An Important Message About Yahoo User Security (yahoo.tumblr.com)
510 points by runesoerensen on Sept 22, 2016 | 341 comments



You'd think this would affect the stock price, but currently YHOO is only trading down 8 cents (-0.18%). I honestly see this all the time. What sounds like really horrible news for a company does not affect the price. However, some random analyst or reporter who works at the Mercury Star Sun Inquirer writes a negative article or downgrade and the stock tanks. Doesn't make much sense.


Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.


It's because we all keep logging in to change our passwords.


I often wonder if there really was a Linkedin breach, or if it was just to force people to remember they had a Linkedin account.


Reminded me to delete my LinkedIn account...


Is that even possible? I got a password reset email for a LinkedIn account that I thought I had deleted years ago. I know that sometimes logging in can reactivate an account, but it's been YEARS now. And it was like I was always there.

LinkedIn is like dallisgrass. Pesky stuff to get rid of.


It seems to have worked; at least the recruiters have stopped sending me emails every day about jobs that don't match anything in my resume.


A LOT of people use Linkedin regularly, perhaps not where you live.


Living in France as a good Java dev, LinkedIn sends me little spam, while it is very relevant to get contacted by recruiters whenever I update my resume. I've found my last 2 gigs in my last 3 years (yeah, I'm a software editor who only contracts whenever my income gets low) through LinkedIn. Of course, this doesn't understate LinkedIn's other face, which is made of dark patterns, probably-illegal data hunting, massive spamming problems and doubtful security.


I hardly doubt so.


No such thing as bad publicity?


Right, I feel like my Yahoo! account has been in a perpetual state of compromise since, oh, about 2000.


Increased engagement!


They just need more ads on the forgot password page for life lock and they can turn it around!


500m users is different than 500m active users, plus I wonder how many people use yahoo for fantasy sports and nothing else


Yahoo hosts the email for many ISPs, including AT&T.


Wait, Yahoo hosts all of AT&T subscribers' email, or there is some cross-account link? Important difference.


Yahoo hosts all mail for BT Internet in the UK (the former national telecom, now one of the top 3 ISPs).


The good news about this breach is that it will greatly increase their "active user" count because of password reset logins. That looks good for the buyout deal.

Twitter did this to me right after their last not-so-great quarterly report came out: sent an email saying they have noticed "suspicious activity on my Twitter account and have suspended it. Click this link to reset your password." Which is kinda funny because I never posted one thing to my Twitter account. So locking it for me was the next best thing to deleting it.

When I got the LinkedIn breach email, I too just deleted my account there. Wasn't worth the fretting about security problems.


Nobody said they were active users.


I use Yahoo for fantasy sports. When I signed up I was forced to register a RocketMail account. Logging into Yahoo Fantasy is the only thing I've used it for. I wonder how many other people are in this scenario.

Some hacker might have my password, hopefully they don't pull Aaron Rodgers from my line up this week.


Yahoo's been authenticating me nearly every time I try to access the fantasy app on my phone. They've made me change my password 3 times in the past month or so. And the password I set doesn't seem to work, so I keep having to use their phone based authentication. With all the money that they have, it's hard to fathom how Yahoo is so bad at delivering secure identity services.


I started using their "Account Key" process: any time I log in on the site from a computer, I get a notification from my Yahoo sports app (iPhone) asking me if I would like to allow the login attempt. I actually like it better than the two-factor auth I use for other accounts. Whether it's more secure or not, I don't know.

EDIT: just for clarification, this replaces the password entirely. So I never enter a password on the site.


Can you help me understand how it replaces the password entirely? What if I lost my phone, or just deleted their app? Does it basically fall back to letting you click a link in your email to approve logging in? Or, SMS, or...? I've been skeptical of it.

Fortunately iCloud Keychain means my current Y! password is random as hell and not reused anywhere, but I'm slightly nervous wondering what the hell password I had in 2014 or 2012 or whenever this stupid leak happened. :/


If you don't enter a password, then it isn't two-factor auth at all. It's just swapping one factor (something you know) for another (something you have).


I know that it's not, I just said that I like it better than the two-factor auth that I use elsewhere. If I need to pull out my phone, it's just easier to click my notification and click "approve" than to go to Authy to get the 6 digit code and type it into my computer.


Sorry, I misunderstood your statement. I thought you were comparing it to 2FA elsewhere. Now I see that you were just comparing it to the second factor elsewhere (not the whole 2FA).


If something you have requires a password, you still have two-factor. Kind of.


Right, but in this case, it does not require a password. So it is not two-factor.


Yahoo is still big in Asia. The US is just a 300 mil people market. There are giant internet companies that US consumers never heard about.


I don't think investors are quite that stupid. First that was 500m users in 2014, not today. It also doesn't say active so it's likely some subset of a total. I wouldn't be surprised if Yahoo had even more than 500m accounts in 2014 and today but I would be SHOCKED if they had nearly that many active users.


Yahoo currently is clocking around 900M - 1B monthly uniques.

Consider that third-party tracking still places Yahoo as one of the top trafficked websites in the world, with only Google, Baidu, and Facebook higher.

Full disclosure: I work for Yahoo.


Monthly uniques? Oh come on... what's the daily?


Oh, I'm well aware of the uniques; Yahoo is ranked #5 in Alexa worldwide. Uniques do not count as users, however, and my original conjecture stands in my opinion. Now if you have active monthly user data, that would be awesome to see :)


I'm not sure what you're trying to say. The algorithms adjust for bots, spam, cross-platform duplication, etc. 900M - 1B is defined as the Monthly Active Users figure.

Naturally, there are areas where we know the algorithms are not translating the inputs to real users with 100% fidelity, but we know that the discount is relatively minor, not nearly as substantial as you're suggesting.

Multiple counter-parties had their teams diligence our user figures and associated algorithms and found them to be generally accurate representations.

Unless you're using a different definition of "active, monthly user" that deviates from the industry norms?


> 900M - 1B is defined as the Monthly Active Users figure.

Okay, that's the disconnect. Monthly uniques typically count unique accesses of a web page by non-bots / spam. This is how I've seen it defined in every analytics software package I've ever used. Monthly active users is a vastly different concept, as it implies repeat access within the month.

Though judging by the downvotes on my parent comment I'm guessing my thinking of the terms is NOT standard? Not going to lie I'm a bit confused around this. I'm going to have to look into it more.


Sorry, my mistake for being loose with my own terminology. I thought it was implied that I meant unique users, which, given my own comment about terminology, was a bit hypocritical of me.


Maybe the parent would define a "user" as someone with an email and password in a users table?


Exactly.

Unique visitors versus active accounts.


Entirely likely it's not 500m, for sure, but I would not be surprised if it's still in the hundreds of millions of active email accounts. Lots of elderly folks got hooked on a Yahoo email account and just won't give it up. I can say, based on consumer emails I've seen in some of the systems I've managed, Yahoo still clocks in as a pretty solid 15-20% of email addresses of active users, which isn't a small figure (Gmail is of course higher, and major ISPs round the bases).


What? You're inferring this is actually part of a marketing campaign?


Conflicted?


Sure. But somehow, among a sea of replies that either don't care for my joke, or who just don't understand that it is a joke, yours manages to be the most off-putting.


Yahoo is still the number one or two site in Japan, and with a very old design and logo to boot.


Yahoo in Japan is a different company. It belongs to a different group now, so don't count it in.


Yeah, I was wondering about that when I posted (too quickly). You're right of course, though it turns out that Yahoo! still owns 35 percent of Yahoo Japan, basically the same amount as Softbank, a major Japanese ISP I believe.

http://ir.yahoo.co.jp/en/holder/status.html


bants


Actually, the stock price is being majorly affected today! YHOO usually tracks BABA quite precisely, and BABA was up big today (+3.5%). This usually means that YHOO would be up around 2%, which equates to nearly $1.00 in upside. Instead it was flat today.

To make matters worse, YHOO has actually fallen off quite a bit since BABA reached $105/share 1.5 weeks ago, and YHOO corresponded with a high of around $45. If you do the math, with BABA currently nearing $110, YHOO should actually be just north of $46.

tl;dr YHOO shares are actually suffering, but it's harder to see if you're not familiar with the underlying mechanisms at play.


Almost all of Yahoo's value is in its Alibaba holding.

https://www.bloomberg.com/view/articles/2015-12-02/yahoo-is-...

"Yahoo's actual core business of being Yahoo (and Tumblr and whatever) is worth negative $13 billion"

"Even after deducting 38 percent from the value of [the Alibaba shares] to account for taxes, you get a value for Yahoo's actual business of just $1.7 billion"


Actually the part you elide is technically not [the Alibaba shares] but [the Alibaba and Yahoo Japan] shares. But it doesn't really weaken your argument as much as it seems to be, because Yahoo Japan is really separate from Yahoo, despite the name.


YHOO is being bought by Verizon. The stock price will not move out of a fixed range.


YHOO still owns a chunk of BABA. If (for whatever reason) BABA shoots up (or down), expect the stock price to follow very closely.


Hm, I didn't know that. It's mildly funny, because the company that owns Sprint (Softbank, who recently bought ARM) also owns Yahoo Japan.


Could Verizon be buying every share under a given price, to cheapen the deal? Would this be allowed at this point in the negotiation?


Many hedge funds spent time analyzing the effect on a stock price after breach disclosure. From what I read, overall the only negative effect comes if the breach is repeated over a longer period of time in the media. But as Elena Kvochko put it, "shareholders are numb to news of data breaches" [0].

[0] https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-pr...


YHOO mostly tracks BABA. BABA is up over 3% today. If YHOO is flat, then it's actually down about 3%.


> YHOO mostly tracks BABA. BABA is up over 3% today. If YHOO is flat, then it's actually down about 3%.

This is correct. For reference, $YHOO, $BABA, and $SPY all on one graph:

https://www.google.com/finance?chdnp=1&chdd=1&chds=1&chdv=1&...


It doesn't affect stock price because it doesn't really affect the money being made. There aren't going to be any huge fines that need to be paid, and they aren't really going to lose customers explicitly due to this. After all, it was _hackers_ that broke in and did bad things; you can't completely protect yourself from hackers. If the difference between having a secure company and an insecure company were cut and dried, then it might have an effect. But the entire security landscape is so nuanced and complicated that the average person watching/reading the news isn't going to know the difference between 2 different companies (one with good security practices and one without).


I wonder whether a marketing campaign focused on security would be effective. For example, "We are the only accounting software to use end-to-end encryption of your financial data. Don't trust your sensitive data with anyone else!"


The horrible news is already baked in. The entire value of the company is Alibaba. If this breaks the acquisition or causes shareholder suits, then it's a problem.


It only matters if it affects how people interact with Yahoo's business or if it results in fines or lawsuits. Since it probably won't do any of these, it does make sense that it doesn't affect their share price.


In this case, most are looking to how Verizon responds. The share price should be near equivalent to acquisition price. Verizon pulling out of the deal would see it plummet in my opinion.

Edit: acquisition offer usually priced into share price, harder to calculate in this situation since Verizon isn't buying the whole company and all assets.


It is almost certain that this evolving risk was disclosed to Verizon (and other officially interested parties) during the initial stages of the sale negotiating process, and could well explain the difficult gestation of the Yahoo sale. Note that standard procedure would have been for interested parties wishing to enter into formal discussions, to sign watertight non-disclosures at the risk of very big legal liabilities if they don't abide by them. Any M&A professional would know that the valuation hit of "owning up early" is much smaller than the catastrophic effect of trying to hide such a thing until the inevitable noisy leak.


Isn't this news old though? The original news was from Aug. Today, they are just confirming that it was accurate.

Original news: http://www.bbc.com/news/technology-36952257

On that day, the stock dropped 1%.


It makes a lot of sense if you consider that most users don't give a damn about security.


They do when their identity is stolen.


Harvard Business Review has a pretty good paper on this.

https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-pr...


Two reasons:

1. this leak is old, we found out about it in August

2. Yahoo is already heavily discounted to the point where without BABA they have a negative value.


Stock price is defined by the expectation of future earnings. If investors have seen in the past that security breaches have no impact on other businesses, why should they react to this? SONY had a much worse security breach not too long ago (with stuff stored in plain text!) and people kept using SONY online services anyway.


Security mistakes do not make lasting impacts on stock prices in my experience. They tend to be a little hiccup, but afterwards things keep moving along on the existing trend.

A cluster of security mistakes in other companies does seem to increase the price of stocks like FEYE, CUDA & FTNT.


> You'd think this would affect the stock price, but currently YHOO only trading down 8 cents (-0.18%).

Why would the stock be affected? Yahoo emails are free. Even if the majority is hacked, this won't make a dent in their revenue streams, which come mostly from advertising.


Yahoo is being bought by Verizon, so unless VZ now decides not to purchase YHOO, the stock price is pretty much hard-coded. Otherwise there would be an arbitrage opportunity.


Yahoo are forever having security breaches. I think people kind of take it for granted.


Horrible how? Was anyone ever significantly penalized for being hacked?


Yahoo has zero value as a web property. What value there is on the name and the advertising side.


> Yahoo has zero value as a web property

What!? Surely you're being flippant. Alexa currently ranks Yahoo.com as #5 worldwide and in the United States. NUMBER 5! How anyone could think that has zero value makes no sense to me.


Yeah I keep hearing the same thing, but obviously it's at least worth around what Verizon paid for it. I think it's actually worth more, but there is so much hate for the company and its management team.


While the thing you're responding to is obviously idiotic it occurs to me that the sanity of the valuation of Yahoo! is not "obvious" at all. It's a result of the application of partially visible heuristics to determine the worth of things like users, views, "talent," and etc, all passed through back-room dealing at the executive level and bargaining behind closed doors.

The reason I bother coming here to say this is that I think the idea that 4.8 billion dollars "makes sense" to an outsider is endemic of thinking that leads to a dangerous lack of regulation. In other words, I'd be careful not to assume that the left hand always knows what the right hand is doing in companies at this scale.


Your statement doesn't imply value at all. If I created a web site that gave every visitor $1, it would amass an amazing number of visitors, but would be a worthless business.


Yahoo are giving away money? No, of course not. So how does your logic apply? People are visiting Yahoo because they want to use Yahoo services ... even if they're not, then they're still visiting, and that is valuable to online businesses, where a lot of marketing goes into just getting visitors.

> it would amass an amazing number of visitors, but would be a worthless business. //

You'd get in serious debt. But the website would still be worth something afterwards, not what you paid, but it would have a significant value. Good marketing could convert some of those repeat visitors looking for free money. Indeed, it actually sounds like not a half bad idea! Give away money via paypal/bitcoin or some such up to a limit for a few days, network effect is going to amplify that, then stop and lay out your stall .. if your stall was using bitcoin/paypal for micro payments then double+plus+good! You'd have stories in press around the world, everyone would be sharing your site ("Hey I got free money 2 days in a row at example.com").

Want to cause a riot? Release $100k in $1 notes in public in a busy, large, public space (Central Park?). Say you'll be back next week ... how many millions of people do you think you could attract, how many the 3rd week!!? How much would the press coverage and whatever brand association you could muster be worth?

Anyway, I digress.


To the parent comment's point, this is the sort of thing that should have a negative effect on brand/name.


The price of the stock has little to do with how the company does its business or what it does.

It is as much about other investors as it is about the company itself.

The motivation there is pure profit, not some higher moral purpose or justice or "make the world better" idealism.

The stock price indirectly affects the company performance, just as the company performance affects the stock price, so it's a feedback loop (or conflict?) created between the investors and the company.

Apparently, investors think that this hack won't affect yahoo's performance or stock price.

This is just my interpretation of it, of course. I guess very few people (if any) actually understand all the forces at play here.


"State sponsored actor". I wonder how they decided that. Did the hackers plant a flag inside Yahoo's data center? Or is any attack originating from outside the US now considered state sponsored? Of course, we will never see any proof of this.

Also, did it take them 2 years to discover this breach? That's bad. Or do they just announce it now? That's worse.


Yahoo shouldn't be doing the attribution, it's a conflict of interest[0].

At the moment the standard for incident disclosure is "eventually disclose the leak to users", which some companies, like Yahoo in this case, really stretch.

I'd like to see the standard become engaging an outside firm and have them release as much information as possible so that the techniques used, information stolen, potential attribution etc. can be reviewed and benefit everybody.

The statement so far from Yahoo benefits only Yahoo (specifically Yahoo management).

The stolen Yahoo accounts were listed on a DNM market a few months ago. That is how we found out about it (I suspect that is also how Yahoo found out about it). That is one of the only data points we have on the outside and it points away from the attack being state-sponsored.

[0] Some would argue that the research / attribution firms are only a little less conflicted since they sell products that aim to prevent the same state-sponsored attack.


Why would a nation state actor sell it so cheap on the black market?


> Yahoo shouldn't be doing the attribution, it's a conflict of interest

What about that would be a conflict of interest? (Just curious)


Their interest is in making the attack look more sophisticated than it may have been, making them look less incompetent because they'd be one of many victims of state-backed hacking (they even say that in their statement).


I think it has to do with the sophistication of the attack. If they used multiple zero-days, multiple pieces of custom coded software, and a team of operators working full time for long periods of time then it can be assumed it's a multi-million dollar effort involving a large team of engineers. In such a case the list of potential adversaries can be reduced to corporate or state actors.


It is PR. It makes them seem less incompetent if the attack was performed by a "state sponsored actor".


I agree, but the typical PR spin tends to be "a sophisticated adversary". It'd look bad to say an attack was state sponsored if you didn't have good reason to believe it, since that's a pretty specific accusation.

My guess is they hired a firm that actually knows security - probably FireEye or Crowdstrike - and their analysts came to that conclusion.


> since that's a pretty specific accusation.

No it's not. It's an entirely vague specification.

Was it the Russians, the Chinese, the NSA?

It's also something they'll never have to prove or verify so from a PR perspective it makes you look far less incompetent if you say 'state sponsored actor' instead of '17 year old high-schooler from Estonia'.


>It's also something they'll never have to prove or verify so from a PR perspective

I disagree. In breaches like these, attribution discussion begins pretty quickly after the announcement. If researchers find evidence it was some script kiddie or a black hat group or whatever, that would embarrass Yahoo even more.

If you don't know who the attacker is, you have nothing to lose by saying you were compromised by a sophisticated adversary in a targeted attack. You have more to lose by saying a nation-state attacked you if they actually didn't.


> It'd look bad to say an attack was state sponsored if you didn't have good reason to believe it

Did you just say it would "look bad"? They just had one of the biggest data breaches in history..


It'd look worse if security researchers started poking holes in their story. (Which has happened before for other breaches.)


It seems like the Hillary/Russia thing has everyone thinking, without any evidence, that it's always fake when a state actor is accused. I don't see any reason to doubt them, do people think that countries are not trying to hack into these systems?


Exactly. I see no reason why a "state sponsored actor" would spend "millions" on hacking Yahoo, to turn around and sell the stolen data for $1200 on the black market.


> I think it has to do with the sophistication of the attack.

The security team probably sees thousands of attacks every day, mostly automated but probably a dozen a day targeted/custom. If one gets through the security, that is of course more sophisticated than all the other ones, plus it outsmarted the security team and developers, so you'd hardly tell your boss "we were too stupid". Instead, it came from China* so state-sponsored is a good text to write.

*Or something like that. Enough infected computers there to go around (or government cares little enough if you rent a server).


>potential adversaries can be reduced to corporate or state actors //

Don't black-hat hacker groups exist?


Yes. There have been several that operate at a level equivalent to state-sponsored actors.

"Corporate adversaries" are pretty much a myth, or are just a black hat group hired by a company.


While they might have seen some patterns of IP or other tell-tale signs (originating from specific IPs), it is also a powerful PR move.

What sounds better?

A) We were hacked by a very powerful state sponsored enemy with an army of experts and a billion dollar budget.

B) We were hacked by a bored 18-year-old kid from Nova Scotia.


Yeah, unfortunately I think this has become a trend. If a big company gets hacked, they can just say "Well, this sucks, but what could innocent helpless little us have done against a whole country like [Russia, NK, Iran, other stereotypical boogeyman to American audiences]?" It's quite transparent BS in every case I've seen thus far (prominently, Sony and the DNC), but it definitely earns the hacked company some sympathy, and it allows them to feel more important and make others think they're important enough for a nation-state to try to steal from them.

Since it's worked a couple of times, now everyone is going to pile on. I expect every major data breach over the next few years is going to be perpetrated by an ethereal "state-sponsored actor".


Technically, NSA would also be a "state sponsored actor"


So would any corporation receiving government aid, support, favors, funding, grants, etc...


Or some bored kid on welfare.


All hacks have signatures... usually the tools used by the hackers to compromise the system.


> all hacks have signatures.. usually the tools used by the hackers to compromise the system.

There's always the more basic:

    echo "Russians wuz here!" > /var/tmp/hacker.sig
(Bonus points to readers who understand why /var/tmp instead of /tmp :D)


> (Bonus points to readers who understand why /var/tmp instead of /tmp :D)

Because many newer Linux distributions mount /tmp as a tmpfs that gets zapped when the system shuts down. Do I get a no-prize?

> echo "Russians wuz here!" > /var/tmp/hacker.sig

Oh, that brings back memories of an incident involving Serbian/Romanian malware at a former employer of mine... when I got into the box to figure out why it was attempting to DoS Caltech, I found a complete set of DoSing tools in /root with comprehensive documentation in Romanian, plus a quick 'who' showed that the attacker was still logged in over SSH, so I looked up his IP and it came up as being somewhere in Serbia. After that, "Serbian Malware" became a meme at that company (and I quickly made sure to patch the hole -- the result of a stupid, stupid mistake that I take responsibility for -- to make sure it couldn't happen again).



That means nothing. If a hacker somehow managed to get tools previously used by a state, that doesn't mean the hacker now works for the state.


Didn't a cache of supposedly state-sponsored tools just get auctioned off by a group who (supposedly) compromised a machine which was under the ownership of one of the three-letter groups? [0]

Seems to give more credence to the viewpoint that the tool doesn't indicate the perpetrator too easily.

[0]: https://www.wired.com/2016/08/hackers-claim-auction-data-sto...


If I hand you an F-16 and you use it to do damage that would indicate possible US air force involvement. If the F-16 that attacked me was preceded by advanced ECM, suppression of air defenses using stand-off munitions, and was performed in a particular precision attack pattern then US air force involvement would be much more likely. These signatures are not just about the tools, but the opsec and procedures that the hackers used to deploy the tools, how they moved laterally to the target, and how they exfiltrated the information. It is the whole package that identifies a real state-sponsored actor vs a freelancer with access to a bag of zero days.


Well, the F-16 is used by over two dozen nations. So its use wouldn't indicate anything.

Some of the nations that use the F-16 are also capable of the things you say prove US air force involvement. Even then, that's a bit of an extreme analogy.

How about we pull down the analogies to be more in line with what more likely happened? Like, someone used a truck to rob a bank and people think a manufacturer of trucks is somehow responsible?


So, what would be the "signature" of a state-sponsored actor, what in this sort of hack costs money and resources on the scale of "[physical?] suppression of air defenses"?


It's not so much about scale as about characteristic types. If you find that the air defenses were suppressed with anti-radiation missiles that the US doesn't sell much or at all, that makes it reasonable to find US involvement more likely than the bombs just having come off an F-16's racks does. That's just as true whether one such missile was used, or one hundred.

(In military parlance "suppress" usually means not specifically to destroy, but to render ineffective. For example, at the infantry level, "suppressing fire" isn't intended specifically to kill members of an enemy formation, but rather to make them keep their heads down so as not to die, rather than doing something useful like actively opposing a move by another of your fire teams. In the case of anti-air defenses being suppressed to clear the way for an air attack, though, the tool of choice is going to be a standoff anti-radiation missile; see "Wild Weasels" for more detail on how it's done.)


Isn't the signature of state sponsored hacking basically:

1) careful, narrow targeting 2) sophisticated tools 3) being covert as possible 4) really being covert as possible

Going for account info for 500 million accounts doesn't really fit #1.


Going after authentication info (esp. the security questions) _is_ a narrow target. You are probably looking at a couple of tens of GB total. If you get away with it clean you can also then go back in and hit specific targets using that authentication info, so you walk away with a useful basket of data that does not reveal anyone you might have targeted but in turn makes it easier to go after those targets in the future.


To avoid being caught targeting one person you could choose to target all of them.


Helps to "save face", when all 0-day exploits are now considered "state sponsored"... otherwise they'd have been reported within the bug-bounty program... who else pays more? Hostile governments, of course =)


Attribution is hard.


"I mean, look at this: it was a STATE-sponsored-entity that did that to us! We were overwhelmed... Did not stand a chance... I need a hug..."

- At least this is how I interpreted it. They put in all the right words: "threats, Industry, government, crosshairs, strategic".

Edit: "...by what it believes is a state..."??? Who is IT?


If they claim it was a state-sponsored attack and then a non-state-sponsored hacking group makes a credible claim to have been the perpetrators, Yahoo will look even worse than they do now. I doubt Yahoo is saying 'state-sponsored' just for PR.


Has anybody found out who was behind any of the recent and not so recent large scale DDoS attacks also talked about here on HN?

Besides, "they" don't claim anything. "They" cleverly claim that "_it_ believes" it was a state-actor. Who is this _it_ they conveniently hide?


The whole article refers to Yahoo in the third person, and "it" is also referring to Yahoo.

Occam's Razor applies here: the simplest explanation is that they are telling the truth, insofar as they have been able to establish it.


In a communist country, isn't every corporation a state actor ;) ?

Also, although of course many states could do something with the data... I still wonder why they'd auction it on a marketplace.

We'll later learn that Archive.org bought the data... "to bootstrap their new museum on Internet archeology" /s.


While attribution is difficult and sometimes impossible, if you find that the attacker used custom malware/infrastructure also seen in other attacks, it is likely that it's the same attacker group. And in some cases, it's known that certain groups work for certain governments.


"The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords but may not have included unprotected passwords, payment card data or bank account information, the company said."

What's the difference between "may have" and "may not have" in this context?

It seems like they're saying anything could have been stolen.


It's lawyer talk. They don't want to say anything definitively in case they have to walk it back.


That is an incredibly deceptive sentence. They should have listed everything under "may have", unless I'm misunderstanding because they used some convoluted English.


The way I read it is that the stolen data has a relatively high probability of including the first set of things, but a relatively low probability of including the second set of things. They don't want to say definitively for whatever reason.


I take it as "as far as we know, these weren't stolen, but don't sue us if we turn out to be wrong".


Possibly, although they may have phrased it that way precisely to elicit your generous interpretation. Even in the scenario that they knew unprotected passwords were just as likely to have been stolen as properly protected ones.


No, it's intentionally deceptive.


I don't know about that, sounds to me like they're still in the process of investigating and they don't want to use any absolutes. "We think these were stolen, but we don't think these were" is what I take from it.


Or perhaps wasn't stolen, during the year that may or may not have been 2014. Sorry, ALLEGEDLY 2014.


They seem to be trying to strike a balance between warning their users, which has to happen quickly, and knowing for sure what happened, which takes a long time to figure out.

If they are opting more toward informing users quickly, then their language can't be definitive yet.

IMO this is a good thing--much better to warn people soon, than sit on the news for another month until they've completed the forensics.

If they haven't detected any sign of intrusion on their payment servers, then it would seem those did not get hit. On the other hand, it took them until now to detect the 2014 account intrusion! So it's still possible that they will discover some problem on the payment servers as they dig deeper. Hence the use of "may not" vs. "did not."

> It seems like they're saying anything could have been stolen.

Well yes, once you know the bad guys were inside the perimeter, it's hard to rule anything out. It's possible to construct a network with internal defenses as strong as the external defenses, but most networks are not built that way. Most are still soft on the inside--get root on one server and there are pathways to others.


> may not have included unprotected passwords

Yeah, they shouldn't have unprotected passwords in any way, shape, or form. The statement makes it sound like they do store unprotected passwords, but they don't think those were stolen.


I read it as perhaps some old dormant accounts never got migrated out of an ancient DB, and may have been picked up with the rest of the data.

Yahoo is an old company, I'm sure procedures have changed drastically over the years.


Is that good? What you're saying is that they have poor data handling and sunsetting protocols.

UK law requires that personal data is not kept for longer than is necessary and is securely handled and such. So if those passwords in an "ancient DB" had personal data associated with them (real names, say) then they've been breaking the law (for a long time, is the implication).

Surely if you had passwords in old DBs then when you introduce hashing you salt and hash them and sanitise the DB and all backups ... having them still hanging around is a significant failure too. But yes, not as significant as having plaintext passwords in DBs now would be.


Interesting point on the UK laws, but I doubt PII is kept alongside login data, just referenced, and removed as needed without removing a user's login credentials.

Far from an expert, but hasn't flagging an account as needing a password change on next login been used as a way to migrate to properly encrypted passwords in the past?


Often. But you want to back it up with a blanket invalidation and password deletion after some grace period, to deal with the case where the user just never logs back in - and a password reset process outside the auth flow, to handle anyone who comes back after that.


A strategy that has worked great for me transitioning off of poorly-thought-out legacy password storage schemes is to take the "bad" hash you have for everyone and treat it exactly as you would a plaintext password - in other words, salt and properly hash it the same way the new passwords are done. Then I delete the unsafe hash and flag that account as "use the old hashing scheme on the password first before normal authentication process, then correctly re-hash and salt the password and store it normally."
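The wrapped-hash migration described in this comment, combined with the grace-period invalidation from the earlier reply, as an added example that is not part of the original thread. It assumes a constructed legacy scheme (unsalted MD5 hex) and uses PBKDF2-HMAC-SHA256 from the standard library as the new scheme; the user record is a plain dataclass standing in for a database row.

```python
# Added example (not from the HN thread): retire a weak legacy password hash by
# wrapping it in a salted KDF offline, then upgrade to a direct KDF of the
# plaintext on the user's next successful login. Wrapped records that are never
# logged into within the grace period are invalidated and must go through reset.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000          # tune for your hardware
GRACE_PERIOD_SECONDS = 90 * 24 * 3600  # after this, un-upgraded users must reset


def legacy_hash(password: str) -> str:
    """The weak scheme being retired (constructed stand-in: unsalted MD5 hex)."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf(secret: str, salt: bytes) -> bytes:
    """The new scheme: per-user salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    # True while `digest` is KDF(legacy_hash(password)) rather than KDF(password)
    legacy_prehash: bool = False
    migrated_at: Optional[float] = None   # when the wrapper was applied
    must_reset: bool = False              # set once the grace period has lapsed


def migrate_legacy_record(old_md5_hex: str, now: float) -> UserRecord:
    """Offline step, no user interaction: treat the old hash exactly like a
    plaintext password (salt + KDF it) and discard the old hash entirely."""
    salt = os.urandom(16)
    return UserRecord(salt=salt, digest=kdf(old_md5_hex, salt),
                      legacy_prehash=True, migrated_at=now)


def create_record(password: str) -> UserRecord:
    """New accounts (and password resets) go straight to the new scheme."""
    salt = os.urandom(16)
    return UserRecord(salt=salt, digest=kdf(password, salt))


def verify_and_upgrade(rec: UserRecord, password: str, now: float) -> bool:
    """Login path. Returns True on success and upgrades wrapped records in place.
    A wrapped record past the grace period is refused and flagged for reset,
    so the wrapper never lingers indefinitely for dormant accounts."""
    if rec.must_reset:
        return False
    if rec.legacy_prehash:
        if now - rec.migrated_at > GRACE_PERIOD_SECONDS:
            rec.must_reset = True
            return False
        # Apply the old scheme first, then the new one, to match the wrapper.
        candidate = kdf(legacy_hash(password), rec.salt)
    else:
        candidate = kdf(password, rec.salt)
    if not hmac.compare_digest(candidate, rec.digest):
        return False
    if rec.legacy_prehash:
        # We now hold the plaintext: store a direct KDF of it and drop the wrapper.
        rec.salt = os.urandom(16)
        rec.digest = kdf(password, rec.salt)
        rec.legacy_prehash = False
        rec.migrated_at = None
    return True
```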


The other possibility is somehow intercepting them between SSL termination and hashing.


That's a good point. If they got ahold of Yahoo's cert key they could even grab passwords before SSL termination.


Not passively anymore: login.yahoo.com is negotiating PFS ciphersuites which the private key can't decrypt without a copy of the ephemeral ECDHE parameters.


"may have" = "is likely to have", "may not have" = "is not likely to have".


Similar language to athletes denying drug rumors. "I have never knowingly taken an illegal supplement, and have never been notified of having failed a drug test."


Well, "anything could have been stolen" is always true of all data stored anywhere.


Moving email addresses out from one provider and creating another one is more difficult than moving phone numbers (in the latter case, number portability could help, if available).

What exactly can an average/common end user do for such incidents, even if it is to avoid them in the future? I use different passwords across accounts, with all of them being somewhat complex or very complex.

I have looked at a few different paid service providers before, but they're all very expensive. Expensive for me is anything that charges more than $20 per year, or worse, charges that amount or higher for every single email address/alias on a domain. My use of email for personal purposes is writing about a handful of emails in an entire year, but on the receiving side, I get a lot of emails - most of them somewhat commercial in nature (like online orders, bank statement notifications, marketing newsletters I've explicitly signed up for, etc.). I also have several email addresses, each one used for a different purpose and with some overlap across them.

It seems like web hosting has become extremely cheap over time whereas email hosting has stagnated on the price front for a long time.


Moving to a new email address (and taking all your existing mails with you to the new inbox) is actually far easier than changing phone numbers.

Almost all (old) providers let you set up a mail forwarding (to the new provider). But even better, several services let you set up some fetchmail-like program where it imports all the messages from the old provider, e.g. via POP3 or IMAP, and even deletes them with the old provider, if you want.

Nevertheless, I fully agree with you that email services are much too expensive. Given the current market prices, Fastmail, for example, is great and worth its money.

We're told to spend some money on good quality software and services.

But: If I (and even more so the average non-technical user) pay 99 USD/year for Dropbox, 50 USD/year for Fastmail (because you want your own domain), 10 USD/year for the actual domain (separately), 100 USD/year for my quality newspaper subscription, etc. -- and all this is just for one person in my family (i.e. me) -- you soon end up not having enough money for the "real" things in life.


> [...] pay 99 USD/year for Dropbox, 50 USD/year for Fastmail (because you want your own domain), 10 USD/year for the actual domain (separately), 100 USD/year for my quality newspaper subscription, etc.

I went for Mailbox.org, you get 25 GB for email AND 25 GB for documents, all for €4.50/month, about $60 per year. You also get calendar/contacts/tasks with web based apps for all of the above, plus word processor and spreadsheet. They support open standards (CardDav/CalDav/WebDav) so you can choose among several clients on any platform, and they seem to have a good track record with regards to privacy.

This, however, is offset by the fact that my "quality newspaper" subscription is about AUD $350/year, LOL

Disclaimer: I am not associated with Mailbox.org in any way, just a happy customer (at least for now!).


FastMail has working tech but customer service leaves a lot to be desired. Google is leagues ahead of them there.

It's better than Office365 support though.


For me FastMail's customers service has been better than Google Apps.

And I've had fewer issues in general with FastMail. Google Apps has some crazy limits, like on the number of IMAP connections or email aliases, you can't normally change the primary domain, you can't set up an abuse@ alias, etc, etc. and contacting Google Apps support does no more than get them to tell you what's already written in the docs.

And I mentioned in another mail, but FastMail's IMAP import and POP3 links work, whereas this functionality is broken for Gmail and Google's support won't help you ;-)


My experience has been entirely the opposite of yours. Fastmail has excellent (and personal) customer service whereas getting ahold of someone at Google is nearly impossible.


Truth be told, with Google Apps you get phone support, and email support usually answers within 24 hours in my experience.

Problem is they couldn't help me much when I had problems. Google Apps has serious limits and contacting support won't help you get around those limits. Most of the time support just tells you what you can already find in their online docs.

They only solved two issues for me: (1) when I wanted to change my primary domain, after 2-3 months of asking them repeatedly, they finally enrolled me into this beta program and finally changed my primary domain. And (2) when I upgraded to the annual subscription and then changed my mind, they reverted me to the flexible pricing. On the other hand they couldn't even help me with an import gone wrong.

With FastMail I have had a good experience thus far.


> They only solved two issues for me: (1) when I wanted to change my primary domain, after 2-3 months of asking them repeatedly, they finally enrolled me into this beta programming and finally changed my primary domain.

Were you on the grandfathered free tier? It seems to be quite trivial to change the primary domain if you're on a paid tier.


No, I was on the paid tier. If you're talking about September 2016, maybe. I was talking about 2015, being just an example of how Google's support was unhelpful.


Google has absolutely no customer support whatsoever. I don't know anything about FastMail customer support, but it's hard to argue it's worse than no customer support.

Unless customer service means something different than customer support. What does it mean?

Personally, I use Google Apps for Business and since a few months ago, Hangouts hasn't worked correctly any more. It's almost unusable at times.

What can I do? Who can I complain to? How can I escalate this? Absolutely nobody can help me.

Once I figure out a feasible transition plan from Hangouts, I'm done with doing business with Google.


I guess I'm the outlier here. I signed up for a paid personal account while trying to sign up for a business account. The custom domain option being available for a personal account threw the wrench in my plans.

The tech support rep who answered barely understood their platform and kept giving me incorrect instructions. It took a long while on the phone with that rep to get the account moved to a business account.


I have had good luck with fastmail.com, but at $30/year for the entry-level option it sits in what you classify as the "expensive" category.

For a dedicated service with keen developers and ongoing product development (yay U2F support), great and accessible support, reasonable expectations of privacy, it has been well worth it. YMMV, of course.


I've been using fastmail. I don't necessarily like it better than gmail, especially since I use hangouts for most of my conversations. However, I outright dislike their mobile app; it won't load with no internet connection, like it doesn't cache anything. So maddening. I've been using it a few months paying $5/mo, but will likely discontinue it soon.


Thanks. That $20 a year was just an approximate amount. I wouldn't mind paying a little more.

I've seen Fastmail recommended multiple times and have looked at it. Considering that I would actually want at least three or four "users" (access wise), the plans are quite expensive. The fact that each user can have up to 600 aliases (which sounds great and is useful) doesn't matter much to me since the billing is per user (as opposed to some kind of mix and match of users and aliases). This makes their business model not suitable for my needs.


Zoho has a free, ad-free service¹ that allows: 1 domain, 5GB per user e-mail hosting, and 5GB per user document storage for up to 25 users. Pricing seems reasonable beyond that. They provide incentives in the form of additional users for referrals (my referral code: WX7yxEKy). They also support 2-factor authentication.

¹ https://www.zoho.com/mail/zohomail-pricing.html


I love how every time a company is compromised, everyone pops with their own "uncompromised" service offer.

As if this one would never get compromised and they were much better at it. Except they probably aren't. Bet the devs have all keys on their "work" laptop (you know, the one with stickers that they take home, to starbucks, on vacations, watch their movies on, etc.) (like everyone else is doing)

Sooo narrow-sighted.


I think it's useful information. Many people are not aware of alternatives.

Plus, it would be better for all concerned to have 25 smaller companies with 20M accounts each than one company with 500M accounts. Less of a security monoculture, and fewer eggs in a single basket when it does get compromised.

From a user's perspective, although it may be less convenient, it's probably healthier to use a bunch of services offered by a bunch of different companies than to work with a single company for all digital needs.


Zoho is mostly OK though they have had a few outages in the past year and the IMAP flakes every now and then. But for free, it works.

My fallback were I to move my group off Zoho to something paid would probably be Rackspace. ymmv


I tried to sign up for Zoho a few months ago. Absolutely nothing in the signup process worked. I just got messages to "try later." So I gave up after about a day of periodically retrying.


Buying a domain name is the equivalent of number portability. Recommended for everyone.


On the flip side, I did that and while generally it's been a positive experience, providing your email address over the phone has become a huge pain!

I definitely took for granted how easy it is to say to someone "first initial + last name at major email provider . com", instead of "really easy first part at custom domain, wait let me give you the phonetic alphabet equivalent, no just the letter b, not actually the word bravo... . io - yes io, item oscar, it's the indian ocean. Yeah I'm sure it works"

Then pray you actually get the email.


THIS! You hit the nail on the head!

When I first went to get the domain for my main/personal email address, the .COM wasn't available...And I just didn't have an interest in the .NET or .ORG. So I went with .CC. I thought, "Hey it seems neat, slightly different (at the time) but not too weird, and it's one letter shorter for people to type!" ...Or so I thought. Boy, has it been annoying with some people. Admittedly over the years it has become slightly easier, though there is the occasional exercise almost exactly as you described above, spelling it out as if to an infant.

I suppose the audience on HN is likely tech-focused, but even today (September 2016), there are so many "civilians" out there who are NOT exposed to non-.COM domains, it's quite surprising. So many people that you would think have by now been exposed to some technology - hey they use advanced mobile phones, "smart tvs", etc. - and they look at you stunned if you bring up an email address with a TLD from outside the U.S. I'm living here in U.S., but if you want to really stump some people give them email addresses like the following:

* joe@smith.DE
* jane@doe.FR
* fred@johnson.CH

It's quite interesting!


Never use a domain for email or a business that you can't say clearly over the phone without spelling it.


This sounds good, but in my experience Americans want everything spelled out. Every time I need to communicate a common name, or common-word domain, or anything like that, they always ask me how to spell it.

"Hi, my name is Kate", "How do you spell that?". WTF!

And they get it wrong anyway. My partner's name is "Andreea", with a double 'e', and she always makes this fact very explicit, but in 95% of cases they will input it in their systems with a single 'e'.

My name is unusual, but it's one letter off from a usual name in my country. The bank has my correct name in their record, of course. But each time they email me, they use the wrong name. They sometimes even issue me new cards in the wrong name! When I complain, they act very surprised and say that they are aware that the name in the system is what it is, but they thought it was a mistake, so they decided to issue the card in a different name! Unbelievable! This has happened with multiple banks.


Nobody seems to have any trouble with "jon@jrock.us", other than spelling "jon" wrong. I think one time someone at American Airlines said "oh, that's neat". Otherwise, nobody cares.


Congratulations on being the outlier!


I never have trouble either. You picked a particularly weird domain.


My name isn't all that weird.


I would hesitate to recommend using a personal domain for email. It's more complex and worse for security.

In addition to securing access to your email provider (Gmail for example), you now have to secure access to your domain provider too. And even if you do your best, they might fall for social engineering because they take phone calls--like in the famous @N hack:

https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...


This hack involves 2012 passwords, according to the Re/code coverage. If you've still got the same password, that's a problem. If you're changing passwords every year or so, your vulnerability drops.

Two-factor identification on any account that involves your money is a good idea, too.


It's true that this hack was in 2012, but the information lost is not only passwords but also account information like name, addresses, other linked email addresses, etc. So those who changed their passwords after this hack still have something to worry about.


True, but if you've got any internet presence at all, it's already pretty straightforward to associate your name and email address (or addresses). Tools like Datanyze, Spokeo, SellHack, etc. do that routinely. Having 120 million Yahoo records available for mischief (without current passwords) makes things slightly worse, but not much.


Buy your own domain, you control the MX record.


Right, but it still needs an email service provider to point to (and I wouldn't want to run it myself for various reasons). And the providers I've seen are expensive (for me).


Did Google stop offering a free tier for Apps For Your Domain? I guess I missed the part about being grandfathered in.


Yes. It's now $5/month/user. (plans are grandfathered however)


You also get 1TB of storage with that, and unlimited storage with 5+ accounts. I do this for my family, and we all have unlimited backups and custom domain email.


What client software do you use to access the storage and to backup to it? Is it reliable and cross-platform, by any chance? =)


I use Arq https://www.arqbackup.com

Encrypts everything, and manages the revisions. Available for Mac and Windows. I use for Mac.


Luckily, I do have a grandfathered plan where I can use Google Apps for my domain for free. But as I mentioned in another comment, I'm trying to reduce my linkages with Google, Facebook and others for privacy reasons. That's one of the reasons why I don't use it that much (the other issue is dealing with changing my email addresses with everyone else I've shared those with - ad-based free email providers like Yahoo do not offer mail forwarding out of their platforms for free).


https://www.namecheap.com/hosting/email.aspx

I personally use Gmail as an IMAP client for my domain's mailbox. I get the convenience of webmail + the ability to move my data elsewhere if I wish to.


I've been trying to reduce my footprint with Google, Facebook, etc., for privacy reasons. I love Gmail's spam filter, and am ok with some of the annoyances in the webmail interface. But the privacy part makes me feel uncomfortable.


Just because you move to a paid email provider doesn't mean that provider won't get hacked. In fact, the resources at larger companies like Google could provide better protection.

Perhaps the benefit of being at a paid email provider is that they have a much smaller number of accounts, so they are a less attractive target for hackers.


You're missing the point. Paying for your email means you own your domain and email address, so you have the freedom to move to another provider if the current one proves to be incompetent.

Also, in case you have problems, it's impossible to reach Google's support, unless you're a Google Apps customer. It's also near impossible to reach Yahoo's support too. I know because I've been there. If you don't pay, you don't get any support.

"Better protection" is a fairy tale if you can't talk with somebody in case your email goes missing or in case you suspect you've been hacked.


They appear expensive because the expectation in people's minds is that email, and most online services are free.

Personally I find email to be the most important online service. Everything depends on email. While I can live a non-luddite life without Netflix and Dropbox and cloud VMs and Facebook, I quite literally can't live my normal life without email.

For me, it's more important than a phone. Because of this, I would expect to pay less for a mobile plan than for email, but even with "expensive" email service, the situation seems reversed.

If the idea of paying for online services were more entrenched in people's minds, there would be more competition and there would be email providers offering services at any price point. Now we only have free email, and "expensive" email, for "those" people.


Try protonmail


Thanks. I've looked at it before and like the privacy part very much. But it's quite expensive for my needs since I would have to get a few ProtonMail Plus accounts, taking the cost to a couple of hundred dollars a year or more.


Why not Tutanota?


I considered both before choosing one. Ended up going with Protonmail because:

* The folks behind Protonmail are also heavily involved in the OpenPGP.js project. Interop with plain PGP from non-Protonmail accounts is on their roadmap and a feasible future feature. AFAIK that's not on tutanota's roadmap and they use a different customized crypto library, so all you'll ever get is e2e encryption with other tutanota users.

* Proton's mobile app is a top-rated android mail app, and pretty good even compared to iOS's Mail app.

* IMAP support is also on Protonmail's roadmap, but not something I miss due to the good mobile app.

* The tutanota.com and tuta.io domains are dorky and hard for other people to remember.


Thanks so much for pointing this out. I had never heard of it before and had a look. It looks good and has a team whose values I identify with. What's more, it has flexibility in billing that looks quite attractive (users, storage, aliases, etc.).

Unfortunately, it does not support IMAP or POP, which I prefer just to have local copies of mails as a backup.

A paid account looks appropriate (and would help the company stay in business), but it's a bit pricey for my needs (though not as much as other providers who don't have a lot of flexibility on users/storage/aliases).

I will try the free account to experience it firsthand.


I think startmail has a free week trial you might want to check out.


Number portability helps you keep your same number with a different provider, I don't think it's relevant when you're talking about switching numbers. Also, email forwarding is easier to set up than call forwarding, and just overall I think switching email addresses is easier.


I've had a Yahoo email for years and then got fed up with it so got a Gmail one and set Yahoo to forward to it. Works for me and I think Gmail is fairly secure. Yahoo seems kind of bad security wise. It's all free now though I used to have to pay Yahoo to forward.


I create a new email address for every new service I have, with a different password. I literally have 120 different emails that all funnel into the same email address via forwarding.


I tried to do that for a long time. It's nice until you forget exactly what your email is with say, Company X Industries when trying to reset your password. Was it CX@domain.xyz? CXI? CompanyXIndustries? That example is silly but this came up frequently for me. And was super awkward when giving out my email to a CS rep over the phone or "Can you confirm your email address for me?" Me: "something that ends with XP84.cc, I forgot."

Password managers have made this somewhat less painful, at least on the Web, as opposed to "Apps" which refuse to implement the API for using the password -- and username -- stored in your keychain.


Is there some kind of "statute of limitations" thing that means we're suddenly finding out about a string of breaches from 2012 now?

Or is there some group that is trading breach data privately that have themselves been compromised so that data coming from them is finally leaking out?

I'm now more worried about the 4 year delay in these things coming to light than the effect of the breaches themselves given how many times I now show up on haveibeenpwned.


I am curious to know what happened in 2012 that all these breaches occurred. I assume they are holding the data, and trying to squeeze what they can out of it all the way through. However, there seem to have been a lot of massive breaches that year. Does it all stem from one hack? 200m Yahoo accounts could lead to at least a few million LinkedIn accounts I would assume, maybe not as many as was actually compromised in the LinkedIn breach, but still.

I just want to know if the same exploits were used in all of these instances. Or maybe they have just found backups for all these companies this year from 2012 and are using those. I don't even know how that would happen.


If they found a Yahoo employee's credentials in the LinkedIn hack (or vice-versa) then they don't need a million accounts, just those credentials.

"Hackers who used an employee's password, re-used from the LinkedIn breach, to access Dropbox's corporate network and steal the user credentials" - from an unnamed source quoted in a techcrunch article.

So maybe they also managed to traverse from linkedin to Yahoo or Yahoo to linkedin through similar password re-use.


Yahoo has recommended that users "check their accounts". What exactly would they be checking? Doesn't a compromised account look the same as an uncompromised account from a user perspective?


Potentially, you could have weird locations signing in, emails you didn't send in your sent items. But yeah, seems unlikely that a 'state-sponsored attack' on this scale wouldn't be able to cover their tracks in the eyes of Yahoo Mail users.


I wonder if "500M" is a silly way of saying all user account details were stolen.


"yes"


Does the incredible delay of this announcement count as being grossly negligent?

Maybe they're trying to devalue their stock prior to the merger? Similar to what Caris did: http://www.law360.com/articles/684195/caris-employees-get-16...


Unfortunately probably not. All they have to say is that they weren't sure until now.


I found it rather perverse that the login and account recovery screens of Yahoo! have 3rd party ads running. Doesn't give me any confidence in their security (in addition to the breach).


You, sir, have just landed at an important topic that we're all too lax on. This third-party injected javascript into otherwise 'trusted' pages is a real serious issue.

Besides the 'kill all ads' talk which isn't very helpful, there really needs to be some serious conversation about how this particular issue with the internet is addressed.


Wait, Yahoo believes the data was stolen by a "state-sponsored actor"!

If they have such evidence, why don't they explain so? To me it looks like a tactic to put the focus on the "naughty" government instead of themselves.

Anyway, it will be an interesting read (if ever written) how Yahoo discovered they had been stolen from and by whom (what state?).

Also, if "the state" is finally behind this, who will they prosecute till death? I bet it's the hacker :(


a) Big US enterprises are under attack from state-sponsored actors on a daily basis, so it's not that weird. It's not like the NSA weren't caught with their hands in the cookie jar either.

b) If you name the state you think is behind it, you better be ready for the diplomatic repercussions between the US government and the rogue state, as well as potentially stopping doing business in that state (see Google and China)



a) Can you point to an article where I can learn more about examples of big US corps being attacked by US-sponsored actors?

It's a quite interesting topic indeed.


NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say

https://www.washingtonpost.com/world/national-security/nsa-i...

We can assume that the US government is not the state-sponsored actor in the OP, because their attack has already been publicly known for some time. This one is probably China or Russia.


Does NSA tapping Google's fiber count: http://www.bbc.com/news/world-us-canada-24751821


It's rarely written about, in part because the private companies don't want to share details.

Buy a beer for someone who has worked security for a big firm and they can tell you all about it.


"encrypted or unencrypted security questions and answers"

This is bad right? Like, worse than your hashed password and your mailing address.

The only good thing is that if I ever implement security questions, I'll remember Yahoo! and how it could end up in the wrong hands.


Don't implement security questions. Those are no good to begin with.


You mean asking me my mother's maiden name or what school I went to isn't bullet proof?!


The problem is that people give the right answers. Mother's maiden name? Mozilla. School? Mio Fit.


Weird. My mother's maiden name is AjhuZ52nzFyDXDom4h8Vw01 and my school is 3zJi&MsGpSHf%z$GbDW!ngs7


Ha! I'd love to hear your tech support conversations!


United Airlines implemented them as multiple choice dropdowns: http://www.slate.com/articles/technology/future_tense/2016/0...


Don't many sites require them?


Yes but the parent is telling you, as a developer, don't use them. Personally, I'll make up a fake answer (e.g. What's your favorite pizza topping? A:338192).

Just make it something reasonably short as you might have to repeat it to a live customer service agent.


"My fave pizza is colon backslash open-cursive-brace pipe ay eight dollar with cheese".


One of the more convoluted announcements I've seen. I have to be aware that yahoo officially communicates via tumblr.com, check two different announcement pages which may not yet be up (converting time zones). When I clicked one of them I had to find the notice "in my region" which had only one option (not my region) and linked to another (non-yahoo?) site with an image of a document. I can't imagine all 500M users will jump through these hoops and remember when they last changed their password.


I wonder how many dummy accounts from the mid-2000s of mine were included in that.

I was born in 1990, and my insecure online behavior from 2000-2005 scares me. Hopefully HaveIBeenPwned gets their hands on this so I can scan for my teenage usernames.


Same here. I've gotta have at least 10 accounts from 1996-2002.


I wonder what percentage of those 500 million accounts correspond to real human beings. Much of the spam on the sites I run come from what appear to be fake @yahoo.com accounts.


Does this mean Verizon would assume liability if the purchase closes before a lawsuit/fine is brought?


Verizon legal team might have forced Yahoo to disclose this in order to remove the liability before acquisition.


Very interesting point. This suggests to me that Yahoo has been sitting on this for quite some time and only revealed it when their hand was forced...


Can anyone elaborate as to why this is being announced two years later? Why now and not when it happened?


Because they didn't know it at the time?


I believe a common reason for this is that they don't want to announce it until they're completely sure the breach is gone and that they have control of things again. Announcing that it happened and that it's ongoing forces them to either cease operations or face liability.


So covering up a known in-progress security breach is standard procedure? Instead of telling your users to change their passwords and so on?

Personally, I demand criminal investigation and at least a $1000 fine per account breached.


Yeah, that sucks because I have my business stuff with them (I know, I know). On the bright side I didn't receive an email so maybe they didn't get the biz accounts. Changed my pw anyway.

And something's changed with their biz accounts anyway- it's been sold/rebranded or something and I'm not sure where the future lies... :[


I don't think they actually broke any laws. How do you expect them to be charged for your demands?


You got me, they only broke the law in 47 states.

http://www.ncsl.org/research/telecommunications-and-informat...


The California law, for example, just says it needs to be "expedient" without defining time limits. It isn't clear that they violated that law at all. They are disclosing a very large breach and I would assume that if they do see suits here, they will be civil suits.


Yes, making demands in a web forum is the way to resolve this.


FWIW... I just logged in to my Yahoo Account and removed the security questions. Just to be sure. I had already changed my password a few months ago when first rumors of this came up. I'm pretty sure that the option to remove the security questions wasn't there back then.


>Yahoo believes that information associated with at least 500 million user accounts was stolen

That tops the HIBP list for the most stolen.[1]

[1] https://haveibeenpwned.com/PwnedWebsites


> We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.

GCHQ? Although GCHQ seems to have hacked them even earlier than that.

https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webca...


You can verify if your credentials have been compromised at https://heroic.com


Here is a script for the command line enthusiasts.

    #!/bin/bash
    # Fall back to a placeholder address when none is given on the command line.
    EADDRESS=$([[ "$1" == "" ]] && echo "noreply@example.com" || echo "$1")
    # Percent-encode the "@" for the form body.
    EADDRESS=$(echo "$EADDRESS" | sed 's;@;%40;')
    RESPONSE=$(
        curl "https://heroic.com/wp-admin/admin-ajax.php" \
        -H "accept-language: en-US,en;q=0.8" \
        -H "accept-encoding: gzip, deflate, br" \
        -H "user-agent: Mozilla/5.0 (KHTML, like Gecko) Safari/537.36" \
        -H "content-type: application/x-www-form-urlencoded; charset=UTF-8" \
        -H "referer: https://heroic.com/email-security/" \
        -H "x-requested-with: XMLHttpRequest" \
        -H "origin: https://heroic.com" \
        -H "authority: heroic.com" \
        --data "action=heroic_scan_email" \
        --data "data[email]=${EADDRESS}" \
        --compressed --silent
    )
    if command -v php &> /dev/null; then
        # Hand the response to PHP on stdin instead of splicing it into the PHP
        # source: a single quote in the response would otherwise break out of
        # the string literal. allowed_classes => false (PHP 7.0+) makes
        # unserialize() return __PHP_Incomplete_Class instead of instantiating
        # whatever class names the server sends back.
        printf '%s' "$RESPONSE" | php -r '
            $raw  = urldecode(stream_get_contents(STDIN));
            $data = unserialize($raw, ["allowed_classes" => false]);
            print(json_encode($data));
        '
    fi
PS: Using serialized data is a bad idea: https://www.owasp.org/index.php/PHP_Object_Injection


As long as I have you here... ;)

I primarily write JS for a living but because I freelance I often have to work with wordpress. After spending a few weeks digging into the internals I soon realized that every single wordpress project I've inherited–paid themes included–was horrendous and failed to utilize the most basic facilities provided by core.

In most of these projects a quick turnaround was more important than clean code (probably the cause of the aforementioned horrendous codebases), so I always just hacked away at the templates without ever trying to gain a deep understanding of PHP, its recommended best practices, and security gotchas.

My question is, can you point me towards something like "PHP, the good parts"? I would like to know how to write well architected, performant, and secure PHP on the occasions I need to use it professionally. I know that PHP has a reputation as being dangerous by default, so knowing what not to do would be reassuring. So far all of the PHP books I've found have been fairly disappointing; covering all of the features without really detailing any best practices or opinions.


I believe this is what you're looking for: http://www.phptherightway.com/


I don't use OO when I write PHP but it seems the real vulnerability there is the use of eval(). There is almost never a legitimate use for that function. I would definitely draw in to question the wisdom of OWASP deciding to classify this as a separate vulnerability. You should use the disable_functions directive in php.ini to hard-disable eval() (and other iffy functions) on production servers. One tutorial @ http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpi...


This tutorial disables curl_exec. Good luck getting any popular API client to work, they all use cURL... or if you're lucky, a modern-enough version of Guzzle that can use socket connections, but LOL that's opening another can of worms...

HTTP parsing is notoriously difficult and I'd rather trust cURL (which is battle-tested in a load of environments) than a PHP userspace library.


    EADDRESS=$([[ "$1" == "" ]] && echo "noreply@example.com" || echo "$1")
could be replaced with:

    EADDRESS=${1:-noreply@example.com}
From the man page:

    ${parameter:-word}
        Use Default Values.  If parameter is unset or null, the expansion of word is substituted.  Otherwise, the value of parameter is substituted.
For:

    EADDRESS=$(echo "$EADDRESS" | sed 's;@;%40;')
you could use:

    EADDRESS=${EADDRESS/@/%40}


Curious - exactly what man page do you find that in? I've always seen that construction but given that it just uses random punctuation it's impossible to Google it. I don't even know what those are called!!


The chapter on parameter substitution in the LDP's Bash Scripting Guide is nice for this : http://tldp.org/LDP/abs/html/parameter-substitution.html


That's from the Bash man page. :) If you open it in less, you can do `/ :- RET` to search for `:-` and jump to it, which will take you to that part.


Is your service any better than haveibeenpwned.com ?


HIBP is a great service and was the first one on the scene. HEROIC has more breached records than HIBP and with a free account on HEROIC you can see more details about how you have been compromised along with better search capabilities.


But apparently not a strict superset of HIBP, since your site shows nothing for an address that I know was exposed in multiple hacks/leaks.


We should have everything that HIBP has plus another .5 billion.


HIBP is still useful to me, at least, because it will let me find breaches for my entire domain, rather than just for specific email addresses. This is useful since I use a different email address per-site (username-somestring@domain), so just being able to search on my base email address on HEROIC isn't likely to turn much up...


The couple in your stock photo looks really enthusiastic about searching for their compromised accounts.


For me it shows almost the same information as haveibeenpwned.com. How would someone find out about the breach that this post/article is referring to? Are you loading this one soon?


Do you save email addresses entered into the site?


i always think this kind of sites are there just to get email address that are supposedly "important" or "active"...


do you even have this leak from yahoo loaded? where did you get it from?


"We are recommending that all users who haven’t changed their passwords since 2014 do so."

And then don't include an easy link to where users can do that? Great work yahoo.

I found my way to http://profile.yahoo.com but apparently from my machine at an AU University: "profile.yahoo.com’s server DNS address could not be found"


Interestingly my account is not part of the compromise and my friends are; I can confirm this because they received a message about the compromise and I did not... I asked them how long they've had their accounts and they said for about a year; whereas I have had my account for about 5 years. Interesting no?


I think my only concern is what data I had attached to my Yahoo account (for Flickr) which I think they required me to tie to a phone number. So I guess that means I can expect people trying to abuse that phone number as a point of identification in identity theft attempts. Oh joy.


There’s one thing I don’t understand with this “state sponsored actor”. Say you are an oppressive regime and you target activists who use yahoo mail to publish your dirty laundry. Why on earth would you hack half a billion accounts just to get access to a few dozen ones? Doesn’t make sense. You attract too much attention. A thing like that would never go unnoticed. If on the other hand you’ve found some exploit and target specific accounts which are numbered in the tens, say hundreds, you can easily get away with it.

BTW, I don’t know if it’s coincidental but just yesterday I received a notification from Yahoo to disable access to Mail from third party apps.


The hack was probably "take a copy of the DB, decrypt our targets' password offline", not some sophisticated online attack.


Maybe you are NSA and you say "All your data are belong to US", as discovered by Snowden.


Is it possible that certain companies leave their user data open for attacks to illegally share it with third parties?

At this point, it should at least be considered. There's obviously quite a bit of incompetence at Yahoo, but still...


This is where the phrase "adverse material fact" comes into play.


How is it that 200M user accounts are worth only $1800?


It's Yahoo.


And 2012.


Bah, I would have topped out at $50. The vast majority of accounts from a free email service would be worthless.


Yahoo will survive this regardless of their 'state sponsored' hand waving or not.

The day the same happens to Google or Facebook will be very different.


Will it? Why? If anything, Google and Facebook seem to be more firmly entrenched in everyone's day-to-day lives and are more likely to get the "too big to fail" treatment.


Agreed. My sense is that if this happened to political heavyweights like Google or Facebook, we'd have serious diplomatic muscle on the case, as indeed we have already seen in the past with Google's China travails, or Obama's barely-hidden warnings to Europe about the antitrust fines.


It will be more newsworthy. Nothing to do with the impact. Though I do suspect Google and Facebook devote more resources these days to security than Yahoo.


The only reason they announced it was to avoid being guilty of an actual crime after being acquired and not announcing it before hand.


The timeline seems close to that HN item: https://news.ycombinator.com/item?id=8416393 (dead link, cache at http://archive.is/PpCth )

It could be entirely unrelated.


https://haveibeenpwned.com/

More relevant than ever.


Yahoo won't let you enable two-factor auth with a Google Voice phone number. Oh well, time to delete my account.

Here's the magic link: https://edit.yahoo.com/config/delete_user


I have an account that was definitely compromised. I had completely forgotten this account existed and never used it to sign up for anything else. I was rather surprised when I realized someone had that email and password.


Oddly, I changed the password for 2 Yahoo accounts only a month ago. I have to wonder if Yahoo filtered for people who recently changed passwords before designating me as a person who might be affected.


System was hacked in "late 2014", but we only now found out about it in 2016. That's almost 2 years.

Whoever the "state-sponsored" hacker is probably has lost interest in that access.


What evidence do they have that it's a state sponsored attack?


Long live yahoo...oh well. I've never used them for email, I only had an account for yahoo IM, which they just killed. I have no use for them at all now.


Interesting that they are moving beyond passphrase authentication towards an "Account Key". I wonder how that works...


Sometimes I play with the notion of a future without asymmetric information. If it is to be known it is known by all.


The trouble is that confidentiality and integrity play against each other in useful ways. For instance, even if I have nothing private to say in my email, if you want to authenticate messages as coming from me, I need a private key to sign my email so that nobody else does.

Even in a hypothetical future where, say, two employees in a company couldn't communicate privately without the entire rest of the company knowing (and I question whether that would be a good future), you still want the ability for one employee to communicate and certify the message as coming from them. Otherwise I could give myself bonuses. That requires some password or key known to me and only to me; that requires that cookies and other session state on my computer are only accessible to me.


Will this be reported to the Australian Privacy Commissioner? I'm assuming it affected Yahoo Australia.


It seems bizarre that Yahoo would use a post on tumblr.com to make such an important announcement. From what I've seen Tumblr has become mostly a wasteland of worthless garbage in the past few years and no one takes it seriously any more. Isn't this the sort of thing that ought to be on the yahoo.com home page from a PR crisis management standpoint?


If you don't know, they own Tumblr, so maybe it's a "dogfooding" practice.


Yes I know that, but I would think that if this impacts yahoo.com then the announcement should be there rather than some seldom visited backwater.


Tumblr lost 65 million accounts "recently" too - maybe they're just reusing their "we've been hacked" account?


All press is good press?


Wow. If you scroll up and look at the header, that's some very sexy UX. Good job, Yahoo!


Yahoo's login experience has been horrible lately. This must be a contributing factor.


Create a bookmark to your inbox when logged in. Next time you log in, immediately click your inbox bookmark so you can skip all the irritating "give us your phone number or you will suffer greatly" pages.

As for personal info, don't give it to them. Anyone who doesn't require it by law gets mis-info, this has served my privacy & security since the turn of the century. EVERYONE wants your phone number "for security" these days* , and yet, when they bungle their security yours goes out the window with a million+ others'.

*Your phone number is marketing gold to those who believe they value your personal, identifiable data more than you do.

edit: more asterisks, less italics


I had a terrible experience recently. It was so dumb I wrote a rant to a no-reply address they had sent me some options about.

I logged in from my only computer, they presented my recovery email addresses with check boxes. I didn't read the prompt, but I selected the one I still use (one was so freaking old--a netzero address). It seemed to remove it from the list, which was the opposite of the behavior I'd expect. I literally didn't care enough to add it back. If I get locked out of my yahoo account...so?

Anyway, then they sent me a "new device" email that said I should login from one of my normal devices. It was my normal device, I just hadn't logged in for maybe...years? Surely they can alter the logic to not say something so stupid.


MD5 for password hashing? Seriously? That was even 2014 waaaaaaay outdated.


Using 2-factor authentication comes in handy in situations like this.


Not necessarily. 2FA only prevents access to the account, but passwords are both hard to decrypt and easy to change so I'm not too concerned about that. The real valuable data in this hack are the names, emails addresses, DOBs, telephone numbers, and security questions. Those things are very hard to change and would be very valuable data points for anyone trying to steal your identity or social engineer themselves in other accounts of yours.


Yes, you are right. That's really valuable data for anyone impersonating someone. But it's becoming more and more difficult to know which service to use that might protect the information. Hopefully in services like protonmail, everything is encrypted.


Yet another "state actor hit us with 0days" statement.


Anybody know what hash they use at yahoo for account passwords?


You're likely under-estimating the amount of CPU time they're willing to throw at the problem. If you have to ask, the answer is "not strong enough for your password. Change your Yahoo password. Change all other passwords that were shared. Stop sharing passwords across sites."

On the other hand, my LinkedIn password was 15 base-64 characters, poorly hashed with just SHA-1. As a rough ballpark, cracking it on average comes out to about 500 times all of the work that has ever been put into BitCoin mining. I still changed my password after the breach. Why not?


So salted bcrypt isn't relatively safe?


It's safer than, say, unsalted MD4 (NTLM).

However, the specifics of the hash only make a difference if your password is weak. As long as the hash is non-invertible, use passwords containing at least 96 bits of entropy, and you're fine.

I use https://github.com/kmag/store_password_gpg , which is a 200-line Python script I wrote a while ago to generate a random password and encrypt it using gpg. Any decent password manager should allow you to generate unique, random, per-site passwords.
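As an added illustration of the point made in the replies above (not code from any commenter or from Yahoo), the following calculator shows why the hash algorithm only matters for weak passwords: it computes the entropy of a uniformly random password and the expected time to brute-force it under a fast hash versus a slow one. The guesses-per-second figures are assumed order-of-magnitude placeholders for a single GPU rig, not measurements, and the password cases are constructed for the comparison.

```python
import math

# Assumed, rough throughput for one modern GPU cracking rig. Real figures
# depend on hardware and on the bcrypt cost factor; these are placeholders
# chosen to show the gap between a fast unsalted hash and a slow KDF.
GUESSES_PER_SECOND = {
    "sha1": 1e10,           # fast hash: tens of billions of guesses per second
    "bcrypt cost 10": 1e5,  # deliberately slow: on the order of 100k per second
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average an attacker hits the password after half the keyspace."""
    return 2.0 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock years to brute-force a password of `bits` entropy
    at the given guess rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def crack_table(passwords):
    """For each (name, length, alphabet_size) case, return its entropy and the
    expected cracking time in years under each hash in GUESSES_PER_SECOND."""
    table = {}
    for name, length, alphabet in passwords:
        bits = entropy_bits(length, alphabet)
        row = {"bits": bits}
        for hash_name, rate in GUESSES_PER_SECOND.items():
            row[hash_name] = years_to_crack(bits, rate)
        table[name] = row
    return table


if __name__ == "__main__":
    # Constructed comparison cases: a weak human-chosen password, the
    # 15-character base64 password mentioned in the thread, and the
    # 16-character base64 password that reaches the 96-bit mark.
    cases = [
        ("8 lowercase letters", 8, 26),
        ("15 base64 characters", 15, 64),
        ("16 base64 characters", 16, 64),
    ]
    for name, row in crack_table(cases).items():
        times = "  ".join(f"{h}: {y:.3g} years"
                          for h, y in row.items() if h != "bits")
        print(f"{name:22s} {row['bits']:6.1f} bits  {times}")
```

Running it shows the weak password falls in seconds under SHA-1 and in hours under bcrypt, while at 90 bits and above the hash choice is irrelevant because the time is astronomical either way; that is the argument for unique random passwords rather than reliance on the site's hashing.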


Yahoo's announcement (link changed since some of these comments were posted) says the "vast majority" used bcrypt.

I've been getting an "Unexpected sign-in attempt" email from Yahoo every day for the last couple of weeks, but I don't see any evidence that the attempts were successful.


for the longest time, it was unsalted MD5. it may still be. very easy to crack with a rainbow table.


"hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers"

They went on to say they have deactivated all clear-text security questions.

Really, WTF Yahoo. Why bother hashing a pw if you are going to have plaintext security questions.

Though at least they were not using MD5


> Really, WTF Yahoo. Why bother hashing a pw if you are going to have plaintext security questions.

If they had not hashed the passwords you would be able to login to millions of Yahoo accounts with this leaked data.


old accounts. the reason for the "vast majority" and "in some cases" terminology is very likely because the user records only get updated when the user logs in. for accounts that haven't been used in a long long time, it's possible you'd still find pre-bcrypt hashes and plain text question/answers.

Regarding your last sentence, I think other comments have chimed in on what they believe the pre-bcrypt hashes were made with.
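The two threads above (the one arguing against security questions and suggesting random fake answers, and this one on Yahoo storing answers in plaintext) both come down to the same practice, so here is one added example covering both; it is not Yahoo's code or any commenter's. If a site must keep security answers at all, it should store them the way it stores passwords: normalized, salted and stretched, so a leaked row does not reveal the answer outright. The iteration count, salt length and the "St. Mary's School" sample are assumptions chosen for the illustration. The caveat a practitioner should keep in mind: stretching only buys as much as the answer's entropy, and real answers ("mother's maiden name") come from a small dictionary, which is exactly why the thread recommends a random answer, generated here by `random_answer`.

```python
import hashlib
import hmac
import os
import secrets
import string
import unicodedata

# Assumed KDF parameters for the example: a deliberately slow PBKDF2 setting
# and a 16-byte per-record salt.
ITERATIONS = 200_000
SALT_LEN = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so retyped variants still match:
    "St. Mary's" and "st marys" both become "stmarys"."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def _stretch(answer: str, salt: bytes) -> bytes:
    data = normalize_answer(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def hash_answer(answer: str, salt: bytes = b"") -> bytes:
    """Store an answer like a password: salted and stretched.
    Returns salt || digest; the plaintext never reaches the database."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + _stretch(answer, salt)


def verify_answer(answer: str, record: bytes) -> bool:
    """Constant-time check of a submitted answer against a stored record."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_stretch(answer, salt), stored)


def random_answer(length: int = 10) -> str:
    """A fake answer to give instead of the real one, as suggested in the
    thread: short enough to read to a support agent over the phone, random
    enough (10 chars of [a-z0-9] is about 51 bits) to be unguessable."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: what a leaked row looks like when the answer is
    # stored hashed rather than in the clear.
    record = hash_answer("St. Mary's School")
    print("stored record (hex):", record.hex())
    print("retyped variant accepted:", verify_answer("st marys school", record))
    print("wrong answer rejected:", not verify_answer("st marks school", record))
    print("random answer to use instead of the truth:", random_answer())
```

`normalize_answer` is what keeps the scheme usable: without it, "St. Mary's" and "st marys" hash to different values and users lock themselves out, which is the usual reason sites fall back to storing the plaintext in the first place.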


Anyone happen to know if this was the largest hack in history?


Information is Beautiful has a bubble chart/graph[0] and here's the same data in Google spreadsheet format[1].

[0] http://www.informationisbeautiful.net/visualizations/worlds-... [1] https://docs.google.com/spreadsheets/d/1Je-YUdnhjQJO_13r8iTe...


I should have never created that rocketmail account.


local area askHN:

what to do if one had an ancient account that was abandoned but has one's name on it?

[p.s. forgot password, etc.]


It's obviously so important that they posted it to Tumblr instead of on the yahoo website itself...


why don't they die already?


"by what it believed was a "state-sponsored actor.""


The de facto excuse to use when you get hacked these days. Who could possibly defend against an entire nation? And it's incredibly easy to "prove" that some Russian IP accessed your system at some point, therefore Putin is directly involved and no amount of security would've prevented him from getting in.


Would a hacker who claims unemployment benefits be considered state sponsored?


Truly food for thought...


Sidetracked: Can someone explain to me why there seem to be a culture of blackhat hacking from Russia? Do their CS degrees have mandatory advanced courses on how to exploit vulnerabilities for lulz?

Not really even saying this in a mean way. Almost all top CS programs in the US have assignments on writing buffer overflow attacks and reverse engineering in their mandatory intro to systems course. But I don't seem to see them going off on their own to learn more sophisticated attacks and actually using it in the real world.

Why does russia seem to foster so many blackhats? Or is it just the proxies that are hosted there?


Maybe it's just that the avails of theft and fraud are not limited by prevailing wages in your area, so are relatively a better deal?


I don't understand what difference it makes if it's state-sponsored or not.

It seems like Yahoo's PR wants to switch focus to state-sponsored hacking and form a narrative around what's been in the news lately as opposed to Yahoo's incompetence.

Also it's less embarrassing to get hacked by a whole nation than a few nerds in their basement.


If you're a human rights activist with a Yahoo account and Russia or China stole these passwords, then your communications have much higher chances to have been breached and spied upon than if say, a Russian gang got their hands on this and used accounts to spread more ransomware around.


A state sponsored attacker has some (easy) possibilities that are normally out of the league of a normal attacker.

Like showing up on the doorstep of a CA and asking them to issue forged SSL certificates.

This was relevant for the pinning bug that was just fixed in Firefox 49: normal users shouldn't care about it, but it's very dangerous for Tor users.


> I don't understand what difference it makes if it's state-sponsored or not.

> Also it's less embarrassing to get hacked by a whole nation than a few nerds in their basement.

Seems like you understand just fine.


IMO:

State attack = a state steals the access and keeps the breach secret for as long as they can [or until they get hacked themselves]. They use it for espionage and similar purposes

Evil bad guy = all accounts and passwords are already available on blackmarket.com since Day+1 after the breach. They'll probably end up in a torrent within the next month.

Evil bad guy sponsored by a state = Well, somewhere between the two. Hopefully the state ensures they get exclusive access and non disclosure.


Once the accounts are for sale on the black market (they are), then the distinction between state and non-state is moot.


Do you have a source? Has it been mentioned that these accounts are for sale?


I purchased my own credentials from the hackers just to make sure nobody else gets them. So much easier than coming up with another password.

