Hacking News : Yahoo hit in worst hack ever, 500 million accounts swiped .

The internet company, being bought by Verizon, says a state-sponsored actor stole email addresses, passwords and birth dates. Change your passwords. Now.

Hackers swiped personal information associated with at least a half billion Yahoo accounts, the internet giant said Thursday, marking the biggest data breach in history.

The hack, which took place in 2014, revealed names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, Yahoo said in a press release. Encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also taken.

The internet pioneer, which is in the process of selling itself to Verizon, said it's "working closely" with law enforcement. It called the hackers a "state-sponsored actor," though it didn't identify a country behind the breach.

Yahoo urged users to change their passwords if they haven't since 2014. The company has 1 billion monthly active users for all its internet services, which span finance, online shopping and fantasy football. Its mail service alone has about 225 million monthly active users, Yahoo told CNET in June.

The hack serves as a reminder of how widespread hacking is and highlights the vulnerability of passwords. Cybersecurity specialists recommend using a different password for each account you have on the internet. Other experts are working on alternatives to passwords, such as biometrics like your fingerprint or retina.

"Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud," said Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. "We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether."

ud072517normal.jpg
The breach has exposed at least 500 million accounts' names, email addresses, phone numbers and dates of birth. In some cases, security questions and answers too.
Justin Sullivan, Getty Images
Verizon, which is paying $4.83 billion for Yahoo, said it was notified of the massive breach within the last two days. The telecommunications giant had "limited information and understanding of the impact," according to a statement.

"We will evaluate, as the investigation continues, through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," Verizon said.

B. Riley & Co. analyst Sameet Sinha told The Wall Street Journal the breach was unlikely to affect the sale to Verizon.

Virginia Sen. Mark Warner, a member of the newly formed Senate Cybersecurity Caucus, criticized Yahoo for not discovering the breach when it originally happened in 2014.

PASSWORDS, PASSWORDS EVERYWHERE

• How to find out if you're at risk in Yahoo hack
• Welcome to the club, Yahoo: 10 other massive hacks
• World Password Day: Here are 4 tips for staying safe online
• Passwords and emails don't match up in cache of 272 million logins
• Lord of the Paranoids: New Yahoo security exec on protecting a billion-plus accounts
• Hacker trades 272 million passwords for social media likes

Hackers' sale of Comcast log-ins reminds us to change our password habits
"While we have seen more and more data breaches in the private sector in recent years, many of them affecting millions of consumers, the seriousness of this breach at Yahoo is huge," Warner said.

The Privacy Rights Clearinghouse, a nonprofit organization that tracks cybersecurity breaches, said the hack was the largest-ever publicly disclosed breach.

Yahoo has taken steps to protect its users, including invalidating security questions and answers, but the real risk lies in hackers using the passwords on other websites.

"We typically see a 0.1 percent to 2 percent log-in success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites," said Shuman Ghosemajumder, Google's former click-fraud czar and CTO of Shape Security.

Facebook co-founder Mark Zuckerberg's Twitter account was hacked using a similar method after the passwords of more than 100 million LinkedIn members were leaked.

It will take Yahoo at least several months before it starts regaining users' trust, according to research from Alertsec. The encryption provider did a study that found about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches.

"When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair," CEO Ebba Blitz said in a statement.

On August 1, a hacker named "Peace" claimed to have breached 200 million Yahoo usernames and passwords from a hack in 2012, and offered to sell them on the dark web after trying to do the same with MySpace and LinkedIn accounts.

A person familiar with the situation said Peace's assertion prompted Yahoo to initiate an internal investigation. That investigation found no evidence that substantiated Peace's claim, but the investigating team found indications that a state-sponsored actor had stolen data in 2014.


Former Yahoo information security officer Jeremiah Grossman, now chief of security strategy at SentinelOne, said that internet companies, especially giants like Yahoo, face challenges protecting enormous computer networks because the networks offer so many points of entry to attackers.


"It's unsurprising when breaches, even of this magnitude, take place," Grossman said. "Yahoo certainly isn't the first. And they won't be the last."

News Source - https://www.cnet.com/news/yahoo-500-million-accounts-hacked-data-breach/

Hacking Updates : How Russian hackers could disrupt the U.S. election .

As U.S. authorities investigate whether Russia is attempting to alter the presidential decision, states are thinking about how to secure their frameworks and avoid cyberattacks amongst now and Election Day. 

