Yahoo Mail Breach

 

Does anyone use Yahoo mail? Did you receive Yahoo security notification? Yahoo mail security breach was all over the news yesterday. I just changed my password for the 2nd time this year.

NO this is NOT a phishing mail. I'm an IT person responsible for installing/configuring/maintaining mail servers so I know very well the difference between real or fake mail.

Here's the (partial) email I got:

NOTICE OF DATA BREACH

Dear [deleted],

We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.
...

more at these links:

Yahoo Security Notice (December 14, 2016)
https://help.yahoo.com/kb/account/SLN27927.html?impressions=...

Yahoo Security Notice December 14, 2016
https://help.yahoo.com/kb/account/SLN27925.html?impressions=...

I Received The Same Message

I believe it's authentic since, after signing into my account info page, I see it appears I changed my password 4 times.

Recent account access changes

Password changed

on your account info page

Thu, Oct 6, 2016 12:49 PM EDT

Password changed

on your account info page

Mon, Nov 25, 2013 1:17 PM EST

Password changed

on your account info page

Sat, Jul 27, 2013 7:32 AM EDT

Password changed

on your account info page

Sun, Sep 9, 2012 10:10 AM EDT

However, it used to indicate my security questions is no longer available. On researching, I found security questions are no longer available on my security page.

"Re: Security question change
Yahoo no longer uses security questions and answers as part of the account recovery process."

I wonder if Fios will cancel their interest in buying Yahoo.

Read About It Here:
http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html...

--
Nuvi 2460LMT 2 Units

would not advise additional reaction

As the breach in question is reported as being longer in the past than the previously reported breach, for users who already changed passwords and such in response to the previously disclosed incident, I don't see the merit of doing it again.

But if someone has not yet taken measures, that would certainly be indicated.

A good general rule is never EVER, EVER click a link in a security breach warning e-mail. Instead go to the real website and interact in your customary way.

Fake warning e-mails with bogus links have become a favored form of spear-phishing to capture the credentials of credulous users. That was a prime method used in gaining access to Democratic National Committee individual e-mail accounts by persons unknown.

Even though this breach was real, I predict that some fake warning emails will be generated to take advantage of the credibility provided by the legitimate news stories.

--
personal GPS user since 1992

.

muell9k wrote:

I believe it's authentic since, after signing into my account info page, I see it appears I changed my password 4 times.

The post isn't a question whether it is legitimate or fake mail. It's real without a doubt. Yahoo is notifying perhaps all of their mail users.

archae86 wrote:

As the breach in question is reported as being longer in the past than the previously reported breach, for users who already changed passwords and such in response to the previously disclosed incident, I don't see the merit of doing it again.

I agree but it doesn't hurt to change our password again. The security breach (announced earlier this year) happened in 2014. This new one happened in 2013. It is older. I figure if nothing bad happens to me in 2-3 years, why worry about it now? However, I changed it regardless. Better be safe than sorry.

archae86 wrote:

A good general rule is never EVER, EVER click a link in a security breach warning e-mail. Instead go to the real website and interact in your customary way.

FYI there is no link in the email. Some phishing email does not provide links. It shows you a login prompt instead. Some inexperienced users can't tell the difference. They sign in on phisher's login form which of course sends the info to them.

archae86 wrote:

Even though this breach was real, I predict that some fake warning emails will be generated to take advantage of the credibility provided by the legitimate news stories.

No questions about that. I would expect to see those phish email in my mailbox too.

Use Yahoo, Did Not Get Email

However, I did read the news and changed my password.

--
Shooter N32 39 W97 25 VIA 1535TM, Lexus built-in, TomTom Go

it looks like they can hack anything

Time after time, the hackers have shown they can hack anything. Storing data on the cloud looks less and less viable. It could mean the end of the cloud as a business model. Changing passwords must be done, but it could be futile.

dobs108 smile

be careful

I got a warning that my bank account was breached. The only problem was I don't have an account with that bank, so guys, think about it before you go clicking. They are trying to get you to reply by scaring you; once you reply they can hijack your home page, and when you click on it again to get out you get nailed by malware. So look at it hard before you click on anything!

