotten into them.

Once I heard about the culture that was cultivated & the outright working around the security team I couldn’t leave them behind fast enough.

People thought I was silly to purge them all & shut them down. Given how bad the hack had been & how long it took them to fess up, I suspected it was way worse.

We can no longer trust any reported numbers involving hacks offered up by those who were compromised, they always lie & undersell the extent. They failed at the most basic levels & still want to make it look like it was no big deal.

There are plenty of alternatives out there, it only took me about 10 minutes to figure out which accounts secured other accounts as backups & then invent replacements.

The really horrible thing is, even generating a password that would take years to crack is pointless when encrypting the data isn’t done or uses the cheapest fastest way.

Ninja (profile) says:

I’m kind of thorn on how much of a data breach is a problem considering even companies with the best security practices out there can still fall victim to an unsuspecting employee inserting a heavily contaminated usb stick. That said, breaches that bad and comprehensive (Yahoo, Equifax) should immediately spell the end of the company. Either by people flocking out or via government shutting it down for good. Yahoo is walking fast towards the end but Equifax got awarded new no-bid contracts worth millions by the govt.. So, yea, expect your data to be violated ad nauseam forever and nobody moving to fix it.

McGyver (profile) says:

Neither shocked nor dismayed... A bit gassy though.

I say we all go back to good old fashioned ink on paper snail mail…
At least when the government spied on you back then, the agent had to physically get your mail and sort through it…
That was exercise and that probably saved taxpayers millions in unnecessary health problems for these poor and probably now fat agents…
And you didn’t have criminals in Eastern Europe and Russia stealing your mail…
Unless that’s where you were sending it…
Come on folks… Who’s with me on this?…
Megh… Figures… Techy crowd…
Oh well…
But seriously… Is anybody surprised anymore?
I think we need to just start reporting on companies that haven’t been hacked in X number of days…
Maybe come up with an award… The “NoHacky”… Eh?
Well, I’m getting back to working on the future of mail… A cybernetic carrier pigeon drone with Siri technology, that you scream the subject of your letter at and then send it on it’s way… When or if it arrives it delivers the message using a form of primitive interpretive dance.
So far I’ve managed to duct tape a bunch of pigeons to drones… Next step is teaching them to dance…
Don’t be dismissive… The Internet sounded stupid when it was new and look how long it’s taken to become this stupid.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...