Here we go again. Friggin' Yahoo. Sigh.
Earlier this year, the company announced that 500 million Yahoo accounts were hacked in a massive breach. This was very upsetting, as it happened back in 2014, meaning users were not made aware for years. Today, an entirely different hack is brought to light. It is even worse than the previously announced breach, as it happened a year earlier (in 2013), and it impacts twice as many accounts -- more than one billion!
"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected", says Bob Lord, CISO, Yahoo.
Lord further explains, "separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies".
Are the same hackers responsible for both the 2013 and 2014 hacks? Maybe. Yahoo says there might be some proof of a link, but quite frankly, after all these hacks, I don't trust a thing the company says regarding security. Yahoo has failed the world twice now -- all trust is gone. Thankfully the company is working with law enforcement, so there may be some competent eyes on this issue too.
The company will be notifying impacted users, but since there are over a billion of them, that may take some time. Quite frankly, to be safe, I would suggest assuming you have been hacked regardless of whether Yahoo alerts you or not. The company shares the following steps that it recommends users take.
There is another step that the company fails to list -- deleting your Yahoo account. That would be my recommendation to anyone reading this. Look, there are plenty of other email services -- move to something else. Yes, switching an email address can be a pain in the rear-end, but it is worth it in this case. True, the company offers other services besides email, but those things can be found elsewhere too.
To paraphrase the old saying, "Fool me once, shame on you. Fool me twice, shame on Yahoo". Don't get fooled for a third time.
What do you think of the hack? Do you trust Yahoo? Should Verizon cancel its acquisition of the company? Tell me in the comments.