Another Yahoo Data Breach

Well Yahoo has just revealed another data breach from 2013 this one affecting about 1 billion accounts. For a link to an article about it see:

But it might be worth changing your password and security questions if you have a Yahoo account.

3 Likes

3 posts were merged into an existing topic: Over 1 million Google accounts breached

Hi @grahroll & @vax2000

Iā€™m not sure why, but the forum brought up a suggestion bubble to merge the new Yahoo hack with similar topics.

I hope you donā€™t mind but I acted on the suggestion and added this topic to the earlier one on the Google breach, and renamed it to a generic ā€œHack attack breaches user accountsā€, so we can discuss all past and future incidents like these on the one thread.

Hopefully, this will reduce information duplication across several threads.

If you have a better suggestion for the thread name, Iā€™m happy to change it or have it changed.

@grahroll If I was a Yahoo user would certainly be not too happy about this at all .

2 Likes

Found an interesting read on Gizmodo . Gives details on what to do about Yahoo breach

2 Likes

Going into the woods seems the best one of that lot :slight_smile: But sure Google is good but it does share your info with marketing and so on, that could be almost as bad as the breach. There is no perfect answer but perhaps some people will at least take a bit more interest in their security and privacy and stop using password, 123456, qwerty, and the other lazy not secure passwords I see nearly everyday.

2 Likes

Good point about passwords @grahroll . Some of my friends are so naive concerning them they are just asking for security issues .

1 Like

Anyone using the internet should change their passwords regularlyā€¦like many businesses do with their own intranets.

It can take years for a breach to be made public (like the Yahoo one) and by the time one knows, there it is little too late.

Changing passwords regularly reducing the direct access to your accountā€¦but doesnā€™t stop the hacking of the whole of the businesses system.

I also see that Yahoo has increased its security in the recent months which is a step in the right direction.

I have a Yahoo account along with Google and firefox. I also use some of their info services, such as Finance, Weather, etcā€¦ Donā€™t we as account users have a right to be notified immediately as soon
as the breach occurs? Why do they wait 3 yrs. before telling us??? Once the media get wind of it??? What happens in the case of "identity theft???
Isnā€™t it a breach on their part??? Iā€™m sure Choice would notify us right away if they were hacked.
Iā€™ts a hassle deleting their account due to all the people that need to be notified

3 Likes

The notification guidelines for data breaches states that ā€œIn general, if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified.ā€ Not doing may breach some of the Australian Privacy Principles, and then in theory it could lead to a penalty from the OAIC.

However, a company can still decide not to disclose a breach on a case-by-case basis. Considerations can include avoiding creating undue anxiety for low risk breaches and to avoid ā€˜desensitising individualsā€™ to notification. Would be interested to hear everyoneā€™s thoughts on this - should we be notified when our data is compromised at all times? Would this encourage transparency and better security, or is this a misdemeanor in an age of open data?

@Digital-Rights

3 Likes

From my readings it appears Yahoo didnā€™t work out how serious it was until they investigated the previous leak. So until about Nov 2016 they were blind to it. From wikipedia about the breaches https://en.wikipedia.org/wiki/Yahoo!_data_breaches :

"In its November 2016 SEC filing, Yahoo! reported they had been aware of an intrusion into their network in 2014, but had not understood the extent of the breach until it began investigation of a separate data breach incident around July 2016.[4][26] Wired believes this separate data breach involved the Peace data from July 2016.[14] Yahoo!'s previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any ā€œsecurity breachesā€ or ā€œloss, theft, unauthorized access or acquisitionā€ of user data.[27]

The November 2016 SEC filing noted that the company believed the data breach had been conducted through a cookie-based attack that allowed hackers to authenicate as any other user without their password.[4][5][28] Yahoo! and its outside security analysts confirmed this was the method of intrusion in their December 2016 announcement of the August 2013 data breach.[2][6] Multiple experts believe that the security breach was the largest such incident made public in the history of the Internet at the time"

So Yahoo knew but had no idea of the severity, which begs the question of what security inspection/audit regime they had in place to begin with?

As to your question Brendan I have to say that notifying is more important so that people can take action sooner rather than later. If someone chooses to ignore the warning that is then their choice, no pun intended :slight_smile: I also believe companies would be more responsive and responsible about data security to avoid the customer backlashes.

2 Likes

I would like to know about a security breach which MAY involve my account straight away @BrendanMays, along with the relevant information about the breach. That way I can immediately change passwords just in case, even if my account was not compromised.

Better safe than sorry.

3 Likes

As being part of the picture, I myself would prefer being notified each time it happened to change
passwords, notify friends, a choice of deleting that website out of my life. Like with YAHOO, itā€™s not
the 1st time it happened and we usually get notified sometime later , maybe even years later.
This last time ,I got the word a short time after the hacking from a GEEKā€™S website and where they
got it from is a good question. Iā€™m sure it would encourage more transparency and better security if
that site was caught outright and had to pay the piper.

4 Likes

Here is an interesting article about privacy and in light of the security bungles perhaps a wake up call to some:

5 Likes

The Yahoo 2013 data breach has now been revealed to have affected ALL 3 billion user accounts. To read the Reuters article on it see here:

This could also really impact the class action lawsuits, as everyone who has held an account could be eligible for compensation.

3 Likes

Wow, thatā€™s one hell of a mess

2 Likes