1. 27

  2. 32

    MD5 without a salt. It only could have been worse if it were plaintext.
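The unsalted-MD5 point above, worked through as an added example that is not from the thread or from Yahoo's systems: the leaked records, the guess list and the salts are constructed, and PBKDF2-HMAC stands in for whichever slow, salted hash a defender would actually deploy. It shows why an unsalted digest is one table lookup away from the password, why equal passwords become visible across users, and how a per-user salt plus a slow KDF removes both properties.

```python
import hashlib
import os

# Constructed sample "leaked" records: username -> unsalted MD5 hex digest.
# Made up for this example; not taken from any real dump.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"password1").hexdigest(),  # same password as alice
}

# Small constructed guess list standing in for a real wordlist.
GUESSES = ["123456", "password1", "qwerty", "letmein", "dragon"]


def recover_unsalted(leaked, guesses):
    """Without a salt, one MD5 per guess covers every user at once: build a
    reverse table digest -> guess once, then look each leaked digest up.
    Returns {user: password} for every digest present in the table."""
    table = {hashlib.md5(g.encode()).hexdigest(): g for g in guesses}
    return {user: table[d] for user, d in leaked.items() if d in table}


def shared_digests(leaked):
    """Unsalted hashing leaks equality: users with the same password get the
    same digest, so recovering one password unlocks every duplicate."""
    seen = {}
    for user, d in leaked.items():
        seen.setdefault(d, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


def salted_slow_hash(password, salt, iterations=100_000):
    """Defensive form: per-user random salt plus a deliberately slow KDF.
    PBKDF2-HMAC-SHA256 is the stand-in here; bcrypt, scrypt or Argon2 are
    the usual production choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salt_breaks_sharing(password):
    """With distinct salts the same password yields different digests, so
    neither the reverse table nor the equality leak carries across users."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return salted_slow_hash(password, s1) != salted_slow_hash(password, s2)


if __name__ == "__main__":
    print("recovered from unsalted MD5:", recover_unsalted(LEAKED_MD5, GUESSES))
    print("users sharing a digest:", shared_digests(LEAKED_MD5))
    print("salted digests differ per user:", salt_breaks_sharing("password1"))
```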

    1. 11

      You’re probably right. If they had used ROT13, attackers probably wouldn’t have believed that they had obtained actual data, and promptly discarded everything, avoiding this whole debacle.

      1. 7

        Lmao. I would’ve recommended people try that if I was new to INFOSEC. The problem is that stuff like that happens enough in proprietary crypto that they’d believe they had the goods. Instead, your suggestion is good for a honeypot where it might get results. It would be hilarious to see a billion fake accounts w/ honeypot-generated passwords encrypted with ROT13 posted to some underground forum trying to sell it. Then they find out the compromise alerted the company, vulnerabilities were closed, & their data isn’t worth shit.

    2. 15

      And the raging dumpster fire that is Yahoo blazes yet higher.

      1. 8

        I just logged into Yahoo! to change my password, and checked on my previous logins to see if there was anything wrong.

        In the past two years I’ve only logged in 4 times, all of them just to change my password.

        I’d delete my account if it weren’t linked to Flickr.

        1. 1

          Flickr was my reason for holding out too, but I deleted my account a year or so ago now. They made it so hard to use the account that for me it was not worth it any more.

          1. 3

            Sad, but until something like safenetwork.org is massively adopted and we finally move away from hosting any user information centrally, I doubt this will be the last breach…

            1. [Comment removed by author]

              1. [Comment removed by author]

              2. 3

                “The company has not been able to identify the intrusion associated with this theft,”

                Amazing. They don’t even know how the data got out. The same gaping hole may still be wide open.

                1. [Comment removed by author]

                  1. 3

                    And the exclamation mark in their brand name! makes sentences hard to read.

                  2. 5

                    In general, the vast majority of intrusions go this way - detected after the fact but without a good way to figure out what happened.

                    E.g.: In a quite unsophisticated attack at $work, attackers launched a DDoS at 2am our time, then used stolen user credentials (e.g. obtained by spearphishing our users) to post fraudulent listings on the site.

                    Trying to dig through logs to figure out where they were and what they did / didn’t do was made more difficult by:

                    • Tired operations staff the next day
                    • Logs full of messages resulting from the DDoS
                    • Logs full of ops changes fighting the DDoS

                    Note that all this required on the attackers’ part was some cleverly worded emails, paying a DDoS provider and running a WordPress site. Imagine facing someone with real technical skill on top of that.

                  3. 3

                    I’d like to say this event would be a wakeup call, but I can’t even write that without smirking.

                    1. 2

                      With all these hacks, I’m inclined to become a luddite.