In the September/October timeframe this year it became clear that Yahoo had lost more than 500 million records, which was the biggest hack of the year. Who knew that they would top themselves just a few months later!
Yahoo just stated today that a separate incident has exposed at least a billion more user accounts. They also warned that attackers figured out a way to log into targeted Yahoo accounts with forged authentication cookies without having to supply the victim’s password.
How can this get any worse... It's a Massive Epic Fail. Here is the updated graph from the Wall Street Journal on the size of this monstrous hack.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”
Yahoo said they were in the process of notifying the affected account holders, and that they have invalidated the forged cookies. “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.
Blaming it on the Russian Government in this case is a cop-out. These are high level criminal hackers that simply get air cover from Putin but are not on his payroll.
At this point, Yahoo has fallen down on security in so many ways that I have to recommend that if you have an active Yahoo email account, either direct with Yahoo or via a partner like AT&T, get rid of it. But clean it out first, get rid of all the folders, delete the account and open a gmail account instead. Check if you have used your Yahoo password in other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.
If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS phishing (a.k.a. Smishing) is now a distinct possibility, so be very wary of Smishes.
Thanks Verizon, for your interest in Yahoo and the due diligence that followed. I would recommend to not pursue this course of action though.
Free Domain Spoof Test
Can hackers spoof an email address of your own domain?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.
Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy and often a shocking discovery. Find out now if your email server is configured correctly; many are not!
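The check behind a domain spoof test comes down to whether a domain publishes SPF and DMARC records that tell receiving mail servers to reject forged mail. The following is an added example written for this post, not KnowBe4's own test tool: it evaluates constructed DNS TXT records for two hypothetical domains (example.com and weak.example) and reports why a domain would be treated as spoofable. The record values and domain names are assumptions for illustration.

```python
import re

# Constructed sample DNS TXT records keyed by name (no live lookups are made).
# To test a real domain, replace lookup_txt() with a DNS TXT query.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 a mx ?all"],  # neutral 'all': no sender restriction
    # weak.example publishes no _dmarc record at all
}

def lookup_txt(name, records=SAMPLE_TXT):
    """Return the TXT strings for a name from the constructed record set."""
    return records.get(name.lower(), [])

def parse_spf(txt_records):
    """Return the SPF 'all' qualifier ('-', '~', '?' or '+'), or None if no SPF record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            # A missing qualifier means '+'; a missing 'all' term defaults to neutral/pass.
            return (m.group(1) or "+") if m else "+"
    return None

def parse_dmarc(txt_records):
    """Return the DMARC policy ('none', 'quarantine' or 'reject'), or None if no record."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() or "none"
    return None

def assess_domain(domain, records=SAMPLE_TXT):
    """Classify a domain as spoofable unless SPF restricts senders AND DMARC enforces."""
    spf = parse_spf(lookup_txt(domain, records))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, records))
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf in ("+", "?"):
        findings.append(f"SPF ends in '{spf}all': any host may send as this domain")
    elif spf == "~":
        findings.append("SPF softfail (~all): forged mail is flagged, not rejected")
    if dmarc is None:
        findings.append("no DMARC record: receivers take no enforcement action")
    elif dmarc == "none":
        findings.append("DMARC p=none: monitoring only, forged From: headers pass")
    spoofable = spf in (None, "+", "?") or dmarc in (None, "none")
    return {"domain": domain, "spf_all": spf, "dmarc_policy": dmarc,
            "spoofable": spoofable, "findings": findings}
```

SPF alone is not enough because it checks the envelope sender, not the From: header a user sees; DMARC is what ties the two together and tells receivers to reject mismatches.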
Don't like to click on redirected buttons? Cut & Paste this in your browser: