Failures

by Timothy Geigner


Filed Under:
disclosure, email, hack

Companies:
yahoo



Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.

from the yes-all-of-it dept

Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo's email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it's under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it's much easier to just say, "Yahoo email was compromised." As in: all of it.

In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.

"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account," Yahoo said Tuesday.

Also important to note is that the yahoos at Yahoo were only able to correctly inform the public of the specific number of accounts breached in these attacks once the number no longer mattered. Tooting its own horn about the actions it took to protect "all accounts" when it didn't even know that "all accounts" had indeed been compromised violates PR rule number 1: don't request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all going forward, given how laughably this whole mess has been handled.

But the larger point harkens back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion bandaid-pulling is beyond me, but it sure seems to be the playbook.


Reader Comments



  • Uriel-238 (profile), 4 Oct 2017 @ 1:29pm

    So the moral of the story is...

    If you're not using end-to-end encryption, then your trans-net communication details will become public.

    As will your cheesecake photos because fappening.


    • Anonymous Coward, 4 Oct 2017 @ 2:28pm

      Re: So the moral of the story is...

      Not good enough.

      If I hack your account and all of your messages are dutifully encrypted, then I STILL have access to all of the metadata. That'll tell me who you're communicating with, how often, and how much you have to say to each other. It may also reveal your geolocation, your mail client/web browser, your work/sleep patterns, and other useful information. And it certainly gives me enough data to start phishing you, particularly if you use a web browser as your mail client.

      By the way: NEVER use a web browser as your mail client. If you do, you'll make my task far easier and quicker, because webmail is an anti-security pattern.

      So yes, encryption on the wire is good, and encryption in messages is good, and no, you should not blithely presume that if you have both that you're safe. You're not.


  • Anonymous Coward, 4 Oct 2017 @ 1:30pm

    Abandon Ship

    I have had a Yahoo email account since around the early 2000s and was loath to switch just because everything went through that and it was a bit nostalgic. When the breach was first disclosed last year I immediately bought my own domain name, signed up for a single Microsoft Office 365 E3 subscription and transferred all my email to that. Haven't looked back since.

    At $25 a month I get my own custom email, encrypted cloud storage, a full Office suite and a ton of features I will likely never use but are there if I need them.


    • Anonymous Coward, 4 Oct 2017 @ 1:34pm

      Re: Abandon Ship

      And free NSA spying.


      • kallethen, 4 Oct 2017 @ 1:39pm

        Re: Re: Abandon Ship

        That's included with all email services these days.


        • Anonymous Coward, 4 Oct 2017 @ 2:02pm

          Re: Re: Re: Abandon Ship

          Unless you want to roll your own private email server and try to maintain it, or use something like tutanota or protonmail, but those are a bit of a pain to use and lack features.

          I'm willing to accept the risk with Microsoft, especially since the way their Enterprise tenants are structured you own all the services/data you put on there. Microsoft has policies and technical limitations in place that prevent them from accessing your data without your permission. Especially the OneDrive encrypted storage. That was a big selling point for me when I found that out.


          • Anonymous Coward, 4 Oct 2017 @ 2:30pm

            Re: Re: Re: Re: Abandon Ship

            I find your excess of faith disturbing.


            • Anonymous Coward, 4 Oct 2017 @ 2:49pm

              Re: Re: Re: Re: Re: Abandon Ship

              It's not an excess of faith, it's a risk assessment. As I said, I'm willing to accept the risk. I won't live my life afraid of using technology because it might be compromised. If I did I would have to give up all internet access and computer technology because if you're online your data is likely compromised because you've likely used a service that has been compromised. And Windows has something like 80%+ of global OS market share. If the NSA is using Microsoft for spying then 80% of computer users are being spied on already.

              I do my research and make sure I'm aware of the risks before I use something new and take as many feasible precautions as possible.


              • Anonymous Coward, 4 Oct 2017 @ 6:23pm

                Re: Re: Re: Re: Re: Re: Abandon Ship

                So you value market share over security.
                To each his own, I suppose.


