December 14th, 2016

Another Yahoo Security Breach Affects a Billion Accounts

After announcing in September that 500 million accounts had been compromised in a 2014 security breach, the company announces today that an additional billion accounts have been hacked in a separate incident.

Breaking News

If you’re a Yahoo user, you should strongly consider closing your account. If you decide to keep your account open, you might as well post your username and password to Facebook and send them out in a tweet, for all the good Yahoo’s security precautions will do for you.

Here at FOSS Force, we’ve pretty much stayed away from the spate of problems being faced by Yahoo recently because there’s not much of a FOSS or free tech connection. However, when Yahoo announced this afternoon that an estimated one billion user accounts were breached in August of 2013, we decided that enough is enough.

“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, Yahoo’s chief security officer in an online announcement. “We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”

The earlier incident affected 500 million users, at the time considered to be the largest such breach in Internet history, and is thought to have begun as early as 2014.

Yahoo seems to know very little about the breach announced today. According to a press release from the office of Suzanne Philion, Yahoo’s senior director of corporate communications, “As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.”

Philion’s press release also addresses another ongoing security issue that account holders should find concerning, especially in light of the company’s other security woes.

“Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”

The company said that it believes that incident to be connected to the breach announced in September.

Yahoo was also criticized in October when Reuters reported that the company had developed custom software to search all of its users’ incoming emails for queries supplied by U.S. intelligence officials.

All of these problems couldn’t happen at a worse time for Yahoo, which in July agreed to be purchased by Verizon for $4.83 billion. The company’s revenues have been declining for a number of years, and many stockholders, weary of halfhearted efforts to turn the company around, have been eager to cash out.

It is not known whether today’s news will have an effect on the sale. After the first breach was reported in September, Verizon indicated that it would take a wait-and-see attitude.

TechCrunch, which is owned (through AOL) by Verizon, reported that after today’s announcement a Verizon spokesperson said, “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”

At this point, if I were asked to take a gaze at my crystal ball, I would be somewhat surprised if the sale goes through, even at fire sale prices. The already ageing brand has been heavily damaged by these security issues, and it might not be worth the money it would take to turn it around — if that is even possible anymore.

After the breach in September I closed a no longer used Yahoo account I’d had since the 1990s that I’d been holding onto, mainly for sentimental reasons. At this time, I’m recommending anybody still using Yahoo Mail to get out and find another email provider. Yahoo seems to be about as competent at handling its security as it is at everything else it does.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

3 comments to Another Yahoo Security Breach Affects a Billion Accounts

  • tracyanne

    >> the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.

    At this point I wonder how anyone can possibly defend using Proprietary code.

    What good did it do keeping the source code secret?

  • slu

    2 accounts cancelled…never again! Hadn’t used in years.

  • tewodros tefferfa

    I was not logging in last week, it keeps saying on my iPhone please log in
    the location shows unknown area