Yahoo Breached

Yahoo says huge security breach exposed account information for at least 500 million users
[ATTACH=full]58631[/ATTACH]
SAN FRANCISCO — Information from at least 500 million Yahoo accounts was stolen from the company in 2014, the company said Thursday, indicating it believes a state-sponsored actor was behind the hack.

The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, Yahoo said.

Even in an Internet-dependent population accustomed to the regular occurrence of massive data breaches, the size of this one — thought to be the largest ever in terms of user accounts — is attention-grabbing. And the possibility that another country could be behind the attack adds to the shock factor.

[URL=‘http://www.usatoday.com/story/tech/news/2016/09/22/yahoo-may-biggest-data-breach/90830270/’]http://www.gannett-cdn.com/-mm-/9065941e142eb769bb76794c742e08d1e14ee558/r=300/http/www.gannett-cdn.com/-mm-/9065941e142eb769bb76794c742e08d1e14ee558/r=300/http/www.gannett-cdn.com/-mm-/a8d74ce4c5056523d4a952d9007ba297071c7d0f/c=195-0-877-682/local/-/media/2016/07/25/USATODAY/USATODAY/636050361248847218-AX054-2D21-9.JPG
USA TODAY

Yahoo may be the biggest data breach

[/URL]
The FBI said it was aware of the intrusion and is investigating the matter but did not give any information about whether it had specific insight into who might have been behind the attack.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the agency said in an emailed statement Thursday.

Claims surfaced in early August that a hacker using the name “Peace” was trying to sell personal information of Yahoo account users on the dark web — a black market of thousands of secret websites.

[URL=‘http://www.usatoday.com/story/tech/news/2016/09/22/yahoo-breach-500-million-what-to-do/90849498/’]http://www.gannett-cdn.com/-mm-/9065941e142eb769bb76794c742e08d1e14ee558/r=300/http/www.gannett-cdn.com/-mm-/9065941e142eb769bb76794c742e08d1e14ee558/r=300/http/www.gannett-cdn.com/-mm-/f190cab1317d38eed458ba95ec68013e9c4c8267/c=412-0-2417-2005/local/-/media/2016/07/25/USATODAY/USATODAY/636050434014997528-40438JS002-YAHOO-REPORTE.jpg
USA TODAY

What Yahoo users should do

[/URL]
Reset passwords

Yahoo, which says about 1 billion people globally engage with one of its properties each month, said it was notifying potentially affected users and taking steps to secure their accounts, such as invalidating unencrypted security questions and answers. Users who haven’t changed their passwords since 2014 should do so, it said.

About 250 million use Yahoo Mail, while another 81 million use Yahoo Finance and tens of millions use Yahoo Fantasy Sports.

The Sunnyvale, Calif. company is also reaching out to users of Flickr, the 113-million-user photo-sharing service whose accounts may have been linked to their Yahoo IDs. No accounts on Yahoo-owned blogging site Tumblr should be affected.

Verizon sale in progress

The announcement comes at an awkward time for Yahoo. Pressured by investor activists disgruntled by stagnating growth under CEO Marissa Mayer, the company engaged in a multi-month sales process, culminating in a July deal to sell its core Internet business to media giant Verizon Communications. The $4.8 billion deal is expected to close in the first quarter of next year.

Verizon said it was notified of the Yahoo breach “within the last two days.” “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said.

Given the unsettled nature of Yahoo’s ownership just now, “regulators should be concerned with who will take responsibility for the response to this compromise. It can be easy for the ‘right thing to do’ to slip through the cracks in a multi-billion dollar transition," said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm.

The breach doesn’t threaten Verizon’s acquisition of Yahoo, says Robert Peck, Internet equity analyst with SunTrust Robinson Humphreys. But the investigation will likely lead to findings that perhaps 5% of users have left Yahoo and that could yield a lower price for Verizon.

Should the result be that Yahoo has has perhaps 5 million to 10 million fewer users than when the transaction was announced in July, “this could affect the Verizon purchase price from around $100 million to $200 million,” Peck said.

Yahoo’s has pledged to stay on with the company through the close of the merger, which is being overseen by Verizon’s Marni Walden and AOL CEO Tim Armstrong. Yahoo shares (YHOO) were flat Thursday. Verizon (VZ) shares were up 0.9% at $52.35.

http://www.gannett-cdn.com/-mm-/d44bf9ac740cfa2e4c015e985cf20e4ec8d6fdc9/r=540/http/videos.usatoday.net/Brightcove2/29906170001/2016/07/29906170001_5049628351001_5049629030001-vs.jpg

USA TODAY’s Matt Krantz explains why Yahoo CEO Marissa Mayer was awarded so much money as the company’s fortunes waned.

Credential stuffing

Most consumers might not think there’s much in their Yahoo account that would be of use to hackers, which typically might only include their email and Yahoo password. However, those two bits of information offer multiple uses for ingenious hackers bent on extracting the maximum value from information, say experts.

According to a Gartner survey, 50% of users reuse their passwords across multiple platforms. So armed with an email address and Yahoo password, hackers might be able to gain access to multiple accounts.

The technique is called “credential stuffing” and it’s become epidemic over the last year and a half, said Avivah Litan, a vice president and analyst at Gartner Research.

“The bad guys get lists of user IDs and password and then test them, they run through them at all the sites they want to attack to see where they work,” she says.

Once hackers gain access to other accounts, they are able to assemble dossiers on individuals. These are called “fullz” and include as much information as the hacking group has about a person, assembled from multiple sources over time. Typically they contain the person’s name, Social Security number, birth date, address, birthday, account numbers and other data.

"There are fullz available probably for most of the U.S. population,” said Litan.

The attackers don’t only use that information to go after bank accounts and credit cards, but also less obvious and harder to track information that is still worth money on the black market.

That can include loyalty points at hotel chains and airlines, avatars and points from online games, even stored value in coffee cards. Once accessed, all of these can be siphoned off, bundled and then resold.

“They’ve gone low, slow and distributed. You used to be able to see these attacks coming through really quickly after a breach,” said Litan. Instead organized crime groups take their time, harvesting points and value.

“It’s very lucrative,” said Litan.
http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-confirm-massive-data-breach/90824934/

its amazing how long it took them to publish this information to the masses about the hack which happened sometime around September 2014. wonder why its taken 2 years

what!!!, you mean si ya jana?

N0 sio jana, it actually happened in 2014, thats why they are down playing it by saying people who haven’t changed their passwords since 2014 “MIGHT” be affected. infact they did not just get the usernames list.

They took the full shebang

  1. email addresses
  2. alternate email addresses (the ones you listed for recovery ),
  3. phone numbers
  4. hashed passwords
  5. all the recovery questions and answers, bulk of which were not hashed (that shit they ask you for a security question so that you can verify your account if you have forgotten the password)

it was a proper cleanup

the only reason why they are admitting it right now is because most of the trove was put up for sale on the dark web last month

tahnks for info, hio trove yauzwa mangapi? asking for a friend

3 bitcoins only (1800 dollars ) by a hacker going by the name “peace” same guy who cleaned out linked in

am pretty sure they already sold the real stuff they were looking for so right now they are just taunting yahoo, why go to all that trouble for 3 bitcoins

P.S tell your friend thats a no go zone right now

Hiyo $1800 ni mingi angesema $100 tungeongea, my first email address was yahoo when i was a player mbaya. There is a treasure trove of contacts there i lost when i forgot the password and couldn’t figure out the reset email address.

btw the information was verified by motherboard.vice.com last month, they got a subset of the trove and tested against over 5000 email accounts and they all checked out, but as i said in previous post, right now dont even think of touching it even with a long pole, its a hot potato because the FBI are keen to pin someone to divert attention because based in the chatter , it was actually a government sponsored act, they only went shy of naming the government

Nataka kujaribu kumine bitcoins.

:D:D:D:D:D

Dont try it on this one, though there is a huge business opportunity, can you imagine if you just got hold of 100000 accounts, locked out the users and you charged them 100 shillings to recover their passwords, assuming you even get hold of 10000 users, that’s a clean 1M

P.S dont try this at home, at work , at school or any where :smiley:

:D:D:D:D:D:D:D:D:D

Biashara ni biashara

mkubwa ni nini ii naskia inaitwa darkweb market? how does it operate? how do people sell those hacked account passwords, how do you open one, mbona tusipatikane tukirun website ya chini ya maji? etc
Nisaidie in layman’s terms angalau nielewe what it is

this one requires a very looooooooooong explanation but in short and loosely put and for educational purposes only, most web applications run on TCP and UDP which are easily readable by search engines so an encryption was added to the application communication layer of the protocols which does multiple encryptions to the full data packet right from senders IP to recipients IP (and i mean multiple layers laid on top of each other) and the actual payload and a new routing mechanism added to use virtual nodes to make the communication practically untraceable/untrackable. This network which is bigger than the indexable web is what makes up the darkweb or deepweb and thats where all illegal stuff happens

i suggest you read about the onion project/Router (commonly known as TOR) will be a long read but will give you more detailed information than i can give you here

you might also want to check out some other interesting things like cicada 3301 (if you are a geek, this is where to do a dick measuring contest) and the A858 (this one no one has every cracked yet since it surfaced in 2011 until it went dormant a while back, it still has a cult like following)

I floated! :smiley:
Wacha nifanye though survey ya kugoogle niisome vilivyo. Thanks

Some of these Ukrainians are very idle with the economy bungled.

Try. You will be famous. You will equal mwau in being badass.