                • Anonymous Coward, 6 Oct 2017 @ 9:48am

                  Re: Re: Re: Re: Re: Re: Re: Abandon Ship

                  Sorry if I wasn't clear. I don't value market share more, I'm just pointing out that if your assumption is correct and the NSA is using Microsoft software and services for spying, the fact that Microsoft happens to have a large market share means that whether people use their Office 365 services or not, they are probably still being spied on because most everyone uses Windows as their OS.

                  And before we get into the "well just use a different OS" debate, no that is not always a viable option. I'm an avid PC gamer and linux and wine just don't work well enough to support that.


          • Anonymous Coward, 4 Oct 2017 @ 2:31pm

            Re: Re: Re: Re: Abandon Ship

            Our government is connected into the providers' systems. Has been since the '50s.

            If you communicate online, they can get at it.


            • Anonymous Coward, 4 Oct 2017 @ 2:52pm

              Re: Re: Re: Re: Re: Abandon Ship

              Which, if true, makes all of the above completely moot. The only way to make sure you aren't being spied on is to do absolutely nothing online. Which in today's world is virtually, if not literally, impossible. So whether I use Microsoft, Yahoo, AOL, tutanota, lavasoft, protonmail, or any other service, it's all compromised and makes no difference which service I choose.


          • Anonymous Coward, 4 Oct 2017 @ 4:24pm

            Re: Re: Re: Re: Abandon Ship

            lack features? email almost but doesn't quite make it to the recipient or what?


            • Anonymous Coward, 6 Oct 2017 @ 9:43am

              Re: Re: Re: Re: Re: Abandon Ship

              No, mostly things like limited custom domains. I have several and to use them I would have to pay extra. For the same price or less I get my own email server that I control plus all the other features of Office 365.


    • Anonymous Coward, 4 Oct 2017 @ 2:29pm

      Re: Abandon Ship

      How do you KNOW the cloud storage is encrypted?


      • Anonymous Coward, 4 Oct 2017 @ 3:01pm

        Re: Re: Abandon Ship

        Because it's an enterprise class service used by organizations and companies that have to be HIPAA and PCI compliant.

        This isn't their hotmail service I signed up for, it's the full enterprise grade service complete with my own Exchange tenant in the cloud.


    • Anonymous Coward, 4 Oct 2017 @ 11:37pm

      Re: Abandon Ship

      Out of curiosity, why them, vs. Google?


  • David, 4 Oct 2017 @ 1:31pm

    On the plus side:

    The company does not have to spend a lot of developer hours when offering an application where you can check whether your mail account has been affected by such a hack.


  • Anonymous Coward, 4 Oct 2017 @ 1:47pm

    People actually still use Yahoo? I have an account, but the only thing it leads to is my fantasy football team management.


  • Anonymous Coward, 4 Oct 2017 @ 1:57pm

    Thanks 26, NSA, GS, and Poindexter and DARPA

    The failocracy rules, idiocracy would be an order of magnitude up from where we are


  • Anonymous Coward, 4 Oct 2017 @ 1:58pm

    Equifax

    We saw it with Equifax.


    • Anonymous Coward, 4 Oct 2017 @ 2:05pm

      Re: Equifax

      They have just been hired in a no bid contract to do identity verification by the IRS

      Bigly!, WINNING!


      • Anonymous Coward, 4 Oct 2017 @ 2:13pm

        Re: Re: Equifax

        They have just been hired in a no bid contract to do identity verification by the IRS

        In this morning's hearing before the Senate Banking Committee, I believe Nebraska's Senator Ben Sasse was the first to have questions about this news item.

        He was not the only one.


