Yahoo Was Breached


I prefer the ≥ 8, myself.


Not about Yahoo, but how safe would those ‘random passwords suggested and stored by Safari’ be? I usually don’t like to pick those because it means it’s all but impossible for me to log in to website X without a Mac or iOS device nearby - admittedly, a rare thing - but also because I might accidentally overwrite the default-in-cloud-memory password at some point. But in theory, they should be pretty secure since the passwords they suggest are so random. Unless iCloud/Keychain suffer a hack.


Handy site:

Enter the email address you want to check and it’ll list all the sites associated with it that have been compromised, when they were compromised, and what sort of data was compromised.


Love that site.

My main email: 10 compromises, my other email: 3 compromises.
Wish companies would do more to secure my data - or at least that they were punished in relation to how many steps they took to secure the data.

The most fun was that MySpace apparently waited 8 years before notifying about them being hacked.

(Weird, unable to paste link in here…)


On my main:

Gamigo, LastFM and LinkedIn. Three sites that I haven’t used in years. None on my secondary.


Lord of the Rings Online for me. Ha! Good luck with that one, hackers! Enjoy my scrubby low-level hobbit.


It was just the forum.

Suppose you re-used password? :)


Could be. I don’t even remember what that login/password was. Enjoy my handful of technical support posts, thieves!


Verizon’s top lawyer dropped hints today that they could kill the Yahoo deal over this.


How do you set that up? I use LastPass, but when I get an extra security question with an answer, if I use LastPass to change that, it then thinks this is the main password for the site, not just some kind of sub question.

I.e.: If my password to is “cat” and then bob asks me a security question and I have LastPass generate a password which ends up being “dog”, then when I log into, it now thinks the main password is “dog”, not “cat”.


I just hit ALT-G to generate a new password, then edit the entry in LastPass and put in the notes field:

Mom’s maiden: I$8oAn4eDlZet8
Street I grew up on: Hvg#1xNu3$JLpD
Childhood best friend: wN5s6hA7*Y6w


I’ll have to try and remember that trick. I always just clicked on the icon LastPass puts in and told it to let it generate a password for me.

Currently I do not have LastPass installed at work. It’s a bit inconvenient sometimes. I wonder if it’s worth the risk installing and using it considering that IT people can remote in to my box.


They could install a keylogger too. You need to accept that risk.

Basically, install LastPass and set it to log out when you close your browser or it’s idle for an hour. Then close your browser when you go home at night.


Yeah, that’s a good tip. I find letting LastPass change and keep the passwords up to date automatically is not the best way to do it. I usually manually update passwords and just use LastPass to store and retrieve passwords.


Yahoo has identified an earlier breach, in 2013, that involves a billion accounts being compromised.


From an email:

[quote]We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?

Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.[/quote]

Meanwhile, on their info page, disclosure of a 3rd breach:

[quote]Separately, our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016…

Based on Yahoo’s ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.[/quote]

Stealing Yahoo’s security code surprised me for some reason but really it shouldn’t.


How laughable to get an email letting me know about a breach that happened several years ago and that I should change my password… thanks, Yahoo, you guys rock…


Verizon to Yahoo: According to our calculations, you now owe us $5 billion for taking your remaining assets.

Seriously though, Verizon was stupid for making an offer for them in the first place, and their due diligence was obviously not diligent enough. But Yahoo really deserves to be totally destroyed for this, liquidated completely with no money from VZ at all. Sucks to be one of their shareholders if you’re an ordinary person, but otoh those shareholders had 10 years to get out from under during which it was obvious to everyone in the world the company was spiraling the drain.



To put that number in perspective, there are currently ~7.5 billion humans living on the planet.

Some people have multiple accounts, etc, sure, but it’s reasonable to just eyeball it and say the Yahoo hack covers everybody who ever used a computer or cellphone.