Yahoo Hacked – 1.0B Accounts Exposed

Dude… The Fat Lady is SO singing over at Yahoo…


There are a few things that come to mind here:

  1. If I were Marissa Mayer, I would crawl under a rock and hide. Like… forever.
  2. If I were Verizon, I would run, not walk, so fast and so far away from the purchase of Yahoo, and I would NEVER look back (or second guess that decision).
  3. If I were a Yahoo user, I would set fire to my account and use the mail account that my ISP gave me. At this point a comcast.net mail account can’t be seen as a bad thing…

To be honest, this is beyond pathetic.

I’ve heard it mentioned that the security breach in question is the result of a separate, earlier attack that occurred in 2013, at least six to twelve months before the attack in 2014 that exposed 500 million accounts to hackers. I’ve heard that security analysts at Yahoo brought their concerns to the management team and the analysis was effectively ignored.

In a statement, Yahoo said they weren’t able to identify the intrusion associated with the breach. Hackers may have stolen names, email addresses, telephone numbers, MD5 hashed passwords, dates of birth, and in some cases, both encrypted and unencrypted security questions and answers.

The company has further admitted that hackers may have accessed all of this information due to a theft of source code, enabling them to manufacture a way in without requiring a password. Apparently, they were able to forge a cookie that allowed them to retrieve credentials that were stored locally. While Yahoo has invalidated the security questions and their answers as well as the forged cookies, the damage has already been done.

The thing that really irks me the most here is that this was a bigger breach than the one that was reported in 2014; AND it occurred BEFORE the breach that got so much publicity. This hack is twice as big and in my opinion twice as damning. Verizon was already “evaluating” its purchase of Yahoo. If I were them, I’d evaluate myself right out of the deal. The assets aren’t worth the risk.

Yahoo has been severely criticized by six different US senators for taking two years to publicize the September 2014 breach that lost them 500,000 accounts. This latest breach occurred a full year or so before that, and it’s being revealed AFTER the 2014 breach.

At this point, Yahoo knows basically NOTHING. They have no idea who may have perpetrated the attack, which nation may have sponsored the hackers, or the full extent of the information that has been compromised. As a result, Yahoo’s stock took a 2.5% hit in after-hours trading on 2016-12-14. At this point, I can see the value of the stock dropping more as Verizon “evaluates” their purchase plans.

As I said, Yahoo is over. Marissa Mayer is done as a CEO, despite the amount of promise she showed during the early part of her tenure with the company. Verizon should do themselves a favor and target other web content and properties. I think their money would be better spent on assets that weren’t compromised.

If I were a Yahoo user, I’d shut my account down, get a secure password manager, and change passwords and security question answers on all my financial accounts… and that’s just for starters. Yahoo has been around since the early 1990s. A lot of users have a great deal invested in them, and all of that metadata may be compromised at this point. Better safe than sorry for ALL involved (including investors, Yahoo management and Verizon, as well as users)…

Are you a Yahoo user? Are you still using your Yahoo account? Are you concerned about this breach? What, if anything, have you done to protect yourself and your account information? Why don’t you meet me in the Discussion area below and give me your thoughts on the breach and on Yahoo itself as well as what you’re doing to make yourself safe.

UPDATED – Apple Developer Website Hacked – #3

Apple Developers got a delightful update in the past couple of days. More of the site is back…

The Apple Developer Network status page has seen quite a few updates lately. In fact, Apple developers got a nice surprise over the weekend – much of the site’s resources are back, including software downloads.

That didn’t take too long, and I’m really pleased with the level of progress that Apple has made since putting the status page up.

While the Member Center is still offline, each of their three dev centers – Mac, iOS, and Safari – is back up and running. The latest released build of each related developer preview for OS X Mavericks, iOS 7 and Safari is available from each page. However, please note that Mavericks Developer Preview 4, released on 2013-07-22, still isn’t showing as available via the OS X Development Center. Currently, the latest release offered there is Developer Preview 3, released on 2013-07-08. If you want Developer Preview 4, you’ll still need to download it via the Mac App Store after installing Developer Preview 3.


A lot has happened with this story, and I’m going to move on to other items at this point, unless and until we hear about what actions, if any, will be taken against the security engineer that caused the whole ballyhoo in the first place. At that point, we’ll want to revisit the story, as I’m certain there will be consequences, and quite likely, serious consequences.

