• Yahoo’s 2013 hack, again in the news

    #135140

    Reports have showed up all over the place in the last several hours, stating that ALL 3 BILLION (yes, with a B) Yahoo accounts were hacked in the 2013
    [See the full post at: Yahoo’s 2013 hack, again in the news]

    • #135153

      Yahoo data breach: NCSC response
      Created: 15 Dec 2016
      Updated: 04 Oct 2017

      UPDATE: Yahoo data breach

      Media outlets are reporting that all Yahoo user accounts were affected in a hacking attack dating back to 2013. Yahoo put out additional advice to its customers yesterday. It states that:

      Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016. This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts. https://help.yahoo.com/kb/account/SLN28451.html?impressions=true

      NCSC advice from December 2016 remains valid and is set out (read the full article here)

    • #135225

      Excuse my stupidity, but what is 2FA that I am supposed to secure my account with?

      • #135231

        2FA is 2-factor identification (authentication). When you log in, it sends a message to your cell phone or email with a unique code that has to be entered before the login is completed. Someone trying to break into your account would not have access to your phone or email, and would thus be unsuccessful.

        • #135304

          PKCano wrote:
          2FA is 2-factor identification (authentication). When you login, it sends a message to you cell phone or email with a unique code that has to be entered before the login is completed.

          I haven’t seen Yahoo Mail or Gmail offering 2FA login authentication via a secondary email address — although Gmail allows an option for the user to be notified at a secondary email address AFTER a login is detected.

          I recall that Yahoo Mail’s 2FA uses cellphone SMS for on-demand login authentication. Likewise for Gmail. Sometimes, the SMS may take more than 10 mins (or even forever) to arrive.

          If SMS is not available or feasible, a Gmail user can periodically request a limited list of pre-determined codes to use as 2FA login substitute. But I don’t recall Yahoo Mail ever offering this non-SMS method.

          Qn: So how can Yahoo Mail users without a mobile plan (hence no SMS) secure their webmail logins? (And in case it’s not obvious, smartphone apps are of no use to those without a mobile data plan, even if Yahoo Mail were to allow 2FA via smartphone authentication.)

      • #135262

        Two-factor authentication is the best thing to come to security since not turning on your computer or putting it on a network.

        Since it uses a completely different device to deliver a code for you to provide as something you know, it significantly reduces the risk that someone somewhere in the world, far away from you, logs in successfully to your account using something stolen like your user name, password and security questions.

        You can try Google Authenticator. This is an app for your phone. You scan a barcode online, then the app will show you a list of ever-changing numbers you will have to use on any new device when you try to log in for the first time. Depending on your level of comfort, you might set it, for example, to not ask for the code again on your desktop computer, but leave it to ask if you log in to your personal account on a work computer you normally don’t use to access your email (which in the first place might not be such a great idea to use anyway).

        For all of those who use TeamViewer, I highly recommend you use two-factor authentication. People think they have been hacked at some point, which is pretty terrible. They say it was just people with lazy security practices and not them having issues, but regardless, the possibility of hacking is very real, so limiting access to only your account using the whitelisting option, removing the random password and protecting your account with 2FA for this useful tool is a good idea.
    • #135314

      Two-Factor Authentication is not a magic pill for security, sadly. Several articles on the topic have been posted in Code Red – Security advisories: Adding Extra Authentication Layers May Not Make You More Secure

      • #135587

        Thanks Kirsty, but when I click on the link, there is nothing to read about 2FA’s shortcomings. Care to elaborate? From what I read below, it seems to concern more intercepting SMS, but with Google Authenticator you don’t have this issue.

        To me, it seems 2FA is a huge step above normal login and password with dumb security questions. It solves a good portion of having control taken from your computer, because another piece of the puzzle is needed that is not on the device used for access. I am curious about what the shortcomings are. Maybe even if it is not perfect, it is still a much better security measure anyway?

        • #135664

          My cynicism is nearly getting to the point of thinking security is an illusion – the human factor is often the weakest link, but as you say, there isn’t a perfect solution.

          The future may be more promising (at least, I certainly hope it is) 🙂
          I found this article a few months ago, on the subject:

          Imagining frictionless authentication
          What if we lived in a world without passwords?
          on csoonline.com

    • #135549

      Further on the subject of email security and U2F (Universal 2nd Factor)…

      Google Reportedly Plans Stronger Authentication Options
      Experts Welcome ‘Advanced Protection Program’ Involving Physical USB Keys
      Mathew J. Schwartz (euroinfosec) • October 4, 2017

      Google’s two-step verification setting, for example, sends a one-time login code to a user via SMS or a voice call, or a user can tap the Google Authenticator app to generate the code.

      But these additional log-in factors can be intercepted by attackers.

