Massive Yahoo Hack – 500 Million Accounts Compromised

If you are a Yahoo user (which most of us have been at some point) you will already be aware of the Yahoo hack: 200 million e-mail addresses are up for sale on the black market, and it now seems up to 500 million accounts have been compromised in one of the biggest breaches yet.


It seems likely it was some kind of nation-state attack, and the break-in actually occurred in late 2014. So if for some reason you signed up for a new Yahoo webmail account since then, you’ll be safe.

Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email?

The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.

This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.

“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” said Yahoo!’s chief information security officer Bob Lord on Tumblr today.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.


I’m surprised Yahoo is even still around, to be honest; it’s a relic from an era gone by. The only significant impact they’ve had on my Internet in the past decade was to completely screw up Flickr (which I loved).

The passwords are hashed (mostly with bcrypt) and no really sensitive data was leaked (payment details, SSNs etc.), but it’s still a pretty bad compromise.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

Yahoo! has said it will email all those thought to be affected by the theft and is advising everyone who hasn’t changed their passwords in the last two years to do so. If you’ve forgotten your password however, you could be out of luck – security questions that Yahoo! was storing in unencrypted format have been deleted from the system.

Unlike others, Yahoo! doesn’t appear to be offering any kind of credit monitoring service for affected customers, but helpfully includes a link for users to check their own credit records. It also advises users to be on their guard against unsolicited emails.

The statement leaves many questions unanswered. For example – how many of these email accounts are actually active for a start. It’s difficult to imagine that Yahoo! actually has half a billion active email users and a quick poll around the office shows just over half of Vulture West staff have a Yahoo! account but that none of us have used it in the last year.

Yahoo! also fails to point out that the chief benefit to the hackers isn’t going to be their email accounts, but other online identities. People foolishly tend to reuse passwords and security question answers and that’s where the main value of the data comes from.

Unfortunately, if you have forgotten your password and haven’t changed it in the past 2 years you may be out of luck, as the security questions were stored in plain text and have since been deleted.
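The post’s two storage outcomes side by side, as an added example that is not from the original post or from Yahoo: a security-question answer stored in plain text is readable from a leaked table, while one stored like the bcrypt-hashed passwords (salted, slow hash) is not. bcrypt is not in Python’s standard library, so `hashlib.scrypt` stands in for it here; the record layout and sample rows are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example; hashlib.scrypt stands in for bcrypt (not in the standard library).
SCRYPT_PARAMS = dict(n=2**13, r=8, p=1)


def normalize_answer(answer: str) -> str:
    # Free-text answers vary in case, spacing and Unicode form; normalize them first so
    # "Fluffy " and "fluffy" verify the same way without storing the answer itself.
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    # Per-record random salt plus a slow hash: a leaked row must be guessed one at a time.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # plaintext or unknown record layout
    salt, digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    recomputed = hashlib.scrypt(normalize_answer(candidate).encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, digest)


def leaked_answers(records: list) -> list:
    # What a dump of the table gives away directly: plaintext rows expose the answer,
    # hashed rows expose only a salted digest.
    return [r["answer"] for r in records if not r["answer"].startswith("scrypt$")]


# Constructed sample table: one row stored the weak way, one the hardened way.
SAMPLE_RECORDS = [
    {"user": "alice", "answer": "Fluffy"},          # plaintext, as the post says Yahoo did
    {"user": "bob", "answer": hash_answer("Rex")},   # hashed, like the bcrypt passwords
]
```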

There’s also a very interesting article about how Yahoo hired some of the best people in the infosec industry and then proceeded to pretty much ignore them:

Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say

I’m also guessing it’s likely that this will take a toll on the Verizon deal, or at least slow it down.

Source: The Register

Posted in: Exploits/Vulnerabilities, Legal Issues, Privacy




2 Responses to Massive Yahoo Hack – 500 Million Accounts Compromised

  1. oldcrank November 1, 2016 at 10:09 am #

    Maybe flickr is the reason they had that many email accounts?

    • Darknet November 1, 2016 at 2:01 pm #

      Ah yah that’s a good point.