Yahoo confirms that all accounts were compromised

In a statement published recently in an update about the 2013 breach, Yahoo has now confirmed that every single one of the 3 billion odd accounts registered with them in 2013 was compromised.

https://help.yahoo.com/kb/account/SLN28451.html

This was the discovery of an unnamed security consultant.

“We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected,” Yahoo officials wrote in the update. “Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.”

Passwords were stored as weak MD5 algorithm hashes.

In 2017, MD5 and cleartext are essentially equivalent due to the ease of cracking MD5, meaning that anyone with a copy of the Yahoo data has likely deciphered just about every single password.

More details can be found here:

5 Likes
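Added example, not part of the original post or anything Yahoo published: one way a site holding unsalted MD5 hashes can harden them in place, by wrapping each stored hash in salted scrypt and upgrading to plain scrypt at the next successful login. The function names, record layout and scrypt parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune for your hardware)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5(password: str) -> str:
    """The weak scheme described above: one unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy(md5_hex: str) -> dict:
    """Harden a stored MD5 hash in place, without knowing the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(md5_hex.encode(), salt=salt, **SCRYPT)
    return {"scheme": "scrypt-md5", "salt": salt, "hash": digest}


def new_record(password: str) -> dict:
    """Native scheme for new or re-hashed passwords: salted scrypt only."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"scheme": "scrypt", "salt": salt, "hash": digest}


def verify(password: str, record: dict):
    """Return (ok, record); a wrapped record is upgraded on successful login."""
    secret = password.encode()
    if record["scheme"] == "scrypt-md5":
        secret = legacy_md5(password).encode()
    digest = hashlib.scrypt(secret, salt=record["salt"], **SCRYPT)
    if not hmac.compare_digest(digest, record["hash"]):
        return False, record
    if record["scheme"] == "scrypt-md5":
        record = new_record(password)  # drop the MD5 layer once the password is seen
    return True, record


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    old_db = {"alice": legacy_md5("hunter2"), "bob": legacy_md5("hunter2")}
    print(old_db["alice"] == old_db["bob"])          # unsalted MD5: identical rows
    db = {user: wrap_legacy(h) for user, h in old_db.items()}
    print(db["alice"]["hash"] == db["bob"]["hash"])  # per-user salts: rows differ
    ok, db["alice"] = verify("hunter2", db["alice"])
    print(ok, db["alice"]["scheme"])
```

Because every record gets its own random salt, a precomputed table built against plain MD5 does not apply to the wrapped hashes, and each guess costs a full scrypt evaluation.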

Hot damn, I hope someone releases a copy of that password list. This is gonna be bigger for cracking stuff than rockyou.

3 Likes

For some reason this came to mind…

4 Likes

I had a teacher with Yahoo email … not stating I would do anything, just curious if he changes his password regularly :smiley:

3 Likes

Glad I moved from Yahoo mail back in 2004.

1 Like

The @att.net e-mails are really Yahoo e-mail addresses aren’t they?

If so, I have to tell muh parents, before I get no inheritance.

Don’t worry, you will discover rich fortune, you are prince! Send money for plane ticket to receive fortune.

3 Likes

Hmmm while I’m glad that I deleted my Yahoo account more than a decade ago. My mum still uses it. I’m going to try and convince her to change email service provider. Any suggestions?

Pick literally anything. They all datamine and are all equally secure

Host your own.

Fastmail

Protonmail

Those are about the only options.

1 Like

That would only matter if the person hasn’t changed their password in 4 years. I have two Yahoo accounts and have changed the password multiple times since and have 0 concern.

1 Like

I don't give a fuck about stealing accounts. Would be nice to have a password list that is more up to date compared to rockyou.

2 Likes

I can only imagine how juicy those rainbow tables might be

3 Likes

no shit. all the rainbow tables :smiley:

The problem with rockyou is that most of the passwords don't comply with standard password policies anymore :frowning:

Wouldn’t these ones also be somewhat useless if it's the policies that you're after? These were passes from 2013 and policies have probably improved. Also, aren't most Yahoo accounts old accounts that existed way back in the day?

Pardon the noob questions. I don't really know much about this field.

The point of rainbow tables is that you don't need to have a password list. It’s really just pre-computed brute forcing.

3 Likes

Yes, but you need A LOT of space for it.

Maybe my perspective is skewed, but 5TB for a useful rainbow table isn’t too bad.

Best Buy has those 8TB reds on sale. Grab one, throw your RT on it, ???, profit!

2 Likes

The rockyou leak happened around 2009 so won't make much difference, but the sheer amount of passwords will make the difference.

Rockyou only required a 5 char pass, so most of them were not of proper length compared to the modern 8.

Crap. I had an old email account from Yahoo. Haven’t used it since 2011(?) but still not very good.