Topic: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3751
    • View Profile
NBC must have been in such a hurry to break the news that they didn't check what the Yahoo statement meant, and made up a load of stuff as well.
The true story follows below this one.
Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
Alyssa Newcomb
22 Sept 2016

Yahoo confirmed Thursday that a massive security breach impacted 500 million users, and said it believes a "state-sponsored actor" is behind the hack, which took place in 2014.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter," said Bob Lord, Yahoo's chief information security officer, in a statement on Thursday afternoon.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, according to Lord, encrypted or unencrypted security questions and answers.

The company is urging users to change their Yahoo password, and also to update their password and security questions if the same ones were used on any other accounts.

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," Lord said.

The hack first came to light last month. At the time, a company spokesman neither confirmed nor denied the alleged hack, telling NBC News in a statement, "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously."

It was announced in July Verizon had reached an agreement to purchase Yahoo for $4.83 billion. The deal is still in process.

A Verizon spokesman told NBC News the company was notified of the incident "within the last two days."

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the spokesman said. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."

I’m the CISO of Yahoo and I wanted to clear up some misconceptions.

Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.

As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!

I also want to address another issue: Yahoo takes external security reports seriously and we strive to respond immediately to credible tips. We monitor our Bug Bounty and security aliases 24x7, and our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation. We run one of the most successful Bug Bounty programs in the world and I hope everybody here will participate and help us keep our users safe.

We’re always looking for people who want to keep nearly a billion users safe at scale.

« Last Edit: September 23, 2016, 03:07:15 PM by Palloy »
The State is a body of armed men
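
The statement quoted in the post above says the command-injection pattern was added to CI/CD code scanners. As an added illustration (not code from the original post or from Yahoo), here is a minimal Python check of that kind. The two helper sources are constructed stand-ins for a log-debugging script, and the rule itself (flag a shell invocation whose command is not a string literal) is an assumption about what such a scanner would look for.

```python
import ast

# Constructed stand-in for a log-debugging helper; not Yahoo's script.
VULNERABLE_SRC = '''
import subprocess

def count_agent(agent, log_path):
    # Log-derived text is spliced into a shell command line.
    cmd = f'grep -c "{agent}" {log_path}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
'''

# Hardened form of the same helper: argument vector, no shell involved.
HARDENED_SRC = '''
import subprocess

def count_agent(agent, log_path):
    # The log field is only ever data to grep (-F: fixed string, --: end of options).
    argv = ["grep", "-c", "-F", "--", agent, log_path]
    return subprocess.run(argv, capture_output=True, text=True).stdout
'''

# Function names that always go through a shell (os.system / os.popen).
# Matching on the bare attribute name is a heuristic and can over-report.
SHELL_FUNCS = {"system", "popen"}


def _is_literal(node):
    """True when the command is a plain string constant in the source."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_shell_injection_sinks(source, filename="<memory>"):
    """Return (line, reason) for calls that hand a non-literal command to a shell."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        uses_shell = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        cmd = node.args[0] if node.args else None
        if cmd is None or _is_literal(cmd):
            continue  # nothing passed positionally, or a fixed command
        if uses_shell:
            findings.append((node.lineno, f"{name}(..., shell=True) with a non-literal command"))
        elif name in SHELL_FUNCS:
            findings.append((node.lineno, f"{name}() with a non-literal command"))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_shell_injection_sinks(src))
```

A rule this coarse also flags shell commands built only from trusted values, so in a pipeline it works best as a review gate rather than a hard failure.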

Offline Palloy

Re: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
« Reply #1 on: September 23, 2016, 03:06:18 PM »
The previous post was addressed to Hacker News, yet Hacker News is today reporting the original story to be true.  Normally Hacker News leads the pack with reporting breaking news, but is 2 news cycles late on this one.   :icon_scratch:  Perhaps the previous post was itself a scam.

Anyway, it can't hurt to change your password on Yahoo.
Yahoo Confirms 500 Million Accounts Were Hacked by 'State Sponsored' Hackers
September 22, 2016
Mohit Kumar
500 million accounts — that's half a Billion users!

That's how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a "state sponsored" hacking group.

Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, although Yahoo acknowledged that the breach was much worse than initially expected.

    "A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," reads the statement.

Yahoo is investigating the breach with a law enforcement agency and currently believes that users' names, email addresses, dates of birth, phone numbers, passwords, and in some cases, encrypted and unencrypted security questions-answers were stolen from millions of Yahoo users.

However, the company does not believe the stolen information includes credit card information or any bank details of the affected users.

Yahoo has been criticized for its slow response to the data breach, but it is now in the process of notifying affected customers via emails and asking them to change their passwords, as well as security questions.

At this moment, Yahoo did not provide any evidence on why it believed the breach was the work of state-sponsored hackers.

Despite millions of people affected by the breach, the biggest victim here seems to be Yahoo itself.

The data breach reports come just as the company is trying to negotiate a deal to sell itself to Verizon for $4.8 Billion. So, if the breach reports negatively impact its share price, even for the time being, it could cost the company and its shareholders a slice of its buyout value.

Over the past few months, a large number of data breaches have been reported to plague companies like LinkedIn, MySpace, Tumblr, and as hackers put up for sale massive data dumps of user credentials stolen earlier in the decade.

Change your Password and Use Password Manager

Needless to say, users should immediately change their Yahoo account password. The company will also be prompting anyone who hasn't changed their password since 2014 to do so now.

    "Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether," Yahoo suggests.

Also make sure that you change your passwords on other online accounts if they use the same password, and enable two-factor authentication for online accounts immediately.

And once again, a strong recommendation: Don't reuse passwords.

If you are unable to remember different passwords for each site, you can adopt a good password manager that allows you to create complex passwords for various sites as well as remember them for you.

We have recently listed some best password managers that could help you understand the importance of password managers and help you choose a suitable one, according to your requirement.

Offline Palloy

Re: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
« Reply #2 on: September 23, 2016, 11:37:16 PM »
Everyone with a Yahoo account should join this class action !   :oops: :sorry:
Lawsuit accuses Yahoo of gross negligence over 2014 data breach
24 Sep, 2016

A class action lawsuit has been filed against Yahoo over a data breach of over 500 million accounts. Although the hack occurred over two years ago, it was only recently discovered just as Yahoo executives negotiate a sale to Verizon.

The lawsuit was filed in Sunnyvale, California, by Yahoo users accusing the company of displaying “gross negligence” over the recently discovered data breach. It contends that the two years it took Yahoo to learn that the information for some 500 million accounts had been compromised was unacceptable.

The claimants cite research showing it takes an average 191 days for a hack to be identified and 58 days to contain a breach after it’s been discovered. However, this 2014 hack was just discovered on Thursday after what one unidentified source claimed was another potential data breach from July, the Mercury News reported.

The July breach ended up being unfounded, but unfortunately that was not good news for the company as it tries to negotiate a $4.8 billion sale to Verizon.

Although Yahoo has said that no financial information was taken from the accounts, the lawsuit argues that information from email addresses, dates of birth and even security questions can be used to steal a person’s identity.

The hack is believed to be the biggest in history and the class action suit cites a potential participant pool of 500,000. They are seeking a jury trial and unspecified damages. The breach is being investigated by the FBI, with Yahoo claiming a “state-sponsored actor” is to blame for the attack.

Offline Palloy

Re: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
« Reply #3 on: October 03, 2016, 02:58:57 PM »
Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users
September 30, 2016
Swati Khandelwal
The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a "state-sponsored actor" in 2014, which exposed the accounts of at least 500 Million Yahoo users.

But now it seems that Yahoo has downplayed a mega data breach and is trying to hide its own security blunder.

Recently, the information security firm InfoArmor, which analyzed the data breach, refuted Yahoo's claim, stating that the data breach was the work of seasoned cyber criminals who later sold the compromised Yahoo accounts to an Eastern European nation-state.

Over 1 Billion Accounts May Have Been Hacked

Now, there's one more twist in the unprecedented data heist.

A recent advancement in the report indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion.

An unnamed former Yahoo executive who is familiar with the company's security says that Yahoo's back-end system's architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users, Business Insider reported Friday.

So all usernames and passwords that users enter to log into services like Yahoo Mail, Sports or Finance go to this one central database to ensure they are valid, allowing them access.

This central database is what got compromised, and therefore, it's quite difficult to believe that the hackers who compromised the whole database walk away with just a small bunch of "the core crown jewels of Yahoo customer credentials."

Whoever carried out the hack not only stole usernames and email addresses of affected users but also pilfered other personal information, including their dates of birth, phone numbers, hashed passwords, and unencrypted security answers.

So, it's unclear how Yahoo came up with the 500 Million number.

The company had not commented further on how the data breach happened or when it was discovered, citing an active investigation.

Yahoo! could have saved you, but decided not to:

A lengthy report published by the New York Times seemingly explains that the company did not reset the passwords of its users after the breach due to the decisions made by Yahoo's CEO Marissa Mayer, who seemed to prioritize developing new products over making security improvements.

The reason sounds stupid, as the article reads:

    "The 'Paranoids,' the internal name for Yahoo's security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company's products."

If Yahoo had reset the passwords of its affected users, proper security measures would have been taken by users to protect their personal data from hackers.

Let's see what new advancements come to this unprecedented data breach.

Already, the Yahoo hack is believed to be one of the biggest in history, and the company is still trying to negotiate a deal to sell its core business to Verizon for $4.8 Billion.

Yahoo! has yet to respond to the recent revelation by the insider.

Data breach news has already magnified company's problems, but if breach number reaches Billion, would the company be able to save its acquisition deal?

Offline Palloy

Re: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
« Reply #4 on: October 10, 2016, 03:22:47 PM »
After reading this, you can perhaps understand how this incident has been misreported.  There WAS a "State-Sponsored Actor", and it WASN'T Putin, it was NSA/FBI.

This is Yahoo's Help Page on how to delete your Yahoo account
(note that this will lock you out of any YahooGroups you were in, and, plus whatever else uses your Yahoo account credentials)
Yahoo Email Spying Scandal — Here's Everything that has Happened So Far
October 07, 2016
Swati Khandelwal
Today Yahoo! is all over the Internet, but in a way the company would never have expected.

It all started days ago when Reuters cited some anonymous sources and reported that Yahoo built a secret software to scan the emails of hundreds of millions of its users at the request of a U.S. intelligence service.

At this point, we were not very clear about the intelligence agency: the National Security Agency or the FBI?

The news outlet then reported that the company installed the software at the behest of a Foreign Intelligence Surveillance Act (FISA) court order.

Following the report, the New York Times reported that Yahoo used its system developed to scan for child p*rnography and spam to search for emails containing an undisclosed digital "signature" of a certain method of communication employed by a state-sponsored terrorist organization.

Although Yahoo denied the reports, saying they are "misleading," a series of anonymous sources, therefore, unaccountable, provided media with vague and conflicting info about the scanning tool, its working, for how long and under what authority it was used, and ultimately how it was discovered.

Not an Email Scanner, It was a 'Rootkit' Installed by Government

Yes, now the whole Yahoo saga is getting worse day by day, leaving experts frustrated who are trying to figure out facts from fiction.

The latest twist is a recent Motherboard report, which again cited two anonymous sources, who held that previous descriptions of the email scanning tool were wrong, saying the tool was much more powerful than other sources reported.

These sources — at least one of whom once worked with Yahoo security team — said that in reality, the NSA or FBI had secretly installed a "buggy" and poorly designed "backdoor" or "Rootkit" on Yahoo's mail servers.

In technical terms, a rootkit is a software program that modifies the operating system in such a way that it gives hackers administrative or "root" control over systems without being detected by the actual administrator of the system.

The backdoor was so secretive that even Yahoo's own security team was kept in the dark about the program. So, when the security team discovered this tool, they believed some hackers had installed a sophisticated and dangerous piece of malware.

The team sounded the alarm, after which the company executives told them they had installed the tool at the US government's request, which resulted in the contentious June 2015 departure of Chief Information Security Officer Alex Stamos, who now works at Facebook.

    "If it was just a slight modification to the spam and child pornography filters, the security team wouldn't have noticed and freaked out," an anonymous source told Motherboard. "It definitely contained something that did not look like anything Yahoo mail would have installed. This backdoor was installed in a way that endangered all of Yahoo users."

And, apparently it has been reported that the custom-built rootkit/malware code was super buggy and "poorly designed," suggesting that hackers could have exploited it to gain unlimited access to all Yahoo users' data as well as Yahoo's network, the ex-Yahoo source told Motherboard.

And the worst part is that these attacks would be virtually undetectable by either Yahoo's team or the US intelligence agency because the malicious program was designed in a way that administrators can't see what programs are running under a rootkit cloak.

A separate report at the Intercept also has similar claims. So, it could be possible that the same source is going to multiple publications.

    "The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone's Yahoo mail," an anonymous ex-Yahoo source told The Intercept.

The Whole Yahoo Saga is Getting Worse

Yahoo Chief Executive Marissa Mayer has been criticized across the Internet for complying with the US government rather than fighting back. Internet users are saying it's the latest corporate witch-hunt and, unfortunately, it all arrives just in time for Halloween fun.

This whole saga has already cost Yahoo 1 Billion in losses, according to recent reports. After Verizon had learned about the recent disclosures about hacking and spying in the past few weeks, it is expecting a Billion discount in the Yahoo acquisition deal, which was initially finalized for $4.8 Billion.

The 2014 hack the company admitted recently exposed over 500 Million accounts, which marked it as the biggest data breach in history. However, some unknown sources claimed that the number might be between 1 Billion and 3 Billion.

There are still many unanswered questions like:

    What programs the US government ran on Yahoo's mail servers?
    How long was the rootkit in place?
    Who actually wrote the rootkit/malware code?
    How interconnected Yahoo's other services -- like sports, finance, and photo sharing -- were with its Mail product?
    What exactly the government was looking for?
    Why Yahoo kept its own security team in the dark?

Forcing Yahoo to actually install a rootkit is a very big deal, which is an indigestible thing because info on individuals could be kept secret but forcing a company to install a backdoor on its server is not supposed to be a secret. That's not how things work.

Yahoo has yet to comment on the issue.

Offline Palloy

Re: MIS-REPORTED ?: Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts
« Reply #5 on: October 11, 2016, 04:54:53 PM »
operating out of Germany offers a good email service, which also has a "collector" feature - you give them up to 10 email addresses and passwords, and they go and collect the new emails from them and put them in your GMX inbox.  This will catch all the people who you have forgotten to notify of your change of email address.  When the mail in your GMX Inbox dries up, you can delete your Yahoo/Gmail/Hotmail email accounts.

Of course there's no reason to trust them any more than anyone else, but certainly a lot more than Yahoo.
Yahoo Disables Email Auto-Forwarding; Making It Harder for Users to Move On
October 10, 2016
Swati Khandelwal
Yahoo! has disabled automatic email forwarding -- a feature that lets its users forward a copy of incoming emails from one account to another.

The company has faced lots of bad news regarding its email service in past few weeks. Last month, the company admitted a massive 2014 data breach that exposed account details of over 500 Million Yahoo users.

If this wasn't enough for users to quit the service, another shocking revelation came last week that the company scanned the emails of hundreds of millions of its users at the request of a U.S. intelligence service last year.

That's enough to make a loyal Yahoo Mail user switch to rival alternatives, like Google Gmail or Microsoft's Outlook.

Yahoo Mail Disables Auto-Forwarding; Making It Hard to Leave

But as Yahoo Mail users are trying to leave the email service, the company is making it more difficult for them to transition to another email service.

That's because since the beginning of October, the company has disabled Yahoo Mail's automatic email forwarding feature that would allow users to automatically redirect incoming emails from their Yahoo account to another account, reported by the Associated Press.

All of a sudden it's under development? Here's what a post on the company's help page reads about the feature's status:

    "This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses. If you've already enabled Mail Forwarding in the past, your email will continue to forward to the address you previously configured."

In other words, only users who already had the feature turned ON in the past are out of this trouble, but users who are trying to turn ON automatic email forwarding now have no option.

Yahoo has shared the following statement about the recent move:

    "We're working to get auto-forward back up and running as soon as possible because we know how useful it can be to our users. The feature was temporarily disabled as part of previously planned maintenance to improve its functionality between a user’s various accounts. Users can expect an update to the auto-forward functionality soon. In the meantime, we continue to support multiple account management."

Yahoo is trying to save its Verizon Acquisition Deal

The move to turn off the email forwarding option could be an attempt to keep its customers’ accounts active because any damage to the company at this time is crucial when Yahoo seeks to sell itself to Verizon.

The Yahoo acquisition deal has not yet closed, and Verizon Communications has reportedly asked for a $1 Billion discount off of Yahoo's $4.83 Billion sales price.

As a workaround, you could switch on your vacation responder instead to automatically reply to emails with a note about your new email address.

Delete Your Yahoo Account Before It's Too Late

You can also forego the forwarding process and simply delete your Yahoo Mail account entirely, until and unless Yahoo disables that option, too.

The Reg media reports that British Telecoms customers, whose email had been outsourced to Yahoo, have not been able to set up automatic email forwarding or even access the option to delete their accounts.

    "Sorry, the delete feature is currently unavailable. This feature will become available by the end of September," the error message reads.

So, hurry up before it gets too late.