Are you taking appropriate on-line precautions? 500 million Yahoo account access details confirmed stolen

Are you taking appropriate on-line precautions?  500 million Yahoo account access details confirmed stolen

'Yahoo “has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” the company posted on its investor relations page.

The stolen data include names, email addresses, telephone numbers, birthdays, hashed passwords, and some “encrypted or unencrypted security questions and answers.” Yahoo says it believes no payment card or bank information was stolen.

Yahoo believes that “at least” 500 million user account credentials were stolen, which would make it the biggest breach of all time, bigger than the MySpace breach of 427 million user accounts.'

businessinsider.com.au/yaho...

This is just one of many massive on-line account detail thefts of late, with MySpace, eBay, Target, LinkedIn, Sony, Tumblr and Dropbox and many more having huge account login data losses. This site provides a regularly updated infogram of data breaches: informationisbeautiful.net/...

Read this pinned post: healthunlocked.com/cllsuppo... for security tips to minimise any inconvenience to you from having your on-line access details stolen. Feedback on this post is welcome.

If you use Yahoo or any of the above mentioned websites, you have changed your password lately haven't you?

On a related matter, Google is at least being transparent about the data it collects on your on-line activities and allows you to examine and delete it if you wish. Just log in with your Google account here:

accounts.google.com/Login?c...

Neil

Last edited by

7 Replies

oldestnewest
  • Nothing like prompt disclosure... 🙄

  • Ugh. I don't even know where to start.

    Thanks for sharing this Neil.

  • State sponsored actor - according to the news is a foreign site? I'm not much into computers - I need a neighbor like Chris or Neil - and had no idea what that meant.

  • It can be any government. 'State affiliated or sponsored actors often have particular objectives aligned with either the political, commercial or military interests of their country of origin.' and it's a growing problem: mwrinfosecurity.com/our-thi...

    This is a good overview of what was discovered by the major internet firms a few years ago: wired.com/2014/01/how-the-u...

    As you can read, there were two main ways data from these firms was captured by one state sponsored actor. One way is now gradually being closed off by the Internet companies changing to encrypted connections to their websites and between company servers. (In plain English, it used to be possible to read any communication, including emails being sent between countries, simply by monitoring the servers at one end of the connection. *Websites without a https:// suffix don't have encrypted communications). HealthUnlocked is the only web based CLL Forum that uses encrypted connections - it was designed this way from the start to protect sensitive member information.

    Prior to the disclosure discussed in the Wired article, emails were often sent between email provider servers using what's termed 'clear text' or 'plain text'; i.e. text that has not been encrypted and thus can be read by anyone able to monitor the traffic, simply by reading it as it flows through Internet servers which direct the email along its way.

    Neil

    * http is the abbreviation for Hyper Text Transfer Protocol

    https is the abbreviation for Hyper Text Transfer Protocol Secure. It was initially mainly used for sending credit card information and connections to financial institutions, but now is increasingly used to keep traffic secure from other than the intended recipients. https://healthunlocked.com tells you that whatever you read and write to HealthUnlocked is secured by encryption.

  • Email is starting to be encrypted now through services like Protonmail in Switzerland and others... These use open source code to encrypt like OpenPGP... Pretty Good Privacy.

    protonmail.com

    en.m.wikipedia.org/wiki/Pre...

    These cyphers algorithms have been around for years, but for obvious state security reasons governments haven't been very keen on their implementation...

    I think in the next few generations of mobile devices, all communications will be encrypted, but there are still struggles ahead with regulators, who want a 'back door' to access all encrypted data.

    Raises lots ot ethical, moral and security issues... individual rights verses the rights of a society...

    web.cs.ucdavis.edu/~rogaway...

    ~chris

  • Sadly, it seems we'd be foolish to expect businesses to invest in better security to prevent these breaches. From an article in The Register: 'Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.

    As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

    He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.'

    theregister.co.uk/2016/09/2...

    Which puts the onus for security back on us...

  • Will the hack of 500 million Yahoo accounts get everyone to protect their passwords? David Glance, Director of UWA Centre for Software Practice, University of Western Australia looks at how Yahoo has learnt from this hack and last year (2015) introduced a new service to improve security called 'Account Key' which requires someone to have your mobile phone to gain access to your account. He also explains how two factor authentication, which works on the principle of using “something you know”, i.e. your password, and “something you own”, i.e. your phone, is available on Apple iCloud, Google, Facebook, Yahoo and other accounts: theconversation.com/will-th...