      • Anonymous Coward, 4 Oct 2017 @ 2:29pm

        Re: Re: Equifax

        They have just been hired in a no bid contract to do identity verification by the IRS

        For the record (and in case anyone here hasn't seen it), yesterday's widely reported story—

        “IRS awards multimillion-dollar fraud-prevention contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 3, 2017

        I don't believe Politico was mentioned by name in this morning's committee hearing. Rather, iirc, there was just a generic mention of “news” there. But this Politico story has been widely cited elsewhere, including in David Kravets' story yesterday at Ars Technica.


        • That One Guy (profile), 4 Oct 2017 @ 3:13pm

          A matter of experience

          Well, I mean it's suggested that you use one thief (ideally a former one) in order to catch other thieves because they know the tricks, perhaps the IRS figures that a company that failed spectacularly in their security and which hid this fact as long as they could knows all about securing your personal data and informing you when it's been violated.

          Surely they'll have learned their lesson and will do better this time, right?


          • Anonymous Coward, 4 Oct 2017 @ 3:52pm

            Re: A matter of experience

            … perhaps the IRS figures…

            See North Dakota Senator Heidi Heitkamp's remarks, beginning roughly about 1:47:00 in the C-SPAN video (note this hyperlink doesn't advance all the way to 1:47:00).

            Adapted from the closed-caption transcript:

            Sen. Heitkamp: . . . We found out today that the IRS has been forced to continue your contract by your protest. That's why that contract was continued. . . .


          • Anonymous Coward, 4 Oct 2017 @ 4:20pm

            Re: A matter of experience

            … perhaps the IRS figures…

            Googling around…

            “IRS: New Equifax contract a stopgap as we switch vendors”, by Joe Uchill, The Hill, Oct 4, 2017

            . . . That contract raised eyebrows at a House Ways and Means Committee hearing about IRS information technology infrastructure held on Wednesday. . . .

            Jeffrey Tribiano, IRS deputy commissioner for operations support, testified that the contract was to continue the electronic authentication service Equifax had already been providing as the agency attempted to move that contract to a new vendor.

            In July, after the IRS decided to replace Equifax with another company's successful bid, Equifax challenged the procurement. . . .

            I still have the second panel in this afternoon's Senate Judiciary subcommittee hearing queued up. Probably won't get around any time soon to watching today's House Ways and Means Committee's Oversight Subcommittee “Hearing on the Internal Revenue Service’s Information Technology Modernization Efforts” (Oct 4, 2017).


            • That One Guy (profile), 4 Oct 2017 @ 11:36pm

              Re: Re: A matter of experience

              Well, I suppose it's to the IRS's credit then that the contract was basically forced on them and they're trying to switch to another company, a process that will hopefully be much easier after the gigantic freakin' hack of Equifax and their... 'relaxed' response to reporting it.


              • Anonymous Coward, 5 Oct 2017 @ 4:15pm

                Re: Re: Re: A matter of experience

                I suppose it's to the IRS's credit then that the contract was basically forced on them . . .

                “GAO: IRS did not have to award $7.25M contract to Equifax”, by Steven Overly and Nancy Scola, Politico, Oct 5, 2017

                The Government Accountability Office on Thursday disputed the idea that the IRS had no choice but to award a $7.25 million, no-bid contract to Equifax, undercutting the agency's primary defense of its decision. . . .


    • Anonymous Coward, 5 Oct 2017 @ 9:10am

      Re: Equifax

      House Financial Services full committee hearing, “Examining the Equifax Data Breach”, …, Oct 5, 2017

      C-SPAN link for this morning's House Financial Services Committee hearing.


      • Anonymous Coward, 5 Oct 2017 @ 10:55am

        Re: Re: Equifax

        C-SPAN link for this morning's House Financial Services Committee hearing.

        That C-SPAN video seems to end early — before the hearing resumes after the second recess.

        Right now, I'm watching the rest of the hearing via YouTube. Currently, that YouTube video is embedded on the House Financial Services Committee homepage. I'm slightly surprised that video isn't currently embedded on the committee's hearing webpage.


  • Anonymous Coward, 4 Oct 2017 @ 2:59pm

    I created my old yahoo email account solely to sign up for mailing lists with monetary kickbacks. The hackers can have that if they really want it.