It was on the news

This was all over the news tonight. I only use web mail and there was an email from yahoo, but it did not force me to change my password. They don't have any sensitive info anyway, like real name or credit card numbers.

yet

dobs108 wrote:

Time after time, the hackers have shown they can hack anything. Storing data on the cloud looks less and less viable. It could mean the end of the cloud as a business model. Changing passwords must be done, but it could be futile.

dobs108 smile

Yet more and more businesses/utilities are pushing toward online everything, like bill paying to "save paper" and postage costs.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

.

Shooter wrote:

However, I did read the news and changed my password.

Wifey uses yahoo mail and didn't get a notice either. From what I read this most current "news" is from a 2013 hacking, there was another more recent hack (within the past 6 months?) that she did get a notice about and did all the changes needed. My guess is that folks who changed stuff recently wouldn't need to for the one in the news now, other than for peace of mind.

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

.

nrbovee wrote:

I only use web mail and there was an email from yahoo, but it did not force me to change my password. They don't have any sensitive info anyway, like real name or credit card numbers.

You don't see it the way I do. I use fake info on my Yahoo profile, fake date of birth, no address, nothing valuable in Yahoo profile.

However, here's how things can go from bad to worse. Technically, hackers can scour my mailbox and find that I got some email from banks, credit card institutions, online vendors etc. They go to the website and use the same password as my Yahoo password to sign in. Can't sign in? No problem, they'll click "Forgot password" link and an email to reset my bank account password is sent to my Yahoo. Voila, my bank account is theirs.

Do you still think there's no sensitive info?

Still In Danger

nrbovee wrote:

This was all over the news tonight. I only use web mail and there was an email from yahoo, but it did not force me to change my password. They don't have any sensitive info anyway, like real name or credit card numbers.

Are you absolutely sure that you do not use that password on any other account? That is the danger.

--
Frank Nuvi 3597LMT 37.322760, -79.511267

I cannot believe that

I cannot believe that security is not the top priority for any company with connectivity to private information. I find that the lack of tangible stimulation to quarterly earnings by increasing security drives some of this.

Lost cause?

ceevee wrote:

I cannot believe that security is not the top priority for any company with connectivity to private information. I find that the lack of tangible stimulation to quarterly earnings by increasing security drives some of this.

And this is not just with Yahoo. Many big companies have had this happen to them. (Or I should say, us.)
I just wish that I could get back my bookmarks on the Yahoo tool bar. Anyone have any help with that?

--
nuvi 1390 LT, nuvi 1450 LMT, Vista, Win 10

.

jbees60 wrote:

~snip~

I just wish that I could get back my bookmarks on the Yahoo tool bar. Anyone have any help with that?

Not a yahoo user but maybe this will help?

https://help.yahoo.com/kb/toolbar

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

Should be additional security measures in place

chewbacca wrote:
nrbovee wrote:

I only use web mail and there was an email from yahoo, but it did not force me to change my password. They don't have any sensitive info anyway, like real name or credit card numbers.

You don't see it the way I do. I use fake info on my Yahoo profile, fake date of birth, no address, nothing valuable in Yahoo profile.

However, here's how things can go from bad to worse. Technically, hackers can scour my mailbox and find that I got some email from banks, credit card institutions, online vendors etc. They go to the website and use the same password as my Yahoo password to sign in. Can't sign in? No problem, they'll click "Forgot password" link and an email to reset my bank account password is sent to my Yahoo. Voila, my bank account is theirs.

Do you still think there's no sensitive info?

I agree that access to one's email could give someone clues that might lead to a more serious hack. However, in the situation you described above, at least my bank and other financial institutions have additional security questions needed to change a password. I understand that if you gather enough information about an individual through email and social media, a sophisticated hacker might be able to correctly guess those answers, since many people chose simple questions/answers. All the more reason to use strong passwords and change them frequently.

--
Shooter N32 39 W97 25 VIA 1535TM, Lexus built-in, TomTom Go

Read to do this

chewbacca wrote:
nrbovee wrote:

I only use web mail and there was an email from yahoo, but it did not force me to change my password. They don't have any sensitive info anyway, like real name or credit card numbers.

