Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[kitz]

Following their takeover of Yahoo, Verizon have now admitted that all 3 billion Yahoo account were hacked in the 2013 data theft. 

Both BT and Sky used Yahoo for email services as well as a few smaller ISPs were affected.  I can recall last year many BT customers trying to get confirmation if their BTYahoo account was hacked and if they were involved in what at the time was reported as 1/2 billion affected accounts.

So they were orginally hacked in 2013/2014, which they only admitted to last year when a hacker publicly disclosed that they had obtained Yahoo data.  Originally they said 500 million. Then a couple of months later admitted there was a second data breach bringing the total up to 1 billion and even then they were unsure if BT & Sky customers were amongst those affected.   

I guess now we have the answer

Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

Source:  reuters

[Moderator edited for typo fix -- s/2104/2014/.]

[burakkucat]

Link to a post by 7LM on the same topic.

[kitz]

Thank you b*cat for the linky.  Although I have vague recollections of the earlier attacks, I'd completely forgotten about that thread from 2013 and its contents, so I found it interesting re-read through it. 

It just confirms that Yahoo were
1) Lapse in security
2) In complete denial that their systems were under attack, despite evidence to the contrary and they failed to act in a timely manner.

To add further insult to injury, there was another data breach in 2014 which further confirms that

1) Yahoo were extremely lapse
2) Still in denial that their systems could be compromised.

...  and now we find out they lied and bluffed about the extent of the damage

I was wondering why they would do that, but during the 2013-2014 they held some pretty big contracts from some very large ISPs all around the globe which I bet they were scared of losing.  As I mentioned in my earlier post they never came clean with BTYahoo and even BT didn't have any idea the full extent of which their customers may have been affected.  All they knew was that "some may have been".

Considering they handled all the name@btinternet.com mail, I think its a fair bet to say that there was a strong probability that the EU's broadband account 'could' also have been accessed because most users got transferred over to BTYahoo using the same login/password info.   
I must stress that fortunately there is no evidence that the hackers went this far..  but the fact remains they could have done. Same with Sky.  I know for a fact that my @btinternet.com password was the same as what was then my bt internet & phone account.  Same with dads Sky broadband account.

[sevenlayermuddle]

Well I for one actually feel a little better.      That is the one and only time ( ) I’ve had an account hacked.   I never really believed that I’d opened any phishing emails, or clicked on anymalicious links.   And if absolutely everybody else was hacked too, I’d say it is safe to assume my innocence was proven, surely it was a solely server side hack.

The underlying characteristic of my experience was of course, that the hacker gained access to my acccount not many minutes after I’d logged in myself, the two had to be connected.   Yet I was certain I’d got to the login page by typing into the address bar, rather than clicking any links.   I did wonder if Yahoo may have actually been unknowingly hosting something malicious on their real login server?

[Bowdon]

I'm not sure if my experience is connected, but I remember around that time my email account was hacked with someone using the yahoo app from a mobile phone. He was from Poland, at least thats where the ip traced back to.

What's odd is he must have gained my password from somewhere because I never got the email password change confirmation. I just changed my password and he was locked out again. I wondered if there were some security risk with him using the mobile phone app to get in. I'd have expected him to use a computer.

[sevenlayermuddle]

Given the billions that were attacked, safe to assume I think, these attacks were fully automated with no human intervention.

If I understood right at the time, it’s possible that attacker never actually got, or needed, any passwords at all.   Rather, he (/it) was simply able to remotely take over an existing session, and then use it to harvest mail and spam contacts.  That would be consistent with my own experience, where contacts were spammed just after I accessed a rarely-used yahoo account.

I do emphasise ‘possible’ as I don’t think they’ve ever admitted what really happened, and/or it is also possible my understanding was wrong.