vissha Posted October 2, 2016

Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users

The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a "state-sponsored actor" in 2014, which exposed the accounts of at least 500 Million Yahoo users.

But, now it seems that Yahoo has downplayed a mega data breach and is trying to hide its own security blunder.

Recently the information security firm InfoArmor that analyzed the data breach refuted Yahoo's claim, stating that the data breach was the work of seasoned cyber criminals who later sold the compromised Yahoo accounts to an Eastern European nation-state.

Over 1 Billion Accounts May Have Been Hacked

Now, there's one more twist in the unprecedented data heist. A recent advancement in the report indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion.

An unnamed, former Yahoo executive who is familiar with the company's security says that Yahoo's back-end system architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users, Business Insider reported Friday.

So all usernames and passwords that users enter to log into services like Yahoo Mail, Sports or Finance go to this one central database to ensure they are valid, allowing them access.

This central database is what got compromised, and therefore, it's quite difficult to believe that the hackers who compromised the whole database walked away with just a small bunch of "the core crown jewels of Yahoo customer credentials."

Whoever carried out the hack not only stole usernames and email addresses of affected users but also pilfered other personal information, including their dates of birth, phone numbers, hashed passwords, and unencrypted security answers.

So, it's unclear how Yahoo came up with the 500 Million number.

The company had not commented further on how the data breach happened or when it was discovered, citing an active investigation.

Yahoo! could have saved you, but decided not to:

A lengthy report published by the New York Times seemingly explains that the company did not reset the passwords of its users after the breach due to the decisions made by Yahoo's CEO Marissa Mayer, who seemed to prioritize developing new products over making security improvements.

The reason sounds stupid, as the article reads:

Quote
"The 'Paranoids,' the internal name for Yahoo's security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company's products."

If Yahoo had reset the passwords of its affected users, proper security measures would have been taken by users to protect their personal data from hackers.

Let's see what new advancements come to this unprecedented data breach. Already, the Yahoo hack is believed to be one of the biggest in history, and the company is still trying to negotiate a deal to sell its core business to Verizon for $4.8 Billion.

Yahoo! has yet to respond to the recent revelation by the insider.

Data breach news has already magnified the company's problems, but if the breach number reaches a Billion, would the company be able to save its acquisition deal? Let us know in the comments below...

Source
steven36 Posted October 2, 2016

Who Hacked Yahoo? Who Cares!

It's funny because it's true.

Quote
Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives.

That line from Bloomberg News' coverage of the Yahoo hack of at least 500 million user accounts sums up the ridiculous attitude so many in management (and in public relations) take toward cyber security.

In blaming a "state-sponsored actor," Yahoo seems to be trying to tell us "there's nothing we could do." JPMorgan tried a similar tactic, with little success, after a 2014 hack. It's as if foreign governments are expected to be able to breach any firm's cyber-security measures, and corporations should be forgiven.

That's bunkum. Cyber security is one of the few areas where victim-blaming might be considered acceptable, and by victim, I mean the companies. In reality, the real victims are the customers, because little downside ever seems to visit the corporations, or their executives.

Ah...Who?
Yahoo's declining relevance to advertisers can be seen in its shrinking share of global spend, yet its legacy mail service and large user base make the latest hack a massive security breach.

I know I'm going out on a limb here, but by implying a hack is state-backed, and thus couldn't be stopped, corporations are by extension blaming users themselves. That's not acceptable.

Obfuscation aside, it may not be an entirely stupid move to blame a nation like China, Russia, North Korea or the U.S. (come on, if you're pointing fingers don't leave anyone out!). You see, a state-backed hack may be better news than a non-government attack. Crazy, I know, but hear me out.

If a government is hacking your service provider, it's more likely to be looking for strategically valuable information, or a way to extract information from a strategically valuable person. If you're an average Joe teaching gym at the local high school you're probably not on the hacker's radar. If you're a White House staffer sending POTUS's private schedule -- or nuclear launch codes -- to your Yahoo Mail account, then you're SOL.

A non-government hacker is probably in it for commercial reasons. Stealing credentials en masse to sell to the highest bidder is just one business model. And since buyers know that even coach Joe has a credit card, that's valuable information.

There's nothing to suggest a state-sponsored hacker isn't also in it for commercial reasons -- heck, a bit of ransomware would be a great way to fund the office Christmas party -- but that's not usually their primary purpose. At the same time, remember that state-sponsored and commercial hacks aren't mutually exclusive.

While Yahoo's position in the global internet economy is declining, its legacy status and massive email base make this breach important, and damaging. Blaming it on a state-sponsored actor looks suspiciously like PR spin, but the alternative could be worse.

1. Seriously Out of Luck

Source: https://www.bloomberg.com/gadfly/articles/2016-09-23/who-hacked-yahoo-who-cares
dac Posted October 2, 2016

Wait two years to warn people
Tells me all I need to know about Yahoo
pc71520 Posted October 3, 2016

15 hours ago, dac said:
Wait two years to warn people

Pretty Fast, wasn't it?
SnakeMasteR Posted October 3, 2016

Wait two years to warn people

At least it wasn't 4.