You don't see it the way I do. I use fake info on my Yahoo profile, fake date of birth, no address, nothing valuable in Yahoo profile.

However, here's how things can go from bad to worse. Technically, hackers can scour my mailbox and find that I got some email from banks, credit card institutions, online vendors etc. They go to the website and use the same password as my Yahoo password to sign in. Can't sign in? No problem, they'll click "Forgot password" link and an email to reset my bank account password is sent to my Yahoo. Voila, my bank account is theirs.

Do you still think there's no sensitive info?

Not sure where I read this but you should have a separate email account for important things.

I have a regular email for just stuff.
I have a different email for banking and only use it for banking.
I have a different email for credit cards and only use it for credit card companies.
I have a different email for my mother's business I take care of.

I need to do another regular email for shopping but use my just stuff regular email. May add one more email address.

It may have been Norton that said to do this but can't remember.

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Thanks

soberbyker wrote:
jbees60 wrote:

~snip~

I just wish that I could get back my bookmarks on the Yahoo tool bar. Anyone have any help with that?

Not a yahoo user but maybe this will help?

https://help.yahoo.com/kb/toolbar

Not sure when the help list was produced but my Yahoo toolbar does not have any of the items listed. No + sign, no cog wheel. Thanks for trying.
This has been this way for a long time. Something to do with their being hacked no doubt.

--
nuvi 1390 LT, nuvi 1450 LMT, Vista, Win 10

.

Shooter wrote:

I agree that access to one's email could give someone clues that might lead to a more serious hack. However, in the situation you described above, at least my bank and other financial institutions have additional security questions needed to change a password. I understand that if you gather enough information about an individual through email and social media, a sophisticated hacker might be able to correctly guess those answers, since many people chose simple questions/answers. All the more reason to use strong passwords and change them frequently.

I think password recovery security questions weaken the security itself especially if you're a well known person. If I remember correctly, some hacker broke into a celebrity online account by correctly answering "what's my dog's name?" Doh! The whole world probably knows her dog's name.

I deliberately give random answers to security questions. For example: what high school did you go to? Answer: dcy cjnmu nkehc. No one including myself will be able to guess that. I keep a record of all the Qs and As. Can't remember them if I don't save them somewhere.

If this doesn't get you to get rid of yahoo mail, what will?

Yahoo

Not just Yahoo ...

Frside007 wrote:

Yahoo

... but anything connected to the internet. Not much you can do about it other than limit the online information and use strong passwords. I use a password protected password vault that keeps its encrypted data file on my main computer to generate strong passwords, remember them and cough them up when needed. At least I just have to remember one password. Even that represents some risk ...

--
Nuvi 2460

No surprise here..

This company's been on the down for several years now.

.

Frside007 wrote:

If this doesn't get you to get rid of yahoo mail, what will?
Yahoo

Why stop there? Stop using computers, tablets and smartphones. Close your bank accounts. Keep the money at home. It's not safe. Banks can get hacked too.

New news of old news

Unfortunately, the recent news is for Yahoo breaches from years ago.

nope

old email service which must now be obsolete...don't know anyone who still uses it...

--
Bobby....Garmin 2450LM

Obsolete? No.

Their service is not obsolete, but Yahoo themselves failed to innovate when they had the opportunity, which leads to the current state of affairs. I still use Yahoo, and have never had a problem with their service in the 20+ years I've used them. These days however, I have my Yahoo and GMail accounts linked, simply so I can access all my email from GMail and/or my smartphone.

--
"Anyone who is capable of getting themselves made President should on no account be allowed to do the job." --Douglas Adams

Yahoo seems to be far behind-the-times in so many ways.

Yahoo seems to be far behind-the-times in so many ways.

I think the Yahoo CEO, Marissa Mayer, is just wanting the Verizon deal to close so she can make $57 million if Verizon decides not to keep her on. Verizon doesn't want her! Why should they? Everything she has touched at Yahoo has been a failure. But, Mayer will take home $219 million for her four years of doing practically nothing at the helm. If the Yahoo-Verizon deal goes through the Yahoo Board can thank Goldman Sachs, JPMorgan and PJT Partners, because she did nothing to make it happen.

