New Filing Confirms Yahoo Was Aware of Large-Scale Email Hack in 2014

[MacRumors]

In September, Yahoo confirmed that at least 500 million of its users' accounts had been compromised during an attack in late 2014. Now, in a recent filing with the Securities and Exchange Commission, it was revealed that the company knew about the hack when it originally happened in 2014, but waited two years to divulge it to the public (via TechCrunch)

Describing the investigation, the new SEC filing notes a "state-sponsored actor" who gained access to the company's network in late 2014, along with Yahoo's awareness and identification of the individual in question during the same time period. Information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker's claim. Following this investigation, the Company intensified an ongoing broader review of the Company's network and data security, including a review of prior access to the Company's network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.

Now a board made up of independent counsel and a forensic expert is said to be investigating "the scope of knowledge within the company in 2014," as well as Yahoo's basic security measures and related incidents. The filing describes $1 million in losses for Yahoo relating to the security breach so far.

Additionally, Yahoo said that 23 class action lawsuits have been filed against the company by consumers targeted by the security breach in 2014, in both federal and state courts, as well as foreign courts. Plaintiffs in the cases claim to have been "harmed by the company's alleged actions and/or omissions" relating to the hack. The scope and monetary damages sought by each consumer was not divulged.

In attempts to move past the incident, Yahoo is cooperating with federal, state, and foreign governments and agencies who are investigating the hack. The biggest blowback for Yahoo might still be in its planned sale to Verizon, the latter company now asking for a $1 billion discount due to Yahoo's current turbulent drama with the news of the 2014 hack.

Article Link: New Filing Confirms Yahoo Was Aware of Large-Scale Email Hack in 2014

 

[5105973]

My father was definitely affected. Yahoo has been vile. I hope they get what is coming to them.

 

[2457282]

I thought there was a law that stated that a company must go public within 90 days if more than 500 people were affected. If that is true and Yahoo waited 2 years to go public, then I see a huge class action lawsuit coming.

 

[A MacBook lover]

Marissa Mayer is a joke, how on earth is she still running yahoo?

 

[rizzo41999]

Mayer is a fraud.

 

[realeric]

As an user of yahoo email for 15 years, I'm closing the account now. Bye~

 

[justperry]

As an user of yahoo email for 15 years, I'm closing the account now. Bye~

Too late, the damage has already been done, I personally dumped Yahoo years ago since it was littering my
inbox with spam and Yahoo did little to nothing to get less spam, hell, I got more and more.

I have little to no spam nowadays, I also make aliases for companies I don't fully trust.
I had no spam at all over the few years I use others including Apple but there are also others out there, big ones like Google which I don't trust either.

 

[macduke]

I'd hope Yahoo gets into huge legal trouble for this, but all that does is hurt the lowly employees who lose their jobs as the company breaks apart. The executives that make these decisions never suffer any real-world consequences, and can bail out with their golden parachute as if nothing happened. We need to go after the executives and take the money out of their pockets. Once we strike fear into the heart of executives nation wide, then and only then will we have any real positive change for consumers. Executives who take clear, obviously negative actions that knowingly put their customers at risk should be held personally accountable—not the company itself. It should be a part of the assumed responsibility and risk you take in exchange for making millions of dollars per year.

 

[coolfactor]

Yahoo! had their day, but they let themselves get too messy and too complacent.
[doublepost=1478877614][/doublepost]Runbox has the majority of my email hosting these days, and they utilize Cloudmark spam filtering tech, which seems to be spot on.

 

[now i see it]

Actually, having (or keeping) a yahoo email account right now is a great idea.

They are under so much scrutiny right now and under the gun, nothing nefarious is going to happen.
Anyway, anyone sending sensitive information via email is a moron.

 

[iapplelove]

Way to be honest and transparent with your users Yahoo.

 

[nwcs]

Sorry Verizon, it couldn't happen to a better company There were reports that they knew and didn't reveal which is shameful. I lost all trust in Yahoo and deleted my flickr and yahoo accounts. Who knows how much of the spam I get now is directly due to this? Of course, as someone who is currently dealing with OWASP stuff, I can tell you that the security of the Internet of Things and security of many companies is sadly lacking. This will only get more common until there will be very little that stays private.

 

[CarlJ]

Information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

This is why not only do I have separate, long, random, passwords for every single site (thanks 1Password), but I also never answer "security questions" with legit answers. It's like they're saying, "please set up one secure password, plus three more that someone can find out by googling you". So my "security answers" are all completely nonsensical. By the way, my parents are Atilla the Hun and Joan of Arc, and I was born in 1752 in Mare Tranquillitatis on the moon.

 

[Oblivious.Robot]

I feel like a sucker for sticking with yahoo, as it was probably my first ever experience of the internet!
Ah the joy of a 10 year old me, clicking the yes I'm 18 and over box. lol

Anyway, does anyone know better and far more secure email account?
I don't even want to entirely depend of iCloud.

 

[C DM]

I feel like a sucker for sticking with yahoo, as it was probably my first ever experience of the internet!
Ah the joy of a 10 year old me, clicking the yes I'm 18 and over box. lol

Anyway, does anyone know better and far more secure email account?
I don't even want to entirely depend of iCloud.

Some alternatives discussed in threads like https://forums.macrumors.com/threads/gmail-alternatives.2012269/

 

[RichTeer]

Anyway, does anyone know better and far more secure email account?
I don't even want to entirely depend of iCloud.

I realize that this isn't an option for the vast majority of people here, but I've always ran my own private mail server, going back to the 1990s. Initially because I had no choice (that's how the ISP I was with at the time operated), but since 1999 it's been out of a desire to be in control of my own email. I trust no one more than myself with my email!

