Yesterday, Yahoo announced that back in 2013, approximately 1 billion accounts were hacked, and information about those accounts, including names, hashed passwords, dates of birth, and more were taken. This is on top of the 500 million accounts that they announced last September had been hacked.
First off, Yahoo was using MD5 for hashing passwords. MD5 was shown years ago to be cryptographically insecure. I know engineers at Yahoo are pretty smart, but this is pretty dumb.
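For password storage the practical problem with unsalted, fast MD5 is that every account with the same password stores the same hash, and a guess can be checked against all of them at once. The Python below is an added illustration, not code from Yahoo or from this post; it contrasts that pattern with salted PBKDF2-HMAC-SHA256 on constructed sample passwords, and the function names (md5_store, pbkdf2_store, pbkdf2_verify) are my own.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample passwords for the demonstration (not breach data).
SAMPLE_PASSWORDS: List[str] = ["password", "password", "correct horse battery"]


def md5_store(password: str) -> str:
    """The weak pattern: unsalted, fast MD5.

    Identical inputs give identical hashes, so one precomputed lookup
    serves every account that chose the same password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the
    verifier can recover the parameters without any side table.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_hash_count(hashes: List[str]) -> int:
    """How many stored hashes are repeats, i.e. visibly shared passwords."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    md5_hashes = [md5_store(p) for p in SAMPLE_PASSWORDS]
    kdf_hashes = [pbkdf2_store(p) for p in SAMPLE_PASSWORDS]
    print("MD5 duplicates:   ", duplicate_hash_count(md5_hashes))   # 1
    print("PBKDF2 duplicates:", duplicate_hash_count(kdf_hashes))   # 0
```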
Second, how do you let 1.5 billion accounts get compromised? Why does Yahoo not take security seriously? In an email to affected accounts, Yahoo said this about what happened:
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.
Here’s what’s worrying about the announcement. They can’t seem to find out how it happened. They posted this on a Tumblr (?!) site:
We have not been able to identify the intrusion associated with this theft.
Wow. Seriously? 10,000 employees and you can’t figure out how your systems got hacked, again?
If you have been affected by this or a previous breach at Yahoo, here is my professional advice:
STOP USING YAHOO!
If you are using Yahoo for your main personal email, stop immediately. Use Gmail. Yahoo has shown it does not take security and the safety of your data seriously, so don’t use them. Even if we don’t take into account that Yahoo was scanning emails for content and giving it to US intelligence agencies, it’s not safe.
Change all your Yahoo passwords immediately. Email, Flickr, Fantasy Football, all of it. Now. Stop reading this.
I have a spare email address there I use for signing up for dubious looking sites and other mailing lists, fantasy football, and some other things and I’m changing my password there just the same.
R.I.P. our data.