200M Yahoo accounts go up for sale on digital black market

Discussion in 'other security issues & news' started by ronjor, Aug 2, 2016.

  1. plat1098

    plat1098 Guest

    My Yahoo account was among those in the 2014 breach. Among other things, your phone number is stolen and sold. I recall a number of months afterward, I got a spate of spammy phone calls, and had no idea what the deal was. One year after the breach, it was made obvious my Yahoo account was toast. Somebody (ies) made a veritable fortune from these breaches. Just can't grasp the magnitude.
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I have an unlisted number, and I have no problems. So, if my details were stolen back in 2014, when the original hack was carried out, I don't seem to have suffered adverse consequences from being with Yahoo.
     
  3. plat1098

    plat1098 Guest

    It's almost absurd to believe no one at Yahoo was "aware" of this, only after the breach was reported--hmmmm, right. Furthermore, you can now speculate whether some Yahoo people facilitated and profited from the gains of those very breaches. Verizon should throw its offer in the garbage and move on, Yahoo is an albatross.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)

    They were that all the way back in Windows 98, Vista, and XP days.

    Makes one wonder about Hotmail now if it's even still around. Dumped them both many moons ago.
     
  5. guest

    guest Guest

    Don't people find it strange and very coincidental that Yahoo suddenly gets attacked/breached several times since Verizon wants to buy it... to me it seems a very very very unlucky moment for Yahoo's overall value...

    1st business rule : "if the product you want to buy is less good than expected, ask for a lower price..."
     
  6. guest

    guest Guest

    Yesterday I saw the "warning" message for the first time after logging in.
    But I already changed my password some weeks ago. Do I have to change it again now? :cautious:

    There have been a lot of "breach messages" about Yahoo lately, it's kind of confusing :D
    Ok, found a quick overview: #48 - A History of Yahoo Hacks
     
  7. Oleg

    Oleg Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    442
    Location:
    USA
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Has anyone used Yahoo Account Key instead of a password on a cell phone?
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    About two weeks ago, I had trouble logging into my Yahoo Mail account. When I did get back in, there was an email from Yahoo, which partly said: "we noticed an attempt to sign in to your Yahoo account XXXXXXX from an unrecognised device in Singapore." That was a new one on me!
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://nakedsecurity.sophos.com/20...f-yahoo-put-on-hold-after-breach-revelations/
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Senators frustrated with Yahoo's silence around hacks inquiry
    http://www.zdnet.com/article/senators-stonewalled-by-yahoo-silence-over-historical-hacks/
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Yahoo issues new warning of potentially malicious activity on accounts"

    https://www.theguardian.com/technology/2017/feb/15/yahoo-hack-warning-user-data-2015-2016

    Part of The Guardian article citing a statement by Yahoo appears to be misleading or inaccurate:

    "...Yahoo told the Guardian that it first reported the cookie forging in a filing in November 2016 and outlined the issue in a security update in December 2016, although some users are only being notified this week...."

    According to most reports, such as PC World, the "notifications" were sent TODAY.

    "...In a new warning to users sent Wednesday, Yahoo said the forged cookie problem allowed hackers to gain access to user accounts without passwords. The company connected the issue to the breach it reported in September..."

    http://www.pcworld.com/article/3170...count-breaches-related-to-recent-attacks.html

    A report in The Register is to the same effect.

    "...The intruders also snatched session cookies to log into Yahoo! accounts, a detail Yahoo! noted in a December note and has now begun formally alerting customers about..."

    https://www.theregister.co.uk/2017/02/15/verizon_meh_on_yahoo_megabreaches/

    Yahoo's December 2016, Security Update, referenced in The Guardian article, implying that Yahoo began notifying affected customers in December is here:

    "...Separately, our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016...."

    https://help.yahoo.com/kb/SLN27925.html

    Such obscuration of the true facts is in line with Yahoo's recent refusal to fully cooperate with a Senate Committee investigating Yahoo's "Security" Practices:

    http://www.zdnet.com/article/senators-stonewalled-by-yahoo-silence-over-historical-hacks/
     
    Last edited: Feb 15, 2017
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Yahoo emailed me this warning today.
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I got two warnings when I tried to login to my second Yahoo account, using the mobile login. I saved one of the warnings, i.e. pdf file. Not too worried, because it appears it was related to having had some yahoo cookie stolen, but apparently that was all. I have changed my passwords back in December on that account.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    http://www.livecharts.co.uk/share_p...agree--350m-price-cut-for-a-news25580289.html
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, the forged cookie method is very serious, since it allows logging in to accounts without having access to the password. Never really thought about this account hijacking method. But I'm guessing that 2FA would have helped.
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I think I was OK, because I haven't noticed anything untoward, i.e. no increase in spam. None of my saved emails have been deleted.

    By 2FA, you mean 'two factor authentication'? Is that still being used by Yahoo Mail?
     
  18. guest

    guest Guest

    Yes, 2FA can be enabled for Yahoo Mail:
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    :thumb: @mood

    "We'll send your cell phone a code by text or phone call that only you'll have access to." I have it, then. :)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, it's not foolproof either, but it's probably the best way to keep accounts safe.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,899
    Location:
    Texas
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.infosecurity-magazine.com/news/yahoo-execs-security-team-over/
    Ms. Marissa takes a good hit to her "pocketbook." Publicly "drawing and quartering" her would have a more lasting effect.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Correct, I also found it to be strange. But to clarify, I just wanted to give you some general info about 2FA.
     