    Never trust a yesterday company to host a service that you can host yourself.


  • Anonymous Coward, 4 Oct 2017 @ 3:44pm

    If they knew

    If they knew that the hack included all accounts why didn't they reduce the price more? Like half of what was offered.

    Yahoo's email service is dead or at least should be because of that breach and they don't have that much more than that.

    Imo bad move on Verizon's side.


  • Anonymous Coward, 4 Oct 2017 @ 10:57pm

    Wonderful. Also totally expected. I was always pretty sure that Yahoo wasn't telling the whole story, and that they'd lost it all.

    Also pretty sure that most of the email they'd have seen was likely about 95% marketing and other spam making the privacy considerations close to nil. The real haul was all the reused passwords on other accounts which are entirely the user's own fault.


  • That Anonymous Coward (profile), 4 Oct 2017 @ 11:57pm

    I had a handful of yahoo accounts... over half got the notification that the nation state hacker had gotten into them.

    Once I heard about the culture that was cultivated & the outright working around the security team I couldn't leave them behind fast enough.

    People thought I was silly to purge them all & shut them down. Given how bad the hack had been & how long it took them to fess up, I suspected it was way worse.

    We can no longer trust any reported numbers involving hacks offered up by those who were compromised, they always lie & undersell the extent. They failed at the most basic levels & still want to make it look like it was no big deal.

    There are plenty of alternatives out there, it only took me about 10 minutes to figure out which accounts secured other accounts as backups & then invent replacements.

    The really horrible thing is, even generating a password that would take years to crack is pointless when encrypting the data isn't done or uses the cheapest fastest way.


  • Ninja (profile), 5 Oct 2017 @ 6:00am

    I'm kind of torn on how much of a data breach is a problem considering even companies with the best security practices out there can still fall victim to an unsuspecting employee inserting a heavily contaminated USB stick. That said, breaches that bad and comprehensive (Yahoo, Equifax) should immediately spell the end of the company. Either by people flocking out or via government shutting it down for good. Yahoo is walking fast towards the end but Equifax got awarded new no-bid contracts worth millions by the govt. So, yea, expect your data to be violated ad nauseam forever and nobody moving to fix it.


  • Anonymous Coward, 5 Oct 2017 @ 6:33am

    so the difference is?

    "We got hacked and your data was stolen."

    vs.

    "Your data can be shared with any of our 3rd party associated companies."


  • Anonymous Coward, 5 Oct 2017 @ 9:19am

    "why anyone should have a Yahoo email account"

    Because of yahoo groups and the niche communities that live in them.

    I *hate* the neo interface but the inertia behind these groups is regrettably too much to force a change to a different platform.


  • McGyver (profile), 5 Oct 2017 @ 11:03am

    Neither shocked nor dismayed... A bit gassy though.

    I say we all go back to good old fashioned ink on paper snail mail...
    At least when the government spied on you back then, the agent had to physically get your mail and sort through it...
    That was exercise and that probably saved taxpayers millions in unnecessary health problems for these poor and probably now fat agents...
    And you didn't have criminals in Eastern Europe and Russia stealing your mail...
    Unless that's where you were sending it...
    Come on folks... Who's with me on this?...
    Nobody?
    Megh... Figures... Techy crowd...
    Oh well...
    But seriously... Is anybody surprised anymore?
    I think we need to just start reporting on companies that haven't been hacked in X number of days...
    Maybe come up with an award... The "NoHacky"... Eh?
    Well, I'm getting back to working on the future of mail... A cybernetic carrier pigeon drone with Siri technology, that you scream the subject of your letter at and then send it on its way... When or if it arrives it delivers the message using a form of primitive interpretive dance.
    So far I've managed to duct tape a bunch of pigeons to drones... Next step is teaching them to dance...
    Don't be dismissive... The Internet sounded stupid when it was new and look how long it's taken to become this stupid.


