Yahoo Announces Breach of One Billion Accounts

Author: Nadia_Kovacs30 Employee Posted: 14-Dec-2016 | 4:09PM · Edited: 16-Dec-2016 | 1:03PM · 20 Comments

Hot on the heels of Yahoo announcing a data breach of 500 million user accounts in September, the company has announced that they have suffered another breach of one billion accounts. Yes, you read that correctly- one BILLION accounts.

As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

Yahoo believes that the information that was stolen consists of full names, email addresses, dates of birth, phone numbers, hashed passwords, and possibly security questions and answers as well.

Luckily, Yahoo does not store credit card or any other payment information in the system that was affected.

2016 seems to be the year of the “mega-breach” with us reporting on eight major breaches involving well-known companies. Big data is big money for attackers, so they set their sights on companies that tend to hold large amounts of personally identifiable data on their customers, such as Social Security numbers, birthdates, home addresses and even medical records. It’s easy for a cybercrime victim to report credit card fraud and just get a new card number. When it comes to a Social Security number, though, you are bound to it for life. And Social Security numbers open the door to all sorts of identity theft.

Norton Protects You Against Data Breaches

Norton makes it easy to have proactive protection against data breaches like these in place with Norton Identity Protection Elite. Norton helps monitor everything online about you--from financial accounts to social media and your credit report. Norton Identity Protection can even provide restoration services if you become a victim of identity theft.

What Yahoo is Doing to Protect Their Users

The company is currently identifying and notifying potentially affected users instructing them to change their passwords immediately. In addition to notifying users, they are removing any unencrypted security questions and answers from the affected accounts so cybercriminals cannot use those answers to break into users accounts.

How To Protect Your Accounts:

In situations like this, we cannot stress enough the importance of using safe and secure passwords.
Here are some tips on creating a secure password:

Use a random combination of at least ten symbols, letters, and numbers.
Don’t use the same password for multiple websites. Ever.
Don’t use words in your passwords- cybercriminals have programs that can crack those passwords in a heartbeat.
Don’t use any personal information in your password- not even your birthdate.
Do not open emails from unknown sources and delete anything that appears questionable.
Do not rely on security questions to protect your account/password. Most security questions are common across applications, and the answers are often found on public social media sites.

We understand that it can be hard to keep track of dozens of complicated passwords for multiple websites; however, cybercriminals count on password reuse in order to gain access to other accounts. One way to get around the annoyance of having to remember all of those unique passwords is using a secure password manager, such as Norton Identity Safe.

Another great way to protect your account is if the service offers two-step verification. Two-step verification is a method of verifying your identity in addition to your username and password. Two-factor authentication asks you to provide one of the following things:

Something you know – a pin number, password or pattern.
Something you have – an ATM or credit card, mobile phone or security token such as a key fob or USB token.
Something you are – Biometric authentication such as a voiceprint or fingerprint.

You can also visit Yahoo’s Safety Center page for more information on how to secure your account. Yahoo also offers a Yahoo Account Key, which is an authentication tool, similar to two-factor authentication as well.

SaveSave

Comments

bjm_ replied on Wed, 12/14/2016 - 16:17 Permalink

In situations like this, we

In situations like this, we cannot stress enough the importance of using safe and secure and passwords.

Debra Flowers replied on Fri, 12/16/2016 - 15:34 Permalink

I left Yahoo 2 nights ago

I left Yahoo 2 nights ago deleted all my accounts since this happen I only used for yahoo messenger since yahoo stop useing messenger 11 I canceled my account with yahoo 10 years yahoo client

Bloated_Germ2 replied on Fri, 12/16/2016 - 16:22 Permalink

I already changed my

I already changed my passwords and killed my secret questions a few months ago after that breach was brought to light. Do i need to change my passwords again?

bjm_ replied on Fri, 12/16/2016 - 16:25 Permalink

https://krebsonsecurity.com

https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/

douglas035 replied on Fri, 12/16/2016 - 18:05 Permalink

I left Yahoo six months ago

I left Yahoo six months ago when I heard something similar and never went back since that incident now this whats next.

jendayiB replied on Fri, 12/16/2016 - 19:18 Permalink

I have been a Norton

I have been a Norton subscriber for years prior to the Yahoo hack so does that mean I was protected from this incidence?

owlabye replied on Sun, 12/18/2016 - 20:58 Permalink

I have the same question my

I have the same question my pass words are on Norton Safe maybe one on google save which is not a security risk because the program is not containing a risk for me because it has in no turn no information not ready available.

MY-NS-SAFETY1 replied on Sat, 12/17/2016 - 06:38 Permalink

Thanks Nadia Kovacs for the

Thanks Nadia Kovacs for the comprehensive update...I am one of the lucky ones that was NOT affected by Yahoos predicament as I did not have an account. For many years I rely on NORTON security and so far all is good! That is appreciated...thanks! Tibor

Kathy Paine replied on Mon, 12/19/2016 - 17:08 Permalink

I don't think i was affected.

I don't think i was affected.. I have not used my Yahoo account since 2011.

blue50moon replied on Tue, 12/20/2016 - 15:22 Permalink

same here i havnt used my

same here i havnt used my yahoo account probably since 2012 or 13.However i did get an email stating that someone has made an atempt to login on the 16th when I actually logged in on the 19th. So i would have gotten emails prior to the 16th ?

Taffy_078 replied on Wed, 12/21/2016 - 08:45 Permalink

Yahoo clearly have their

Yahoo clearly have their tongue in their cheek when making this announcement. They must have been aware of it at the time - the breach (or possibly a different one) affected XXX tens of thousands of customers of BT-Yahoo email. It created the largest-ever thread on that Community forum, with 98 pages, 974 posts and 18,828 views!

http://https://community.bt.com/t5/Email/BT-email-accounts-hacked/m-p/796762#M18990

BT is probably the UK's largest telecoms provider and the way they tried to hide the problem was a disgrace. I personally wrote to each member of the BT board - got me nowhere of course!

