Replies are closed for this discussion.
Many years ago, I tried to get a Yahoo account, but they never responded. Shortly after, I started hearing bad things about them so I never tried again. Sounds like I lucked-out.
On my new computer, I put them as one of my search engines, but after I read your post, I deleted them, just in case.
I have a Yahoo account and have had it for years. Just yesterday I got notice of all this from them and they caution about it in certain ways. I deleted the notice and will keep the account. Mostly this is because I don't trust any of them (even Google) and I have as little info on the sites as possible. Just enough info to operate is all I have. The most that will happen is:
1. Someone else turns up pretending to be me.
2. Same as the above but I'm suddenly locked out of my Yahoo site completely.
Since things like that happen daily all over the world I do have one big bit of advice for everyone. DO NOT store any online banking information on sites or even on your computer. Store it in your head or write it on a piece of paper and hide it in a drawer.
Whomever hacked Yahoo might end up with as much info on us as they could get otherwise from almost any information out there. If you do not fully trust sites as I suggest, here's a mock situation in e-mail you might receive if you are hacked:
"Grandpa, this is Tommy and I'm stuck in Canada and the police have arrested me too. I need $1000 as soon as possible so send it to this address."
"Tommy, what are you doing in Canada? How did this happen? Just yesterday I saw you at your mother's but I will get the $1000 to you as soon as I can."
The call I got was "This is your grandson. I'm in jail in the Bahamas and you need to send me $1000 to get me out." I asked "Okay, grandson. By the way -- what's your name?" click.
Why are we only learning about this now? Whatever damage the hackers would do with the information has been done.
I think your first idea was correct, Daniel. They wanted the sale.
Yahoo doesn't even ask that you change your password. I went to my account and all it suggested was deleteing yourr security questions. They don't even want them replaced.
The best protection you can have against hackers as an individual is learning how to defend against social engineering. You are far easier to hack than your phone, and you are more likely to be targeted directly in any attack. Why would I hack your phone when I can get you to give me your password without you ever even knowing, or getting you to install a malware that gives me access to your devices
(viruses/malware ect doesn't get on your machine unless you put it there, I know its not your fault you never know when its happening but that is the reality. even most pro's like me struggle to identify their personal vulnerabilities and end up getting hacked, its unreasonable to expect you to be equipped to defend yourself, still there's no other option we must rely on you not to let the hackers in, and we know you will often fail to do so. Which is why up to 90% of my customers call me because they got infected with a virus. They usually asked how the virus got in, unfortunately I often can't answer this cause I don't want them to get offended by the answer. If I told them "you kinda let it in" they'll think I'm blaming them and get pissed at me, that is not productive for anyone)
Just so you know, I've been hacked by co workers before. They can't help it its a compulsion. They also did nothing malicious and given our mutual understanding of our field were rather open and candid about the hacks. I valued the feedback from this activity as it helps me to improve my defenses.
In the infosec world there's a saying. "There's two kinds of companies in the world. Those who know they've been hacked, and those who don't know they've been hacked." Yahoo knew they were hacked. Unless things have changed drastically in recent years since I studied this in college, they are not legally required to report the hack in many/most situations. Reporting hacks is a tightrope walk between maintaining customer confidence and trust (which means maintaining revenue), OR announcing the hack and giving customers tools to help protect themselves in the aftermath of the attack.
That said there are a number of realities few people ever hear, most infosec professionals won't talk about this outside the industry, and even if they did few people would listen, and even if they listened it really wouldn't matter in the greater scheme of things.
One reality is there is no such thing as a system that can not be hacked. By design it is impossible to make a system that can't be hacked. The principles behind why vulnerabilities exist show that all systems can be compromised and that will likely never change. This is something hackers know well
(and the people who protect the systems are also hackers they use the same tools and methods as malicious hackers except they protect systems. They are usually referred to as "Ethical" hackers, or White hat hackers, there are also grey hat hackers and black hat hackers, I'm pretty sure anyone here can figure out the differences here).
I don't say these things to scare anyone, but Yahoo isn't evil or pathetic because they got hacked. I don't like that they didn't say anything about it, but odds are they broke no laws in keeping it quiet.
All companies get hacked, all governments get hacked, all people get hacked, most of the time they never even know about it. Wanna know how to secretly watch someone's webcam? its not hard to do, even if your not technical at all you can figure it out pretty easy if you really wanted to try it. Just to put it in perspective its most likely everyone reading this has been hacked and has had nothing bad happen to them as a result of MOST of that activity. However, there is that occasion something truly malicious does happen as a result (like loosing money), As with most things I don't pretend to have the answers, I fight for the right to strong encryption and fight to ban the governments attempts to undermine this protection because I care about all of you, all of US. These stories are 90% sensationalism, no one even know's what the hackers were after and motivation is a HUGE factor in this, It was possibly anon digging up dirt on yahoo or specific individuals (they are vigilante hacktivists), or it was hackers trying to get financial data. Even if they hacked financial data, that information is worth more when treated as a commodity therefor when it gets stolen its rarely used. It CAN be used and it does happen destroying peoples lives, but far more is stolen than is ever used. I can't condone the hacking, but I also can't deny the reality that nothing can completely stop it.
Got a RFI chip in your wallet? I can walk by and steal your credit card information without your wallet ever leaving your pocket, using only a cell phone. Many of the vulnerabilities in the "chip" cards are still there, never have been fixed though they've been known since before 2012. There are devices that can connect to your wifi from a mile away (even though you can't connect 100ft away lol) and your wifi can be connected to even if you hide your broadcast. It takes about 2 min and a cheep laptop to hack a wifi regardless of how strong you try to protect it, There are ways of protecting yourself, but most people won't pay for someone like me to set up their network as secure as it can be.
The general goal in infosec is to avoid being "the lowest hanging fruit" or to put it another way, they take a castle and mote approach in order to be less desirable targets compared to other targets, the more you have worth protecting the more you need to invest in that protection, mostly people are safe because they have little if anything of real value to hackers (many/most hackers have little interest in money, and those that do usually prefer big targets not little ones)
The reality is there's a lot of scary stuff in the world, but also how many of you have been directly impacted by this? how often has this ever impacted your life? My guess is not many and not often. When it does happen its devastating and anyone who's had identity theft can attest to that, but its not the norm because people like me understand these systems and fight to protect you.
The last reality is the government hacks you more than just about anyone else, and I'm for more concerned about them than I am any other hacker out there. So when I say you need to fight the government giving itself the right to break the law to hack an Iphone you should take me seriously, this not only hurts you in the obvious way, the government also can't keep a secret, anything they can do any hacker can do (in fact in the hacked iphone example the government found an outside hacker to do their dirty work for them, just to give you an example of how messed up all of this is). We need as much protection and privacy as we can get, every time we loosen our armor to "help" the government we're helping hackers AND the government spy and hack everyone else, this does not make anyone safer.
The internet has been tried more than once, this big version we know today is like our 3rd or 4th attempt, every previous time failed because the government got involved. Remember that. We won't last long as a species without the internet, its too late to go back now. Just like the reality of disease means we can't go back to living as we did in the 16th century. Our options are move forward or go extinct. Lets try to keep some perspective here and work on real fixes to real problems and not make emotion driven decisions from every overly sensationalized news story that comes out please.