Yahoo Was Breached

Yahoo confirmed that they were breached in 2014 by presumably a state-sponsored hack. 500 million user credentials were stolen.

The stolen data include names, email addresses, telephone numbers, birthdays, hashed passwords, and some “unencrypted security questions and answers.”

If you’ve got any kind of Yahoo/Flickr/Tumblr account, probably wise to change passwords now.

It looks like Yahoo added 2-factor authentication, too. Probably wise to activate that.

Done and done, thank you!

I just logged into some alt accounts and Yahoo forced me to update the password after login.

Also, if you had set up security questions/answers, disable them in your account settings. That information was unencrypted and is therefore compromised. Hope you didn’t use those same questions/answers for other sites.

And, yeah, 2-factor set up on all accounts.

Good luck with that since every site uses the same set of easily found or socially engineered information as security questions! Sorry. I hate hate hate security questions and can’t wait for them to die in a glorious fire. The good news is that since this was 2 years ago the data has probably already circulated.

Yeah, this is pretty bad. They didn’t just get logins and hashed passwords, but they got a lot of personal info on each user.

Wonder if Verizon is gonna have second thoughts about that $4.8 billion?

Every site gets hacked. It’s guaranteed. Don’t re-use your passwords to limit your exposure, and use two-factor whenever possible. That’s all you can do.

The security questions getting hoovered up unprotected does blow, particularly because:

A) As @LockerK notes, everyone uses the same damned questions. I’m about half a minute away from just using LastPass to generate randomized answers to those, too

and

B) While 2FA is definitely becoming noticeably more common, it’s still not nearly as universal–or convenient–as I’d like.

Bah :(

That is exactly what I do, and you should too.

It’s nice to get that early heads up on stuff like this. 2014? Sheesh.

Me too. Favorite car? w[?#.GccV)VkG>8M First pet’s name? mcy};hA9s!AM(!f_

Works great. I store them as notes in the associated lastpass login
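The approach the two posts above describe, treating security-question answers as just another random secret kept in the password manager, as an added example (not code from the original thread or from any password manager). It draws answers from the OS cryptographic random source via Python's `secrets` module, and the alphabet and the 16-character default length are assumptions chosen here, not values from the thread.

```python
import math
import secrets
import string

# Alphabet to draw answers from: an assumption for this example, roughly the
# character set a password manager's generator would use.
ALPHABET = string.ascii_letters + string.digits + "!#$%()*+,-./:;<=>?@[]^_{|}~"


def random_answer(length: int = 16) -> str:
    """Return an unguessable answer built from the OS CSPRNG (secrets), never random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols over `alphabet_size`.

    A real answer ('Ford', the name of a pet) is a few bits at most; a generated one
    is length * log2(alphabet_size), so it cannot be found on social media or guessed.
    """
    return length * math.log2(alphabet_size)


def build_answers(questions, length: int = 16) -> dict:
    """Map every question to its own fresh answer so no two sites share one."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions, mirroring the ones quoted in the thread.
    questions = ["Favorite car?", "First pet's name?"]
    for q, a in build_answers(questions).items():
        print(f"{q} {a}")
    print(f"about {entropy_bits(16):.0f} bits of entropy per answer")
```

The generated answers are meant to be pasted into the site and stored as a note on the matching password-manager entry, exactly as the post above describes; the point is that a question whose answer is public information becomes a second random password rather than a recovery backdoor.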

The rumble is that this has been known for months, but was kept hush-hush by Yahoo because someone was busy trying to sell one’s megacorporation to an even bigger megacorporation.

Wonder if this was caught by the due diligence folks. If not, that check Verizon writes could suddenly be smaller.

I read about this here and immediately changed my password, set up 2 factor authentication and turned off the security questions. I got the email from Yahoo about this just this morning. Great work Yahoo.

Yeah, I activated the 2-step a while back when they told me someone was trying to log into my account from the Ukraine or some such country.

My advice to anyone who will listen to me is that if there’s money (including access to your cc numbers) involved, ALWAYS use the 2-factor authentication.

So what’s the legality of them sitting on this info for the best part of two years? Don’t they have some legal obligations to report this kind of breach within a reasonable period?

Yeah, I was wondering why every time I logged in, Yahoo would suddenly and repeatedly prompt me to replace my password… After ignoring it for a few days I changed the password and suspected they’d been hacked but hadn’t come out and said as much (this was before it became public knowledge). That the whole thing happened two years ago is an absolute joke! Seriously, they can’t just sit on that info for THAT long and not say a peep!

Shows you how much you can trust them. I’m curious about the fact that they asked me to straight up remove my security questions, not change them. They also have an obnoxious prompt to restrict access to “secure” apps, without showing in any way what apps will get denied, even after the fact.

Well, they’re not alone. NSA lost the tools leaked by “The Shadow Broker” 3 years ago, and didn’t say anything until they were “officially” out in the wild. Meanwhile Cisco and other vendors had vulnerable products with no knowledge about it for years.

I like how, when I logged into Yahoo! To! Change! My! Password! they! Immediately! Asked! if! I! Wanted! To! Add! My! Phone! Number! (Presumably, so they could leak that as well…)

Another good reminder to use random passwords and not the same one for EVERYTHING (as I admittedly used to be guilty of).

I also am a fan of the greater than 8 cylinder Model M.