Geekzone: technology news, blogs, forums


2862 posts

Uber Geek
+1 received by user: 307


Topic # 204242 23-Sep-2016 08:19

I've lost count...

http://fortune.com/2016/09/22/yahoo-hack/


Mad Scientist
19108 posts

Uber Geek
+1 received by user: 2484

Trusted
Lifetime subscriber

  Reply # 1639183 23-Sep-2016 08:43

When they hack something like this, how do they get the password? Is it viewed like a Word or Excel file or something?




Swype on iOS is detrimental to accurate typing. Apologies in advance.


13349 posts

Uber Geek
+1 received by user: 6277

Trusted
Subscriber

  Reply # 1639193 23-Sep-2016 09:12

It was 2014, so any damage would have already occurred, except for Yahoo!'s valuation, which will take a hit, especially in Verizon's eyes.




Mike
Retired IT Manager.
The views stated in my posts are my personal views and not that of any other organisation.

Mac user, Windows curser, Chrome OS desired.

The great divide is the lies from both sides.


3455 posts

Uber Geek
+1 received by user: 1918

Trusted
Lifetime subscriber

  Reply # 1639196 23-Sep-2016 09:16

joker97: When they hack something like this, how do they get the password? Is it viewed like a Word or Excel file or something?

At the server end they are stored in a database table, along with usernames, emails, other user details etc. Depending on how retarded the admins of the site are, they could be plain text (very very bad), hashed with outdated crypto (e.g. MD5/SHA1, bad but still all too common), or hashed with newer crypto (e.g. bcrypt).

Plain text passwords obviously need no further processing, hashed passwords need to be decrypted.

Some example hashes from the LinkedIn 2012 dump:

Information wants to be free. The Net interprets censorship as damage and routes around it.
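The post above lists the three storage options a site can have chosen (plain text, MD5/SHA1, bcrypt). As an added example that is not from the post or from any site discussed in this thread, this Python script contrasts the unsalted SHA-1 layout of the LinkedIn dump with a salted, iterated hash, using the standard library's PBKDF2 as a stand-in for bcrypt; the user accounts and passwords are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts for the demo, not data from any real dump.
# Two of the three users picked the same password, which is common in practice.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!", "carol": "correct horse"}


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the scheme behind the LinkedIn 2012 hashes quoted above.
    Fast and deterministic: every user with this password gets the same digest,
    so one guess against a leaked table is checked against all of them at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Salted, iterated hash (stdlib PBKDF2 standing in for bcrypt), stored as
    'pbkdf2_sha256$iterations$salt_hex$hash_hex'; a random salt is drawn if none given."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def shared_hash_groups(records: dict[str, str]) -> int:
    """Count stored values shared by more than one user. With unsalted hashes each
    such group falls to a single guess; with per-user salts the count stays 0."""
    counts: dict[str, int] = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    legacy = {user: legacy_sha1(pw) for user, pw in USERS.items()}
    modern = {user: pbkdf2_record(pw) for user, pw in USERS.items()}
    print("shared SHA-1 digests:", shared_hash_groups(legacy))   # 1 (alice and bob)
    print("shared PBKDF2 records:", shared_hash_groups(modern))  # 0
    print("alice logs in:", verify_pbkdf2("Summer2014!", modern["alice"]))  # True
```

The duplicate count is the point: a leaked table of unsalted digests can be grouped before any guessing starts, whereas each salted record has to be worked on separately, which is what the later post's crack rates for MD5 and SHA1 reflect.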


Mad Scientist
19108 posts

Uber Geek
+1 received by user: 2484

Trusted
Lifetime subscriber

  Reply # 1639199 23-Sep-2016 09:24

So no guarantees they can decode that hacked data then?




Swype on iOS is detrimental to accurate typing. Apologies in advance.


6434 posts

Uber Geek
+1 received by user: 1571


  Reply # 1639208 23-Sep-2016 09:38

joker97: When they hack something like this, how do they get the password? Is it viewed like a Word or Excel file or something?


They need to know Marissa Mayer's mother's maiden name and the road she was born on. Then they can access all of Yahoo!'s database.

BDFL - Memuneh
61508 posts

Uber Geek
+1 received by user: 12227

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1639211 23-Sep-2016 09:41

I have contacted Spark to find out more about possible impact on New Zealand users of their Xtra service with Yahoo. I am told more information will be forthcoming.

MikeB4: It was 2014, so any damage would have already occurred, except for Yahoo!'s valuation, which will take a hit, especially in Verizon's eyes.

Not at all. Sometimes a leak like this can be stored for years before the perpetrators sell it. Same for Last.fm, Dropbox and others - some as old as 2012. Also, because a lot of people don't change passwords (and we're talking 500,000,000 accounts), there's a good chance of hitting gold in a big number of accounts. Consider that a lot of people use the same password on multiple services, and you can imagine the impact of such leaks.

joker97: So no guarantees they can decode that hacked data then?

There's never "no guarantees".





gzt

10264 posts

Uber Geek
+1 received by user: 1578


  Reply # 1639293 23-Sep-2016 11:14

500 million user accounts, including security questions and answers. People tend to reuse those on other services which makes it very serious.

http://www.businesswire.com/news/home/20160922006198/en/

Yahoo is saying 'state sponsored actor' which would mean the information gained has been, and is, used for espionage purposes since 2014.

13349 posts

Uber Geek
+1 received by user: 6277

Trusted
Subscriber

  Reply # 1639302 23-Sep-2016 11:28

freitasm:

I have contacted Spark to find out more about possible impact on New Zealand users of their Xtra service with Yahoo. I am told more information will be forthcoming.

MikeB4: It was 2014, so any damage would have already occurred, except for Yahoo!'s valuation, which will take a hit, especially in Verizon's eyes.

Not at all. Sometimes a leak like this can be stored for years before the perpetrators sell it. Same for Last.fm, Dropbox and others - some as old as 2012. Also, because a lot of people don't change passwords (and we're talking 500,000,000 accounts), there's a good chance of hitting gold in a big number of accounts. Consider that a lot of people use the same password on multiple services, and you can imagine the impact of such leaks.

joker97: So no guarantees they can decode that hacked data then?

There's never "no guarantees".

Excellent point, didn't think of that.





Mike
Retired IT Manager.
The views stated in my posts are my personal views and not that of any other organisation.

Mac user, Windows curser, Chrome OS desired.

The great divide is the lies from both sides.


3455 posts

Uber Geek
+1 received by user: 1918

Trusted
Lifetime subscriber

  Reply # 1639385 23-Sep-2016 13:15

joker97: So no guarantees they can decode that hacked data then?

It depends strongly on how it was hashed, and who's doing the decrypting.

I did a bunch of hash cracking using a medium spec gaming rig ~18 months ago, as part of a project for a security course I was doing. I acquired some publicly leaked hash dumps, read some appropriate guides, and gave it a blast.

For MD5 hashes, I was able to crack 492871 of 548636 hashes (89.83%) in 37 hours. For SHA1 hashes, I was able to crack 1303439 of 2935345 (44.4%) in 4 days, 23 hours, 52 minutes, 39 seconds.

That's with one medium spec gaming rig, and no prior knowledge or experience, no custom dictionaries, etc. You can only imagine how much more efficient people with experience and/or significant computing power (e.g. nation-state sponsored hacking teams, the NSA or the Russian/Chinese equivalents) would be.

Information wants to be free. The Net interprets censorship as damage and routes around it.


1575 posts

Uber Geek
+1 received by user: 355


  Reply # 1640563 26-Sep-2016 11:45

gzt:
Yahoo is saying 'state sponsored actor' which would mean the information gained has been, and is, used for espionage purposes since 2014.

I find that hard to believe. If state sponsored, they would want to keep it quiet & keep it to themselves. The state wouldn't want it being sold on the black market.
Sounds like just another excuse.

The real issue is how long have Yahoo known & done absolutely nothing about this.

 

 


gzt

10264 posts

Uber Geek
+1 received by user: 1578


  Reply # 1640737 26-Sep-2016 14:33

1101:

gzt:
Yahoo is saying 'state sponsored actor' which would mean the information gained has been, and is, used for espionage purposes since 2014.

I find that hard to believe. If state sponsored, they would want to keep it quiet & keep it to themselves. The state wouldn't want it being sold on the black market.
Sounds like just another excuse.

The real issue is how long have Yahoo known & done absolutely nothing about this.

Yeah, it could easily mean 'more technical than Yahoo'. There are laws in the USA requiring disclosure. Yahoo would run foul of those without disclosure. But there is an exception:

"http://fortune.com/2016/09/23/yahoo-hack-legal/
There is, however, one explanation that could justify Yahoo's failure to promptly disclose the hack. According to Tantleff, the state laws make allowance for law enforcement proceedings. This means it's possible Yahoo informed the FBI about the hack, and the agency instructed the company to wait before going public with the news."

There is also another explanation possible.

Keeping the price high for the sale of Yahoo to Verizon last month for 4.8 billion.

BDFL - Memuneh
61508 posts

Uber Geek
+1 received by user: 12227

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1640840 26-Sep-2016 17:42

Received from Spark:

Yahoo announced late last week that a copy of some of its user account information was stolen from the company's global network back in November 2014. Yahoo has since confirmed that information from some of Spark's Xtra customers is included in the stolen data.

Spark was notified on Friday and staff have been analysing the data provided by Yahoo to identify the Spark customers who Yahoo believe may be affected.

We take this matter very seriously and will be progressively communicating directly with these customers who may have been impacted, from today, and over the course of the next 48 hours. The number of email addresses potentially at risk is 130,000, which is around 15% of the total Xtra email address base.

Spark will be asking these customers to immediately change their passwords (if they haven't already).

Yahoo has told Spark it has no evidence that the stolen information has been used to gain unauthorised access to Spark accounts.

To maintain a secure online profile, Spark advises all Xtra users to regularly update account settings with a strong, difficult-to-predict password. All Xtra customers who have not changed their password since 2014, or are unsure if they have, should do so now on the Spark website using this link: www.spark.co.nz/changepassword

As previously announced, we are currently in the process of preparing to move all of our email systems back home to New Zealand. If customers have already registered to have their email moved to SMX, they don't need to do that again. Similarly, if customers have changed their password as part of the SMX registration process, they won't need to do it again.

 





7889 posts

Uber Geek
+1 received by user: 795

Subscriber

  Reply # 1640887 26-Sep-2016 19:39

I think if I was an Xtra user this would have been the straw that broke the camel's back.





Regards,

Old3eyes


Mad Scientist
19108 posts

Uber Geek
+1 received by user: 2484

Trusted
Lifetime subscriber

  Reply # 1640900 26-Sep-2016 20:09

old3eyes:

I think if I was an Xtra user this would have been the straw that broke the camel's back.

I think the back would have been broken 2-3 straws ago :)





Swype on iOS is detrimental to accurate typing. Apologies in advance.

