UK ISP BT Warns Email Using Customers After 2nd Massive Yahoo! Hack
A staggering 1 billion accounts belonging to Internet giant Yahoo! have been breached by a second major hack, albeit one that occurred in August 2013. Today BT Retail and other broadband ISPs that have used the firm for their email (e.g. Sky Broadband) are warning customers to change their passwords.
The latest confirmation of such an event follows a similar, if separate, incident that was first revealed in September 2016 after Yahoo! confirmed that at least 500 million of their accounts had been stolen in 2014 by “state-sponsored” hackers (here). Apparently Yahoo! didn’t realise that the theft had occurred until years later.
At the time the situation created an additional headache for BT and Sky Broadband because both ISPs had made use of or continue to use Yahoo!’s platform for some or all of their email services. In BT’s case it was merely a “legacy product used by some customers“, while Sky’s Yahoo! based Sky Yahoo Mail service was still at the centre of their email platform.
Hopefully anybody with a Yahoo! connected account or service, even if they weren’t among those affected, will have already changed their password. However if you haven’t done so then take note that Yahoo! has now disclosed that they were also hit by a similar incident in 2013, which apparently resulted in double the amount of accounts being stolen by hackers. Ugh!
At present Yahoo! doesn’t even seem to know how the data was stolen, which is troubling.
Bob Lord, Yahoo’s Chief Information Security Officer, said:
“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.
Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Yahoo!’s old MD5 algorithm for hashed passwords should not be banked on as it can easily be broken, which would expose the passwords. The theft of unencrypted security questions and answers is similarly dangerous because these often form part of Two Factor Authentication (2FA) systems and a lot of online services ask the same questions.
Today BT has been the first out of a gate with the warning for any of their customers who might still make use of the old platform, albeit so far only via Twitter but they do have a website that was setup for the original incident (here). Sky has yet to issue a similar notice, but we wouldn’t be surprised if they follow suit.
We're recommending that if you have BT Yahoo Mail & haven't changed your password since Aug 2013, that you do so now https://t.co/SfzM318GRI
— BTCare (@BTCare) December 15, 2016
Meanwhile Yahoo! claim to be notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access an account. More details here.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« Plymouth Science Park Upgrades 120 Businesses to 100Mbps Broadband
Comments are closed.
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
I don’t know why people use free ISP e-mail when it’s so cheap to have your own hosting and an e-mail address you can take anywhere with you
Not everyone knows this.
Example, when it comes to cars, I’m hopeless and will do anything my mechanic says.
…because UK customers only think of one thing – MONEY and how cheap can they get it.
So if it costs more get your own domain even if is only a “small” amount – they ain’t paying: end of story.
@Peter: What about a free gmail account?
John fancy giving us a few links to look at?
Lucky Yahoo spotted this … after Verizon agreed to buy them … that’s clearly why Marissa is paid big bucks.
About the only decent thing I can say about Yahoo Mail security is that as soon as you try to log in with a new browser, OS, IP – it reverts to requesting a verification code sent to a secondary e-mail address/phone number.
It’s actually a bit of a pain, but it is going to catch out attackers – even if they have your address and password.
As for MD5, not that I know much about crypto, yes it is no longer secure because it is vulnerable to collision attacks – which is the death of a hash function – but passwords will be exposed using rainbow tables, the same as secure hash functions.
I have a yahoo address which I rarely use, usually only when I dont completely trust the site with my normal one. However I cant change the password to use it in the future as the both the phone number and secondary email address are out of date.
The deal is subject to a material eventualities clause – as all such mega deals are and this is very much in that frame of a material change to the company’s circumstance since the agreement.
So Verizon could well walk away or the deal might be re-negotiated.
@Peter
I realise Verizon have room to manoeuvre, but would they have got entangled in this mess in the first place if the security issues had come out earlier? Mayer may well have known more than she has let on and engaged in “sharp practice”.
Same as Gerada, an ancient pre millienia account sent up, unused for over 10 years, and now unable to access as all the other info is long out of date.
Even worse, it has an auto forward to one of my gmail accounts, so I still get all the crap.
Yahoo have to be really, really negligent to not have noticed something widespread going on. Even I noticed it in early 2013..
I quote.. from conversations with my colleague in 2013:
:: Tom ::, 12/03/2013 20:16:36:
yahoo has to have had some massive security problem
:: Tom ::, 12/03/2013 20:16:44:
so many yahoo accounts hacked in the past 2 weeks
Alan, 13/03/2013 18:17:55:
boy am i sick of getting email from people with compromised yahoo accounts
Alan, 13/03/2013 18:57:13:
why has this not appeared in the tech news
:: Tom ::, 09/05/2013 18:06:40:
BT / Yahoo flaw will likely be on channel 4 news on Monday night for the second time
I’ve been emailing some guy at ITN news (who produce C4 news) after he asked people, on the BT forum, to contact him – and his post was deleted only a few minutes later 😀
:: Tom ::, 05/06/2013 10:46:45:
another round of BT / Yahoo hackings going on
:: Tom ::, 07/02/2014 11:09:47:
someones just hacked into my test yahoo account
(This account has a password manager generated password that even I don’t know).
Agree, they have been deliberately “forgetting to mention it”.
Everyone and their cat knew Yahoo were hacked in 2013, as everyone and their cat had their account hijacked in 2013.
I was only still using it for my local Freecycle group, and it seemed every member got their account hacked over a two week period.
Im with BT and have an email address with them though never use it, how do i know if it is Yahoo based? Is there a way to check?
I’ve now moved almost all customers to their own e-mail service (or CriticalPath’s at least?) so unless you remember if it ever said BT Yahoo if you logged into e-mail – it is unlikely you can ever find out if you once were on Yahoo.