Yahoo email account hack

Post by Suff » 23 Sep 2016, 10:45

For those who are listening to this or reading about it, you can find the details of the hack here.

I've read the Independent "advice" on how to deal with this and they're a bunch of numpties. There are some critical pieces of knowledge in here and it's useful to know them.

When.

This is the most vital and critical piece of information and virtually nobody is talking about it. The breach was late 2014.

Passwords.

All the passwords, known to have been compromised, were encrypted and done so with a mechanism known as bcrypt. It's an incredibly good encryption mechanism which even blocks brute force attacks by slowing down the attack. So even if we took the whole computing power of the internet to work on it, it would still take a long time. There is a way but only Governments have the resources to apply it as it would require millions of machines, not millions of processors in one machine, to break the password.

500 million passwords were stolen. At the current level of technology, even with a simple password algorithm, it would take the next few thousand years to crack them all. With bcrypt it would take the next billion years or so and we're likely to have quantum computing before we could crack even 10% of them.

In short, the chances of your password having been hacked? Minimal.

Other data.

The most vital part of this whole communication is that your security questions may have been breached unencrypted. That means if you use those security questions elsewhere you need to change them. This is another point that nobody is talking about but is important to know.

Other issues.

BT also used Yahoo accounts and if you had a BT Yahoo account in 2014 your details are likely to have been compromised. So change your security questions on other sites if you have used them again. Yahoo have already invalidated all security questions that were compromised, encrypted or not.

On the + side no payment/card/bank data was taken because it was not in the system that was compromised. Which also means the government agency knew exactly what to attack and the easiest way to do that is to get someone working there who can report back the setup...

Anyway, it's doing the rounds but reality is that Yahoo had taken very reasonable precautions and the impact is very low.

I did the research because I have a yahoo mail account and I have a Yahoo small business account for the family mail (now Abaco).

There are 10 types of people in the world:
Those who understand Binary and those who do not.
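
Added example, not part of either post: the "slowing down" property of bcrypt mentioned above comes from a cost number written into every stored bcrypt string, and each step up in that number doubles the work per guess. The sketch below reads that number and flags entries below a policy minimum; `MIN_COST`, the function names and the sample records are assumptions made up for illustration.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

MIN_COST = 12  # assumed site policy, not a figure from the post


def bcrypt_cost(stored):
    """Return the cost parameter of a stored bcrypt string, or None if malformed."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group(1))
    return cost if 4 <= cost <= 31 else None  # bcrypt only accepts costs 4..31


def relative_work(cost, baseline=MIN_COST):
    """Per-guess work relative to the baseline; bcrypt runs 2**cost key-setup rounds."""
    return 2.0 ** (cost - baseline)


def audit(records, min_cost=MIN_COST):
    """Sort (user, stored) records into ok / rehash-at-next-login / not-bcrypt."""
    report = {"ok": [], "rehash": [], "invalid": []}
    for user, stored in records:
        cost = bcrypt_cost(stored)
        if cost is None:
            report["invalid"].append(user)
        elif cost < min_cost:
            report["rehash"].append(user)
        else:
            report["ok"].append(user)
    return report


# Constructed sample records: the tails are filler characters, not real hashes.
FILLER = "A" * 53
SAMPLE = [
    ("alice", "$2b$12$" + FILLER),
    ("bob", "$2a$08$" + FILLER),
    ("carol", "0" * 32),  # bare 32-hex-digit value, not a bcrypt string
    ("dave", "$2y$14$" + FILLER),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(relative_work(8), relative_work(14))
```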

Re: Yahoo email account hack

Post by Workingman » 23 Sep 2016, 11:07

This news was breaking late yesterday and this morning I have been reading a few articles on it.

It is so damned annoying that most of the concentration is on the company, the when, and the numbers involved. Yes it's Yahoo, and yes 500 million is a lot of accounts and yes as it happened in 2014 the news should have been out some time ago.

What is largely missing is the sort of advice given here by Suff on how customers should proceed. It is all bog standard for those of us who are, or were, in the Intersphere and ever so simple to do. I am not with Yahoo! so am not particularly bothered, but as a general rule I am very wary of the information I put into emails and I never, ever, click links to do any business. I do not mind going to a registered website or using a listed phone number (landline) but knowing how easy it is to create pixel perfect company letters with spoof links I will not touch emails with a bargepole.