--
Politicians and Diapers must be changed often for the exact same reason...

Yeah, time to totally

Yeah, time to totally abandon my account. I never used it for much of anything. Yahoo always had issues with leaking contacts. Every time I received a phishing email it was from someone I knew with a yahoo acct. I never had any contacts on yahoo, good thing.

WOW!!

WOW!!

I like Yahoo mail.

I like Yahoo mail. It’s simple, efficient, and works consistently. I hate the way gmail links multiple emails into threads. Once the thread gets interesting and bifurcated it gets painful to find what is new. I do not find all those fancy improvements to actually be an improvement.

Keep in mind ...

zeaflal wrote:

I like Yahoo mail. It’s simple, efficient, and works consistently. I hate the way gmail links multiple emails into threads. Once the thread gets interesting and bifurcated it gets painful to find what is new. I do not find all those fancy improvements to actually be an improvement.

Yahoo has too much junk mail ... I like Hotmail much more easy to use than both Gmail and yahoo.

But all of the online Emails have their good points and bad for each type of user or usage for the email.

We need Gmail for all the Android phones/tablets and we need Me.com/Icloud.com for all the IPhone/Tablets/Music.

So most people will have more than one account and most likely be on different email platforms too...

--
Bobkz - Garmin Nuvi 3597LMTHD/2455LMT/C530/C580- "Pain Is Fear Leaving The Body - Semper Fidelis"

.

bobkz wrote:

Yahoo has too much junk mail ... I like Hotmail much more easy to use than both Gmail and yahoo.

But all of the online Emails have their good points and bad for each type of user or usage for the email.

FYI - junk mail depends on the user's habit. If you post your email address carelessly, you deserve to get a ton of junk email.

At the moment I have 2 junk email in my Yahoo spam folder. My Yahoo account has been active since late 90s. I have more junk email in hotmail but 100% go to spam folder unless I whitelist them. My hotmail setting is set to accept only those in my contact list. The rest goes to spam folder. I have no junk email in GMail (this mail account is about 3 years old).

You are correct

Chewbacca wrote:

FYI - junk mail depends on the user's habit. If you post your email address carelessly, you deserve to get a ton of junk email.

I agree with that statement!

However, there are exceptions to that rule, one of them being that I have a Verizon email account which I never used once and that gets 30 - 40 junk emails a day. Worse part is that Verizon email doesn't have a good way to filter out all the junk mail properly.

--
Bobkz - Garmin Nuvi 3597LMTHD/2455LMT/C530/C580- "Pain Is Fear Leaving The Body - Semper Fidelis"

thanks

thanks

Finally

Just got my email from Yahoo informing me of this problem. Not sure why it took so long.

--
Shooter N32 39 W97 25 VIA 1535TM, Lexus built-in, TomTom Go

It Can Get Worse

AT&T subsidiaries outsourced their email handling to Yahoo years ago. My sources indicated Yahoo is only notifying accounts they have determined were actually impacted by that 2013 breach, which would explain why I've only received 1 notification out of 3 possible targets.

Because the email addresses remained unchanged (keeping the original @subsidiary.xxx) and AT&T handles front-end authentication to access the Yahoo-hosted email, the non-linked URL in the notice sends users like me to AT&T's web site via a page that redirects to a blank page (as of 24 hours ago when I last checked, via multiple browsers, using all the customary "extra measures" to ensure anything there would be revealed).

After all that, I decided to take the old fashioned approach by searching through their nightmare of support and login combinations until locating a working page to reset the password for that account. On the same page as the password reset AT&T included the option to reset a pair of security questions, indicating it could also wait until later. Not wishing to re-navigate back later, I picked some Qs & As and submitted the set of changes.

A short time later, confirmation email arrived to let me know about the changes made, except no mention of any change of password. Since I run an email client locally and it hasn't yet complained of any password mismatch, I presume I'll be going back for more pain navigating AT&T's web of incompetence through over-complexity.