Apple Developer Website Hacked

For those of you with developer accounts, the site was hacked…

I’ve had an Apple Developer account for about 3 years. Like all development account members, I use it to get access to Apple’s prerelease software to help with my development and testing efforts. I’m a hobby developer. I don’t develop things for sale.

The big problem with all of that is that I have a single email address, or single Apple ID. Apple ties your Developer account to your Apple ID, and you log into the site with it. I knew the site was down and had been down for a few days, more than expected. Today, I was greeted with the following note from Apple:

Apple Developer Website Update:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

Awesome.

The site got hacked, and they can’t guarantee that my Apple ID and password, as well as my other personal information, weren’t compromised. That’s just terrific.

Well, this certainly isn’t the end of this one. You can bet that there will be additional fallout on the Apple side of the world for this. While I think it’s a good idea to completely change the system, part of the changes would be to NOT tie everything to my Apple ID, but to another user ID and password.

There will be more from me on this as the story develops. Please watch the Soft32 blog for additional updates.

RAD Software Development – For when Management Wants it Bad

In an age where convenience and instant gratification are easy to come by, taking time to do things the right way often gets glossed over… and causes a lot of problems

I am a software QA professional. That means that I test software for a living and manage teams to do the same thing. I’m good at it; and one of the things that I’m really beginning to hate about some of the faster paced, quick turnaround software development and release processes is that time for testing is either greatly reduced or bypassed entirely.

I’ve learned that when management wants it bad, they can usually count on those fast-paced processes to deliver just that – bad, buggy software.

Here’s a very clear case in point – today The Verge reported that it had found a bug in iOS 6.1 that allowed anyone to bypass the iOS lock screen and view and modify contacts, listen to your voicemail, and browse your photos (by attempting to add a photo to the accessible contact list). It doesn’t appear as if the exploit grants access to email or the web.

The new exploit is similar to one that was discovered in iOS 4.1 that allowed access to contacts, call history and voicemail on a passcode-locked handset without knowing the numeric entry code required to formally unlock the phone. While the steps seem to be a bit unusual and convoluted – a user needs to make and then immediately cancel an emergency call and then hold down the power button a couple of times – it’s bugs like this that completely destroy any confidence a smartphone-dependent public has in a venerated company like Apple.

It also really chaps my hide.

Testing is something that many companies either bypass or greatly reduce time and resources on, as it’s seen as a road block to release. In fact, many modern day methodologies don’t carry a lot of support for the different types of needed testing.

System testing, or testing the entire (and just the) application as a whole, is usually supported. Integration testing, or testing the interaction of the application with other apps and systems, usually gets bypassed. Regression testing, or the re-execution of previously completed system and integration tests, rarely ever gets done.

…and case in point. The bug that’s referenced here seems to be some type or classification of regression bug that should have been squashed over two FULL versions ago. The fact that it’s come back isn’t cool, and it is something that Apple needs to deal with quickly.

I’ll be watching beta releases of iOS in the near future and if I find out anything interesting, I’ll pass it on.

Sony Online Entertainment also hacked

Further investigation into the PSNetwork security breach brings bad news for Sony. Its multiplayer game service was also hacked. Known as Sony Online Entertainment, the service is the second major victim of a huge hack attack on Sony’s biggest moneymaking products. PlayStation chief Kaz Hirai declared on Sunday that the credit card details of nearly 10 million PSN users may have been acquired illegally.

The damage doesn’t stop here. Another 10,700 bank account numbers have been stolen from the SOE network, belonging to users outside the US (Germany, Austria, Netherlands and Spain). The first lawsuit against Sony over its latest security issues comes from a user in Alabama, and this is just the beginning of a wave of legal scrutiny.

Read: PSN down for the seventh day | Read: PlayStation Network will be back up this week

PSN down for the seventh day

Like all the other PS3 users, I was unable to connect to their online service this week. I wasn’t very upset because I’m not a huge fan of this product, but I’m still amazed how a bunch of hackers could destroy the image and eventually the business of such a huge company.

Today is the seventh day that the PSNetwork is down, and it will remain so until further analysis. Access to the service seems to have been cut off by the company itself from the moment they found out their service was hacked. At the moment there are only rumors circulating on the internet, but it seems that personal information such as name, address, e-mail, birthday, and PSN login information was obtained by the hackers. It is not confirmed whether purchase history and credit card information may have been compromised as well.

The only thing I’m sure of is that Sony will have to rebuild the PSN infrastructure and invest a lot in marketing to assure customers that their system is secure again. Until then, expect the unexpected!