You'll see in that thread references to newspapers in the USA, Australia, New Zealand and elsewhere with articles about this and other hacking incidents. E.g.

http://www.newshub.co.nz/nznews/yahoo-xtra-customers-emails-hacked-2013021109

http://arstechnica.com/security/2013/01/how-yahoo-allowed-hackers-to-hijack-my-neighbors-e-mail-account/

https://mic.com/articles/27916/yahoo-hacked-ceo-marissa-mayer-faces-hacking-incident-during-first-year-on-the-job#.ZgAKHke0k

http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/

The funny (?) thing is that around that time Sky UK (part of Fox) announced it had cut it's link with the tech company providing their email (name forgotten) because they'd been hacked and so Sky were now moving everyone to Yahoo!!!

phiolater replied on Fri, 12/23/2016 - 08:28 Permalink

wasn't yahoo bought by

wasn't yahoo bought by Verizon and if so was Verizon compromised?

Taffy_078 replied on Fri, 12/23/2016 - 09:36 Permalink

Verizon want to buy Yahoo but

Verizon want to buy Yahoo but are having second thoughts, They know about the BT Community thread.

Tom Higgins replied on Fri, 12/23/2016 - 08:29 Permalink

I dumped Yahoo many years ago

I dumped Yahoo many years ago and switched to MSN only to have my email account hacked at a later date. I now use Chrome and have been using Norton as long as I can remember. So far Norton has protected me. Kudos to Norton.

XmasRose replied on Thu, 12/29/2016 - 07:48 Permalink

Unfortunately, changing our

Unfortunately, changing our passwords at this point will only help with potential future breaches. As the report says...they already have our information. All we can do now is monitor our credit reports but since companies tend to make it easy to establish credit with the right information, we'll be putting in a lot of time and effort trying to clean up our reports. Until companies start taking these breaches seriously this is going to be the "norm" for us.

Funny how in the 21st century, companies still believe in paying to fix things instead of preventing it in the first place. We should be able to charge them for the time and effort we put into cleaning up their mess.

Taffy_078 replied on Thu, 12/29/2016 - 22:25 Permalink

At the time, BTYahoo email

At the time, BTYahoo email customers had a way to check their log-in record that showed the country of origin of the log-in. Some users ask for problems though by having their email address in the traditional format of "first name.surnameATxyz.com". This makes it so much easier for them to be swamped with spam, phishing and worse. They then compound the problem by signing up to a forum with the same FirstnameSurname as their User name on that forum & then write asking for help with spamming etc.

So on this forum we see a new thread from eg JoeBloggs complaining of XX phishing/spam attacks every day on his eg outlook email account. Virtually telling everyone that his email address is likely to be joe.bloggsAToutlook.com.

If I see one of these I suggest to them that they change their email address to a phonetic version eg jay.bee or jaybee2017[AT] and also change their forum User name. Am I guilty of overkill?

I agree with XmasRose about companies failing to get their fingers out.

Oh and one more sermon - I predict that there'll be many PCs sold around now to people who've never used one before. Hopefully they'll be sensible and have Norton preinstalled or as part of the PC bundle. They'll feel confident seeing Norton2017 on the box but in most cases they won't be told by the retailer that Norton2017 was preinstalled or produced around June/July 2016 and that the very first thing they should do is to check for updates to it. I wasn't and that's how my first PC some years ago got infected.

How can I suggest to Norton that could do more to alert new customers to immediately check for updates?

Taffy_078 replied on Thu, 12/29/2016 - 22:32 Permalink

PS I should have added that I

PS I should have added that I'm still receiving "Help - stranded in XYZ airport after being mugged - please send money" emails (allegedly) from friends who only now are having their BTYahoo email account breached and used. At a rate of perhaps one per week. Worse still, two of them are Secretaries in large sporting organisations and frequently email up to one hundred members using To and not BCC!

Sophia Addison replied on Sun, 12/02/2018 - 21:54 Permalink

I faced the same related

I faced the same related problem at my PenMyPaper admin email id. At that time it was really hard to point out and solve the problem properly. The post has been brilliantly and truly said this is one of the best posts that I have come across in recent times. But this post has all the attributes of changing the way we write our write-ups as this post really teaches how to craft our write-ups well.

Taffy_078 replied on Mon, 12/03/2018 - 00:10 Permalink

Those with BT*** email

Those with BT*** email addresses will remember that the largest thread on the BT Community concerned a (then) BTYahoo hacking incident - https://community.bt.com/t5/Email/BT-email-accounts-hacked/m-p/796762#M18990, with 985 posts.

Taffy_078 replied on Mon, 12/03/2018 - 00:19 Permalink

I'm sure most of us changed

I'm sure most of us changed our IDs and passwords, perhaps even changed our email provider but there remains a serious risk. Those who hacked and got our old details will still be able to send out fake emails purporting to be from us. So friends, family, acquaintances are at risk of receiving these fake emails - they've no way of knowing that the old email account has been closed down/changed because of the hacking, do they?

I still receive emails purporting to be from acquaintances, even from my local councillors and national politicians, which because of the messages contained I can tell are clearly not from them. They did the right thing, shut down their BT email account and replaced it with a new BT account (or another provider's); they have no idea that fraudulent emails are still going out in their (old) name to their contacts.

If our email provider has been hacked, it's so important that we tell all our contacts to ignore emails sent from our old email address. How many do, though?

It's up to the likes of Norton to tell everybody, surely.

Introducing Norton Safe Email!

Security Covered by Norton