      “SMS is the weakest and not considered secure, especially for high profile users,” Chester Wisniewski, principal research scientist at British anti-virus firm Sophos, tells Information Security Media Group. “Time-based tokens like Google Authenticator are good, but can be phished. Google also offers push notifications to Android users, which are reasonably secure, but nothing really beats a physical token.”

      Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure, tells ISMG that phishing attackers can send victims to sites that collect their Gmail login usernames and passwords, as well as their SMS codes or one-time tokens. Working quickly, attackers can log in to victims’ accounts before the codes or tokens expire.

      Read the full article here

    • #135315

      Twitter/ Zack Whittaker wrote:
      Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.

      On a related note, “dormant” Yahoo Mail accounts automatically get deleted after 12 months of “inactivity” since the last-detected user login. So I guess these accounts are vulnerable to hijacking as well.

      But the thing is: “Inactivity” might merely mean that the Yahoo Mail system doesn’t detect any user login via a desktop browser. It is not clear if regular mail synching/sending via standalone mail clients or accessing Yahoo Mail via a mobile interface are regarded as valid logins.

      For the case of Outlook.com/ Hotmail, I understand that one has to log in using a desktop browser at least once every 270 days, because other means of accessing the webmail do not appear to constitute a login.

      • #135316

        For the case of Outlook.com/ Hotmail, I understand that one has to log in using a desktop browser at least once every 270 days, because other means of accessing the webmail do not appear to constitute a login.

        If I remember correctly, in the “old days” at least, Hotmail and free Yahoo mail could not be “popped” using a mail app. You had to pay Yahoo an annual fee to get that facility. That would go along with the necessity to log in from a browser.

        • #135351

          Yep, I still pay around $20USD per year for a Yahoo Mail Account with better spam filtering, fewer ads and POP-3 access from my desktop (Linux) client. And I was notified of the 2013 security breach — in 2016! So now even closing your Yahoo Account can put you at risk? Will tech wonders never cease! Security breaches — the gift which keeps on giving.

          All of this does NOT require logging in with a desktop OS or a web browser. To my knowledge, only Hotmail and maybe GMail require this. Outlook in the Cloud I don’t know about.

          2FA only requires using two different devices when logging in. Could be 2 different phones, for all I know.

          -- rc primak

          • #135494

            rc primak wrote:
            Yep, I still pay around $20USD per year for a Yahoo Mail Account with better spam filtering, fewer ads and POP-3 access from my desktop (Linux) client. […] All of this does NOT require logging in with a desktop OS or a web browser.

            The reason why you do not need to log in to the paid Yahoo Mail using a desktop browser is that the paid version does not become expired/ deactivated even if you do not periodically log in or even actively use it, i.e. as long as you keep paying for it.

            Other benefits of the paid Yahoo Mail are: (1) No adverts, (2) Better spam filtering, (3) Priority support.

            Note that you aren’t actually paying for POP3 access nowadays. Yahoo Mail’s POP3 has been free to use since at least 2013, while its IMAP is free to use since as long as I can remember.

            As Yahoo Mail’s free users do not have the privilege of no account expiry, one needs to log in using the DESKTOP browser at least once every 270 days (the current limit, subject to change) in order to keep the account alive.

            • #135498

              Edit to my previous comment (Reply #135494):

              I meant to say that Yahoo Mail free users need to log in using DESKTOP browsers at least once every 12 months.

              The once-every-270-days login applies to Outlook.com/Hotmail users.

          • #135501

            rc primak:
            2FA only requires using two different devices when logging in. Could be 2 different phones, for all I know.

            Interesting, but 2FA requiring 2 smart devices (each with its own mobile data plan) seems a step backward.

            Webmail was in common use even before “dumb” mobile phones became available. To me, access to webmail should be regarded as a basic web service.

            Requiring 2 smart devices for webmail 2FA is akin to needing to have 2 electronic talking toothbrushes on hand, before one is allowed to enter an ordinary washroom.

            Since not everyone has access to 2 electronic toothbrushes — or 2 internet-enabled mobile smart devices, it is better to design a more accessible but still secure method for 2FA. Otherwise, many people would be shut out of webmail.

        • #135491

          PKCano:
          If I remember correctly, in the “old days” at least, Hotmail and free Yahoo mail could not be “popped” using a mail app. You had to pay Yahoo an annual fee to get that facility. That would go along with the necessity to log in from a browser.

          I’ve been accessing Outlook.com/ Hotmail.com/ Live.com etc. via IMAP using a standalone email client since 2010, free of charge. As such, there is no need to log in using a desktop browser — unless it’s to prevent the email account from being deactivated due to lack of desktop browser logins.

          I recall that Yahoo Mail’s IMAP & POP3 access have been free for several years. Hence there is no need to log in via the desktop browser either. Further info at: Quora, Google Groups, QuickOnlineTips
