New Yahoo Breach Affects 1 Billion Accounts

By John Lister

Stolen Yahoo account details could be changing hands for as little as three-hundredths of a cent according to security researchers. It follows a hack of more than a billion accounts.

It's the second Yahoo breach reported this year. Back in September the news broke that details of more than 500,000 accounts had been accessed by hackers in 2014. Now Yahoo has confirmed a separate attack in 2013 involved the theft of data for more than a billion accounts, something security experts believe makes it a record breach.

It's suggested that the stolen data includes email addresses and passwords, plus access to phone numbers, birthdates, and security questions - information which could potentially be used to unlock other accounts with more sensitive information. (Source: businessinsider.com)

Yahoo Points Finger at Foreign Governments

Yahoo has suggested either or both breaches could be the result of attacks financed and backed by a foreign government. However, experts have questioned that idea, asking why a government would want such details.

Instead the motive appears to be profit, with reports suggesting that copies of the 2013 database have sold for $300,000. That would put each account's "value" to buyers at just 0.03 cents, compared with a price of between 70 cents and $1.20 as the going rate per account on the black market, according to a recent study. (Source: sophos.com)

One theory is that the price was so low because buyers were only interested in the details of a specific section of users, namely US government and military staff. The database is known to have accounts for around 150,000 people in this category, meaning the buyers spent around $2 per address. (Source: bloomberg.com)

Stolen Data Buyers Targeting Military

It seems the buyers may not be primarily interested in accessing messages of stolen accounts; instead, they may be looking for cases where the user had listed a government or military email address as their back-up account in their Yahoo settings - for resetting a password, for example. Having the combination of a person's name and work email could make it much easier to carry out successful spear phishing attempts.

Spear phishing is an attempt to fool a specific set of users (usually belonging to an organization) in order to further obtain credentials or access to sensitive information, so that hacking attacks (such as espionage) can be carried out. These are reportedly the most successful type of attack made on the Internet today.

For example, cyber criminals may pose as the owner of one of the hacked Yahoo accounts belonging to military personnel, then send bogus email messages to trick colleagues into handing over data, or have them click on a link which installs spyware onto a company's server. If a cyber criminal has the correct name and email address of certain users, it makes the messages seem much more believable, and thus the attack much more likely to succeed.

What's Your Opinion?

Is Yahoo's reputation shot by having a second high-profile breach on such a scale? Are you surprised that account details change hands for such little money? What measures could tech firms, employers and users take to prevent either the motivation for or success of such hacking attacks?


Comments

Dennis Faas:

Back in February 2008, Microsoft offered to buy Yahoo for $44 billion. Now Verizon is looking to purchase Yahoo for only 1/10 that - only 8 years later.

At any rate, this second hack revelation is surely going to have people cancelling their email accounts in droves and looking for an alternative.

Personally, I have one Yahoo email account that I use when I sign up for free offers online - so it's just a "junk email account". I would never use their email service for anything else simply because their email web interface shoves advertising down your throat like it's going out of style. It's absolutely horrendous.

ecash:

How many services give you the Ability to Cancel, Quit, END an account?
THEN...how many will DO IT..Erase it all..

How many online Games..
Online services like Kongregate..
From Amazon/newegg, Any service...can you Drop erase your WHOLE profile??

I figure I probably have 200 accounts around the net, over the last 15 years..

JimBo:

Dennis, good article, but did you know that AT&T internet users receive a Yahoo email account? It's not exactly the 'free' variant but apparently uses the same servers. AT&T notified me of the breach and instructed me to change passwords, challenge questions, and personal info. Thank goodness the only personal info I had provided was my 'required' zip code. How many DSL and U-Verse customers do you think are out there that got hit? Hint: all of them...

That said, you are possibly the perfect guy to research something that might help us out. There are several private email service providers out there that claim they offer exceptional security and privacy. They usually charge a fee of $50 to $100 a year which could be well worth it if they aren't just blowing smoke with their claims. Would you consider looking into this and let us know who is the best of the best?

Obviously, using WEB Mail is a serious mistake for many reasons. I believe it is all you can get with a 'free' Yahoo account. AT&T Yahoo accounts allow you to 'POP' to a mail client such as Outlook or Thunderbird where you can at least manually filter without ever touching or downloading mail. You do this from your client by selecting 'Download Headers', then hit delete on the ones you don't want and mark the keepers using 'Mark to Download'; when done, run 'Process Marked Headers' to bring down only the ones you wanted to your client. What a pain, but it is much safer. It's like handling email with rubber gloves.

I'm not sure why but I always feel like I'm being preyed upon by someone when I'm using email. This is just not right.

One other thing I feel the industry should adopt is one's ability to select a permanent email address that can move with you from one provider to another. That will help develop a climate of competition among the various providers. Yea, I know, it's the domain name thing and various DNS issues, but the telephone industry decoupled area codes and exchanges a while back, which, in effect, now allows a cell phone or ooma user residing in Utah to have a Florida area code and exchange. This could get done and it would help....

So, who really owns my email addresses anyway? Can't make much of a legal case about any kind of wrongdoings if it doesn't belong to me in the first place.

Email users need a voice, so keep up your good work reporting on these important topics. My bet is that email will be with us for at least another 10 years or so.

matt_2058:

I don't like using Yahoo, but it's not because of security. I just don't like the bombardment I get. To help prevent attacks, the prize must not be so appealing. Maybe if businesses stopped trading personal data and did something to isolate the data from the user except when in use. Maybe they do that already.

JimBo is right about AT&T email accounts. I've had one for 6 years now because it was required to get my internet. Nothing goes there, not even statements. It's on my list of semi-annual tasks..."log into the ATT.net acct".

I keep one email account for things that have personal info or business-like stuff: utilities, internet, CCs, etc. Another for things that have limited personal info, like stores I order from online, organization memberships, etc....basically real name and address, but not b-day, SSN, etc. And a 3rd email account for stuff that does not need "real" information, like newsletters, free stuff, etc. I rarely use real info to register for the email account. The initials may be right, but that's about it. I usually use a different zip, too. Pandora gives me mostly Manhattan ads even though I am on the Gulf Coast.

guitardogg:

Okay, these breaches happened 2 and 3 years ago. I would expect that I would have been affected by this by now if I was going to be. I have changed passwords a few times since then as well. Here's the problem: I got my email address MANY years ago through my AT&T account (my address is not @yahoo.com, but it's still Yahoo mail). The hassle involved in changing is huge! The question is, how effectively have they "plugged the leaks"? I also hope whoever buys them out will let me keep my address.