Yahoo Hacked Again… Time to Run Away From Yahoo
Two days ago we wrote an article advising all Yahoo users to close their accounts due to Yahoo’s lack of security and apparent inability to deal with it. Just when we thought it could not get any worse with Yahoo … it just got worse. This time, Yahoo admits that it had more than one billion accounts stolen.
The following article appeared today (14 December 2016) on ZDNet:
Yahoo hacked again, more than one billion accounts stolen
Yahoo has disclosed that more than one billion accounts may have been stolen from the company’s systems in another cyberattack.
The company said in a statement Wednesday after the markets closed that unnamed attackers stole the accounts in August 2013, a little over a year prior to a previously disclosed attack in September, in which attackers stole around 500 million accounts in 2014.
But the company said it wasn’t able to identify the intrusion associated with the August breach.
The statement said that the hackers may have stolen names, email addresses, telephone numbers, hashed passwords (using the weak, easy to crack MD5 algorithm), dates of birth, and in some cases encrypted or unencrypted security questions and answers.
Yahoo said it has invalidated unencrypted security questions and answers so that they cannot be used to access affected accounts.
But payment card data and bank account information, stored in separate systems, are not thought to have been stolen in the attack.
Source code stolen
The company also admitted that hackers may have developed a way of accessing accounts without a password by stealing Yahoo’s secret source code.
“Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies,” which can be used to store authentication credentials locally.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” said the statement.
Yahoo has also invalidated the cookies.
Reporting delay ‘unacceptable’
It’s the latest security blow against the former internet giant, which earlier this year said it had been attacked by “state-sponsored” hackers — just as it was being bought by Verizon for $4.8 billion.
But Yahoo still hasn’t said who was behind the attack, or which state may have sponsored the hackers.
Verizon reiterated its statement on Wednesday, saying the company “will evaluate” the purchase as Yahoo continues its investigation…