 

[wackymacky]

I realize that this isn't an option for the vast majority of people here, but I've always ran my own private mail server, going back to the 1990s. Initially because I had no choice (that's how the ISP I was with at the time operated), but since 1999 it's been out of a desire to be in control of my own email. I trust no one more than myself with my email!

Great if you're got the technical skills to do so, though I suspect most don't to set one up that proves very secure, and also off site from their main residence in case of theft/fire etc.

I agree if the sentiment. I do occasionally get worried about information sent back and forwarded by email.

My work email is maintained on a hardened system which is their problem to keep secure (and had a legal requirement to be well maintained), though I strongly resist using it my personal emails given an implicit understanding that they could be viewed and audited and hence have no expectation of privacy.

So I'm left using systems I have little faith in when I receive emails from lawyers/banks/friends/airlines etc.

 

[duervo]

Screw Yahoo! Mail. I setup my own personal email server. It has classified material in it, but I don't care.

 

[justperry]

This is why not only do I have separate, long, random, passwords for every single site (thanks 1Password), but I also never answer "security questions" with legit answers. It's like they're saying, "please set up one secure password, plus three more that someone can find out by googling you". So my "security answers" are all completely nonsensical. By the way, my parents are Atilla the Hun and Joan of Arc, and I was born in 1752 in Mare Tranquillitatis on the moon.

I mostly agree, you're doing a good job here, 1password seems to be a good App, but, to me Apple's Keychain Access is doing the job nicely too, no need for a separate "expensive" App. I understand though it's cross platform, KA is not).
I never understood those security questions, it's crap, and, if I am not wrong, even American banks use them.
Here, somewhere in Europe, I use a random reader for accessing my online bank account which is so much safer than using a Username/Password (accompanied by security questions).

 

[CarlJ]

I mostly agree, you're doing a good job here, 1password seems to be a good App, but, to me Apple's Keychain Access is doing the job nicely too, no need for a separate "expensive" App. I understand though it's cross platform, KA is not).

I love Keychain Access, and I keep a lot of "low value" passwords in it for easy autofill, but I use 1Password extensively for a few other reasons:

1. Apple doesn't have a Keychain Access app for iOS, so you can use it for autofill in Safari, but if I need the password that goes with a website in order to enter it into the website's corresponding iOS app, I'm out of luck - with 1Password, I can open the app to look up passwords, and copy/paste them into apps as needed.

2. The cross-platform aspect doesn't do much for me, as I don't do Windows or Android, but cross-browser on the Mac is quite helpful - I usually use Safari, but having full access to website passwords from inside Chrome is helpful on the occasions when I use it.

3. I keep a lot of other bits of information encrypted in 1Password (account numbers and such), and it's nice to be able to access those as easily from my phone, wherever I may be, as on the desktop. Keychain Access can store "Secure Notes", but it isn't as convenient, and isn't accessible from iOS.

4. The password generator in 1Password has knobs to play with, unlike Safari Autofill's password suggestions - the passwords Apple suggests are good, but if I want, say, 50 characters completely random upper/lowercase with a specific mix of digits and punctuation, in order to secure the nuclear launch codes, 1Password will help me with that, providing, say, "snBirpBY}CofFsxwf]n%=twk?&oHnpmwJZ2v2wc]+879%hbK(s" (and I can keep clicking for new ones until one amuses me), while Safari will just say, "here's your suggested password: blurf-smop-faddle".

 

[pat500000]

A new company, "Ya..who?"

 

[r03dz]

Outlook.

 

[tdiaz]

Marissa Mayer is a joke, how on earth is she still running yahoo?

You expect more from a bunch of Yahoos?

 

[JamesPDX]

Actually, having (or keeping) a yahoo email account right now is a great idea.

They are under so much scrutiny right now and under the gun, nothing nefarious is going to happen.

You're thinking of air disasters.
[doublepost=1478920445][/doublepost]

A new company, "Ya..who?"

Yeah, sue!
[doublepost=1478921205][/doublepost]

Great if you're got the technical skills to do so, though I suspect most don't to set one up that proves very secure, and also off site from their main residence in case of theft/fire etc.

I agree if the sentiment. I do occasionally get worried about information sent back and forwarded by email.

My work email is maintained on a hardened system which is their problem to keep secure (and had a legal requirement to be well maintained), though I strongly resist using it my personal emails given an implicit understanding that they could be viewed and audited and hence have no expectation of privacy.

So I'm left using systems I have little faith in when I receive emails from lawyers/banks/friends/airlines etc.

Word. Many of those companies using these so-called hardened systems will not even let their employees use Google Authenticator as an extra layer of security for email logins. That would be good IT security all around, right? But then, many of the same companies are using self-signed (fake) TLS certificates that look legit inside the company walls, but are actually SSL3/TLS1.0 which is a sloppy-diaper, broke-ass protocol. -And they're still using Java, Flash, and Silverlight. A "systems" manager (non-IT) once told me that Firefox was a virus. Yeah. It's like that.

 

[dekadent]

I love Keychain Access, and I keep a lot of "low value" passwords in it for easy autofill, but I use 1Password extensively for a few other reasons:

1. Apple doesn't have a Keychain Access app for iOS, so you can use it for autofill in Safari, but if I need the password that goes with a website in order to enter it into the website's corresponding iOS app, I'm out of luck - with 1Password, I can open the app to look up passwords, and copy/paste them into apps as needed.

You are not out of luck, KA works exactly as 1Password in this aspect. Settings -> Safari -> Passwords -> search for site -> long press on Password -> Copy -> Paste in app