Security experts still have pressing unanswered questions after Yahoo’s admission that “state-sponsored” hackers had stolen the personal details of half a billion users. The attackers obtained names, email addresses, phone numbers and security questions in late 2014. Hackers also stole passwords, but these were in a “hashed” form and therefore could not be immediately re-used. Yahoo also believes that the financial information it holds remains safe.
The main question about the hack is why disclosure took so long. The data leaked 2 years ago and first appeared on the dark web 2 months ago, offered for sale by a user named “Peace of Mind”, who was also selling data stolen from MySpace and LinkedIn. However, it is unknown when Yahoo first learned about the breach. Whenever it was, Yahoo claimed that the attacker was “state-sponsored”, although in that case it is unclear why the attacker would publicly share the stolen data or sell it. Perhaps there were two different Yahoo breaches, with two different hacking groups in the company’s systems.
Security experts also point out that it is unclear how well the passwords were protected. The company has confirmed that the passwords were hashed. Hashing is a one-way transformation that allows a website to check that an entered password is correct without having to store the actual password. In addition, “security questions” were stolen; these were not encrypted, and so some are readable in plaintext. While changing a stolen password is easy, changing a stolen mother’s maiden name is somewhat more difficult.
Industry observers also wonder whether this breach will affect Yahoo’s multi-billion dollar merger with Verizon. As for Yahoo users, they are advised to change their Yahoo password and security questions as soon as possible. If you used the same credentials anywhere else, you should change the password there as well. The best approach is to stop re-using passwords altogether. Moreover, since Yahoo is a major webmail provider, another serious problem is that any other service that sends password reset emails to a Yahoo Mail account can also be compromised, so you need to change your passwords on those services too.
Sunday, September 25th, 2016
So they won the world record of the biggest breach or not?
The Security experts sure don't know much for being the
posted by (2016-09-26 23:50:54)
Yahoo is merging with Verizon... All their updates have been part of a transition to app based. Messenger just got downgraded as such also. Can't send large files anyone, etc. They want people to secure their old accounts with Cell phone numbers (spying, etc). Not sure if that is linked to the hack or why it wasn't disclosed sooner. It all makes sense that way though.