Yahoo Hacked – 1.0B Accounts Exposed

Dude… The Fat Lady is SO singing over at Yahoo…


There are a few things that come to mind here:

  1. If I were Marissa Mayer, I would crawl under a rock and hide. Like… forever.
  2. If I were Verizon, I would run, not walk, so fast and so far away from the purchase of Yahoo, and I would NEVER look back (or second guess that decision).
  3. If I were a Yahoo user, I would set fire to my account and use the mail account that my ISP gave me. At this point a comcast.net mail account can’t be seen as a bad thing…

To be honest, this is beyond pathetic.

I’ve heard it mentioned that the security breach in question is the result of a separate, earlier attack that occurred in 2013, at least six to twelve months before the attack in 2014 that exposed 500 million accounts to hackers. I’ve heard that security analysts at Yahoo brought their concerns to the management team and the analysis was effectively ignored.

In a statement, Yahoo said they weren’t able to identify the intrusion associated with the breach. Hackers may have stolen names, email addresses, telephone numbers, MD5 hashed passwords, dates of birth, and in some cases, both encrypted and unencrypted security questions and answers.
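The “MD5 hashed passwords” detail above is the one worth dwelling on. Unsalted MD5 is fast and deterministic, so every user who chose the same password gets the same stored value and a single precomputed table covers all of them. The following is an added example, not code from the post or from Yahoo, that contrasts that legacy scheme with a salted, iterated PBKDF2-HMAC-SHA256 hash (assumed here as the hardened replacement; the post does not say what Yahoo migrated to). The two-user sample is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same password.
SAMPLE_USERS = {"alice": "Summer2013!", "bob": "Summer2013!"}


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article says Yahoo used for stored passwords.
    It is fast and deterministic: identical passwords give identical digests,
    so one precomputed lookup table covers every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed here as the hardened
    replacement; the page does not say what Yahoo migrated to). The result is
    self-describing so that verification can recover salt and iteration count."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared lookup tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the stored hash with its own parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def hashes_collide(hasher, users: dict) -> bool:
    """True if any two users end up with the same stored value, i.e. cracking
    one entry cracks all of them."""
    stored = [hasher(password) for password in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("MD5 collides:", hashes_collide(legacy_md5_hash, SAMPLE_USERS))  # True
    print("PBKDF2 collides:", hashes_collide(pbkdf2_hash, SAMPLE_USERS))   # False
```

The salt is what makes the two identical passwords diverge, and the iteration count is what makes each guess expensive; MD5 offers neither, which is why a leaked table of MD5 digests is effectively a leaked table of passwords for anything common.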

The company has further admitted that hackers may have accessed all of this information due to a theft of source code, enabling them to manufacture a way in without requiring a password. Apparently, they were able to forge a cookie that allowed them to retrieve credentials that were stored locally. While Yahoo has invalidated the security questions and their answers as well as the forged cookies, the damage has already been done.
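The forged-cookie detail is the part that should worry anyone running a login system: if the secret that authenticates a session cookie lives in the source tree, then stolen source code is a stolen key. Below is an added example, not code from the post or from Yahoo, of an HMAC-signed session cookie whose signing key is read from the environment (the `SESSION_SIGNING_KEY` variable name and the offline fallback value are constructed). It shows that a cookie with an edited user id fails verification, that an expired cookie fails, and that rotating the key invalidates every cookie issued before it, which is what “invalidating the forged cookies” amounts to in practice.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: the deployment injects the key via the environment so it never sits
# in source control. The constructed fallback only lets this example run offline.
SECRET_KEY = os.environ.get(
    "SESSION_SIGNING_KEY", "constructed-demo-key-do-not-deploy"
).encode("utf-8")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl: int = 3600, key: bytes = SECRET_KEY, now=None) -> str:
    """Build 'body.signature' where signature = HMAC-SHA256(key, body)."""
    issued = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(issued + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.
    The MAC is checked before the body is parsed, so untrusted JSON is never
    decoded from a cookie that fails authentication."""
    current = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, or missing separator
        return None
    if claims.get("exp", 0) < current:
        return None
    return claims.get("uid")


def tamper(cookie: str, new_uid: str) -> str:
    """Constructed test helper: rewrite the user id but keep the old signature,
    the kind of edit a verifier must reject."""
    body, sig = cookie.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["uid"] = new_uid
    new_body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    cookie = issue_cookie("alice", now=1000)
    print(verify_cookie(cookie, now=1500))                     # alice
    print(verify_cookie(tamper(cookie, "admin"), now=1500))    # None
    print(verify_cookie(cookie, key=b"rotated-key", now=1500)) # None
```

The design point is that the verifier trusts nothing in the cookie until the HMAC checks out, and the HMAC depends on a key that source code alone does not reveal. Rotating `SESSION_SIGNING_KEY` is the blunt but reliable way to revoke every outstanding session at once.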

The thing that really irks me the most here, is that this was a bigger breach than the one that was reported in 2014; AND it occurred BEFORE the breach that got so much publicity. This hack is twice as big and in my opinion twice as damning. Verizon was already “evaluating” its purchase of Yahoo. If I were them, I’d evaluate myself right out of the deal. The assets aren’t worth the risk.

Yahoo has been severely criticized by six different US senators for taking two years to publicize the September 2014 breach that lost them 500,000 accounts. This latest breach occurred a full year or so before that, and it’s being revealed AFTER the 2014 breach.

At this point, Yahoo knows basically NOTHING. They have no idea who may have perpetrated the attack, which nation may have sponsored the hackers or the full extent of the information that has been compromised. As a result, Yahoo’s stock took a 2.5% hit in after-hours trading on 2016-12-14. At this point, I can see the value of the stock dropping more as Verizon “evaluates” their purchase plans.

As I said, Yahoo is over. Marissa Mayer is done as a CEO, despite the amount of promise she showed during the early part of her tenure with the company. Verizon should do themselves a favor and target other web content and properties. I think their money would be better spent on assets that weren’t compromised.

If I were a Yahoo user, I’d shut my account down, get a secure password manager, and change passwords and security question answers on all my financial accounts… and that’s just for starters. Yahoo has been around since the early 1990s. A lot of users have a great deal invested in them, and all of that metadata may be compromised at this point. Better safe than sorry for ALL involved (including investors, Yahoo management and Verizon, as well as users)…

Are you a Yahoo user? Are you still using your Yahoo account? Are you concerned about this breach? What, if anything, have you done to protect yourself and your account information? Why don’t you meet me in the Discussion area below and give me your thoughts on the breach and on Yahoo itself as well as what you’re doing to make yourself safe.


UPDATED – Apple Developer Website Hacked – #3

Apple Developers got a delightful update in the past couple of days. More of the site is back…

The Apple Developer Network status page has seen quite a few updates lately. In fact, Apple developers got a nice surprise over the weekend – much of the site’s resources are back, including software downloads.

That didn’t take too long, and I’m really pleased with the level of progress that Apple has made since putting the status page up.

While the Member Center is still offline, each of their three dev centers – Mac, iOS, and Safari – is back up and running. The latest released build of each related developer preview for OS X Mavericks, iOS 7 and Safari is available from each page. However, please note that Mavericks Developer Preview 4, released on 2013-07-22, still isn’t showing as available via the OS X Development Center. Currently, the most current release is Developer Preview 3, released on 2013-07-08. If you want Developer Preview 4, you’ll still need to download it via the Mac App Store after installing Developer Preview 3.


A lot has happened with this story, and I’m going to move on to other items at this point, unless and until we hear about what actions, if any, will be taken against the security engineer that caused the whole ballyhoo in the first place. At that point, we’ll want to revisit the story, as I’m certain there will be consequences, and quite likely, serious consequences.


Apple Developer Website Hacked Update #1

UPDATE: A couple days ago, the Apple Developer Website went down for extended maintenance. Many suspected that the site might have been hacked, but with so much going on with both Mavericks and iOS 7 development, it really could have been anything.

As I pointed out on Monday 2013-07-22, the site was actually hacked, and personal information was compromised. While Apple has stated that “sensitive personal information was encrypted and [could not] be accessed,” their network was still breached and information was compromised and/or stolen.

Interestingly enough, the person responsible for all of this has come out and identified himself. Ibrahim Balic admitted on TechCrunch that he is the “security researcher” who conducted the ad-hoc penetration testing on Apple’s Developer website. He said he reported 13 bugs, took 73 user details – all of them Apple employees – and gave them to the organization as an example of the exploit(s) he discovered.

Balic claims to have obtained more than 100,000 encrypted user details from the site. In a posting on YouTube, Balic attempts to explain himself, promising to delete the data that he took, while informing Apple of the pen-tests prior to the actual data “theft.”

Please note that when I tried to view the video, it was marked “private” and it would not play.

Where this goes from here, I don’t know. Penetration testing is something that most every security firm does, and one that most large organizations want completed. However, they usually retain security firms to do this, and the testing is planned, sanctioned and paid for. Balic’s “testing” appears to have been none of these things; and he may find himself in a great deal of trouble.

This story is developing, and we’ll have further information as it’s made available. Please watch the Soft32 blog for additional updates.


Apple Developer Website Hacked

For those of you with developer accounts, the site was hacked…

I’ve had an Apple Developer account for about 3 years. Like all development account members, I use it to get access to Apple’s prerelease software to help with my development and testing efforts. I’m a hobby developer. I don’t develop things for sale.

The big problem with all of that is that I have a single email address or single Apple ID. Apple ties your Developer account to your Apple ID, and you log into the site with it. I knew the site was down and had been down for a few days, more than expected. Today, I was greeted with the following note from Apple:

Apple Developer Website Update:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

Awesome.

The site got hacked, and they can’t guarantee that my Apple ID and password, as well as my other personal information, weren’t compromised. That’s just terrific.

Well, this certainly isn’t the end of this one. You can bet that there will be additional fallout on the Apple side of the world for this. While I think it’s a good idea to completely change the system, part of the changes would be to NOT tie everything to my Apple ID, but to another user ID and password.

There will be more from me on this as the story develops. Please watch the Soft32 blog for additional updates.
