
How did they get to 3 billion accounts?
Considering Yahoo was never really that big outside the US, how did they amass 3 billion accounts? Many dormant accounts?
With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide. In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the …
I suspect they had that many accounts because they hosted email for others.
My ISP-supplied email account was actually hosted by Yahoo! until this breach happened; they have since brought their email system home, which is nice.
At the time they also forced users to change their passwords. I guess they didn't believe Yahoo!'s assurances that it was only "some" accounts.
Easy answer to the 3 billion question... many of us had throw away accounts there. I had 5 and lost all 5 so I created 5 new ones that so far haven't been "attacked" as far as I know. The first 5 had their passwords changed by the miscreants and luckily, all 5 were clear of any emails. I generally check them daily and delete any email since like I said... throwaways.
TalkTalk manage their own email. Does that make them any better?
I still have a @lineone.net address from the days when you accessed the internet by paying 3p per minute for a dial-up phone call. It still works, to usual TalkTalk levels of reliability, even though I left them about 20 years ago.
I know (as one personally affected) that for the original BT consumer email accounts, BT insisted you had to confirm your home address (which they had automatically lifted from your phone a/c), mother's maiden name and date of birth. BT then facilitated sharing of these details with Yahoo when we were shifted (or should that be shafted) to the Yahoo service but both failed to make sure they were kept securely enough.
Once home address, mother's maiden name and date of birth are out there together in a nice package, you are ripe for identity theft. One attempt with my info involved a bank loan using my credentials but with a slightly different address (an empty house down the road).
The loan was approved subject to paperwork being signed and returned. Fortunately the friendly postman who knew us delivered the paperwork to my real address (seeing my name and initials).
You wouldn't credit (pardon the pun) how uninterested the bank concerned seemed to be.
After the last attempt to shift us BT Yahoo mugs to a different but cheaper-for-BT outsourced service failed miserably (surprise), it looks like millions of BT suckers are stuck with Yahoo for ever. "Yahoo!" or should that be "Oh Fcuk!"
At one time Yahoo provided email services to AT&T and all AT&T email accounts were directed to Yahoo - I'm sure that's changed now but when the accounts were migrated did anyone change their passwords?
Ah... no. Yahoo still provides email services to AT&T, despite now being owned by Verizon. AT&T's level of incompetence is approached only by Comcast, Times-Warner, BT, Verizon and Sprint, and exceeded only by Yahoo and perhaps Talk-Talk. Hmm. Wait. Yahoo is now part of Verizon. Oh, my.
They were / possibly still are the market leader in Japan.
Back then, they were the biggest email provider, slightly ahead of Hotmail. Gmail may have overtaken them now.
Also, a lot of people have more than one account. For example sexylegs69@... might be a good choice for signing up for dating sites, but not for signing up with recruitment agents.
I believe that BT Internet and Yahoo were linked in some way, can't recall details but defo my btinternet.net email was with Yahoo, and I suspect other ISPs may have been providing email accounts through Yahoo. Plus when do you delete a user account when the number of accounts is how you measure/boast how big you are? Plus all those spam mailboxes that got created in the 90s but not deleted, 3 Billion accounts or email address is a possibility, but there were only probably 1 billion real users, and on 30 active ones.
One of her predecessors invested in Alibaba, which came to fruition to the tune of $1B, which she frittered away. While Yahoo was already on the ropes when she joined, she was not a good CEO - turning around a business when you have a billion dollars at your disposal is definitely not hard mode.
Yeah, Yahoo stock more or less doubled under Mayer, but pretty much all of that was down to the Alibaba holding - if you take it out of the equation, Mayer had almost no impact whatsoever. In fact, Yahoo shares became a direct proxy for Alibaba fairly early during her tenure, which implies that the market didn't think her decisions would have any measurable effect on anything - or that Yahoo under Mayer was going to do anything valuable by itself, either.
How about now?
I thought record levels of remuneration were because of assumed risk of being thrown to the dogs in the event of malfeasance. This level of "mis-statement" of the company's vulnerability to litigation would seem to invite criminal investigation.
Unfortunately this level of compromise, linked with stupid security failings like poor password hashing or improperly stored personal data or lack of investment in reasonable protection, is always going to happen until significant jail time is available and targeted at the executive levels. Bit like SOX compliance - as soon as the threat of felony convictions appeared in the US, proper auditing suddenly became de rigueur.
with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring.
Perhaps that challenge will take the form of shareholders challenging that remuneration in the light of the new evidence that has emerged.
I will mention, as I did for the previous stories about the estimates on account breaches; that at the time I suggested they were lying, as EVERYONE I knew with a Yahoo account had it hacked back in 2013.
I STILL get relayed emails from my old account, even though I lost control of it at the time; and at no point have I ever received an email from Yahoo telling me that my account had been hacked.
I suggest it isn't a case of "just found out", but more "we have just been found out".
Mmmmm....Hackers had access to Equifax systems from March to July. Who actually believes that only a portion of Equifax's data was taken? Given the five months it is more believable that all 920 million personal credit records and 91 million company records have been taken.
The hackers had a capped internet connection, could not download more ;-)
"The hackers had a capped internet connection, could not download more ;-)"
You may be joking, but this is actually more or less right. The hackers knew what they were doing, and so will have throttled the data extraction to avoid producing a tell-tale traffic increase. It's not uncommon for extraction to occur at <10kb/s across several months to avoid detection.
The only reason I did not know for certain that all Yahoo users were hacked... is I was not able to ask all of them.
All of those I know (and even my own accounts), showed signs of strange actions/hack/attempts. Such as password resets (normal if someone tries) and occasional failed delivery attempts (that could have been false headers on someone else's email)... so I was unable to confirm, but was suspicious that someone had had an attempt at sending out emails from my account.
That and I know a lot of people whose accounts were "hacked" and needed to change passwords.
Yahoo! forced everyone on Flickr to use a Yahoo! email account. I have a Flickr account and I had to use a Yahoo! email account after some date (around 2013) and I was unable to use my normal email account at the time. I just set it up, saved the password and never used the Yahoo! email account for anything.
"The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information."
Two months from now: "There was a misprint in our last public statement regarding the one three billion compromised user accounts. The word "not" should be removed from between "did" and "include". Oath Shredded Foot Inc sincerely regrets the error."
Yahoo began in the kinder, gentler days of the internet, and unfortunately secure web programming practices clearly weren't on their mind. However, to have failed to have monitored, tested and updated their systems to ensure that they kept up to date with security best practices is unforgivable.
But I still have a small fond spot for Yahoo because of the Yahoo Groups mailing list hosting service, which really was a great service for many groups and organisations back in the days of dialup, when every minute online cost you money (and monopolised your phone line). However, the user base of those groups has gradually trickled over to web forums and, apart from Flickr (which was an acquisition rather than an in-house service) Yahoo didn’t really seem to find a niche after broadband arrived.
A bit of a shame for one of the web pioneers: with some forethought, and with technically competent management (and, hopefully, rather less evil), Yahoo could somehow still have been where Google are now...