After announcing in September that 500 million accounts had been compromised in a 2014 security breach, the company announces today that an additional billion accounts have been hacked in a separate incident.
If you’re a Yahoo user, you should strongly consider closing your account. If you decide to keep your account open, you might as well post your username and password to Facebook and send them out in a tweet, for all the good Yahoo’s security precautions will do for you.
Here at FOSS Force, we’ve pretty much stayed away from the spate of problems being faced by Yahoo recently because there’s not much of a FOSS or free tech connection. However, when Yahoo announced this afternoon that an estimated one billion user accounts were breached in August of 2013, we decided that enough is enough.
“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” said Bob Lord, Yahoo’s chief security officer in an online announcement. “We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
The earlier incident affected 500 million users, at the time considered to be the largest such breach in Internet history, and is thought to have begun as early as 2014.
Yahoo seems to know very little about the breach announced today. According to a press release from the office of Suzanne Philion, Yahoo’s senior director of corporate communications, “As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.”
Philion’s press release also addresses another ongoing security issue that account holders should find concerning, especially in light of the company’s other security woes.
“Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”
The company said that it believes that incident to be connected to the breach announced in September.
Yahoo was also criticized in October when Reuters reported that the company had developed custom software to search all of its users’ incoming emails for queries supplied by U.S. intelligence officials.
All of these problems couldn’t happen at a worse time for Yahoo, which in July agreed to be purchased by Verizon for $4.83 billion. The company’s revenues have been declining for a number of years, and many stockholders, weary of halfhearted efforts to turn the company around, have been eager to cash out.
It is not known whether today’s news will have an affect on the sale. After the first breach was reported in September, Verizon indicated that it would take a wait and see attitude.
TechCrunch, which is owned (through AOL) by Verizon, reported that after today’s announcement a Verizon spokesperson said, “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”
At this point, if I were asked to take a gaze at my crystal ball, I would be somewhat surprised if the sale goes through, even at fire sale prices. The already ageing brand has been heavily damaged by these security issues, and it might not be worth the money it would take to turn it around — if that is even possible anymore.
After the breach in September I closed a no longer used Yahoo account I’d had since the 1990s that I’d been holding onto, mainly for sentimental reasons. At this time, I’m recommending anybody still using Yahoo Mail to get out and find another email provider. Yahoo seems to be about as competent at handling its security as it is at everything else it does.