Arizona and Illinois have effectively experienced endeavored hacks of their voter databases and a week ago, U.S. authorities said they are growing their request since agents trust extra states have likewise seen programmers effectively test their decision frameworks. Authorities have not openly said yet who they accept was behind the Arizona and Illinois breaks, yet just like the case with the Democratic National Committee (DNC) hack, Russia is suspected to be dependable. 

More than about six cybersecurity specialists CBS News addressed said it's reasonable Russia, which has among the best programmers on the planet, is attempting to impact the U.S. decision and that the odds of more cyberattacks amongst now and Election Day are high. 

Voter enlistment or voter move databases may be one bit of decision frameworks that could be helpless to further assaults, specialists told CBS. Authorities in Arizona and Illinois said voters' data was not interfered with, but rather it could be risky on the off chance that they break into the framework and erase documents. 

"The genuine peril is whether they can erase voter enrollments," said Herbert Lin, a senior exploration researcher for digital approach and security at Stanford University's Center for International Security and Cooperation. "Suppose they needed to intercede in favor of [Donald] Trump. At that point what you would do is discover a method for refuting the voter enrollments, erasing the voter enlistments of 10 percent of the Democrats in the state. That would make 10 percent of them ineligible to vote." 

Hypothetically, another sort of cutting edge assault, specialists said, would be to target and alter programming for voting machines with the goal that it could influence what names are shown or how votes are numbered, however specialists trust this would be excessively precarious, making it impossible to execute. 

"You could, in principle, hack into that product and change it so it would count something in an unexpected way. Yet, once more, those sorts of things are truly difficult to do just as far as really doing it, and doing it in an undetected way is much, significantly more troublesome," said Daniel Castro, VP at the Information Technology and Innovation Foundation. 

A few specialists are worried about states that utilization touch-screen voting machines that leave no paper trail. Five states are totally paperless: Delaware, Georgia, Louisiana, New Jersey and South Carolina. Nine different states have a few areas that utilization paperless frameworks: Arkansas, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee, Texas and Virginia. 

States are now watchful for conceivable insecurities. A week ago, Washington state uncovered that its online instrument that permits voters to enroll, overhaul individual data and perspective a voter aide was inadvertently open through the site's improvement code. 

There was never a "security break" or "hack of the voter framework," the secretary of state's office said in an admonitory, and it was immediately altered. Be that as it may, the episode fortifies worries that state decision frameworks could be defenseless against potential cyberattacks. 

Specialists told CBS News that a definitive objective of these programmers is not to essentially change the result of the race; their primary target is to de-legitimize the result by sowing uncertainty, vulnerability and suspicion through a progression of cyberattacks. 

"I would contend this is a standout amongst the most noteworthy digital assaults that, as far as anyone is concerned, has ever been directed against the United States. The assailants are attempting to undermine the trust in the discretionary procedure," said Alexander Klimburg, partner at the Harvard Kennedy School's Belfer Center for Science and International Affairs, and writer of an imminent book called The Dark Web. 

"The test in digital operations is that the main confinement in what you can do is your own inventiveness," Klimburg said. "Whatever you can envision doing is practically conceivable in digital terms." 

In this way, Obama organization authorities have put forth no obvious expression either recognizing the Russian government as being behind the cyberattacks or undermining countering. Be that as it may, Russian President Vladimir Putin, in a meeting a week ago with Bloomberg denied that his legislature had anything straightforwardly to do with the DNC hack. "I don't know anything about it, and on a state level Russia has never done this," he said. 

The Department of Homeland Security has offered states backing and help with ensuring against cyberattacks. Alongside the general security proposals made to make frameworks more secure, such as changing passwords and introducing firewalls, one master said the most vital move states can make is performing full trade off evaluations to figure out whether a system has as of now been encroached and observing all PCs on a system that have anything to do with vote counting or the exchange of voter enrollment data. 

Specialists push that programmers won't not plan to utilize these assaults to influence the decision - to support Trump, for instance - yet they are a piece of Russia's long haul methodology to test Western popular government and to upset and debilitate the U.S. political framework. 

"They've as of now accomplished some of their objective," said James Lewis, senior VP and chief of the vital advancements program at the Center for Strategic and International Studies (CSIS). "When they get nearer to November, they'll need to keep up the weight, keep up the disarray. They'll most likely search for ways, if Trump loses, to plant data or make drives that propose by one means or another the race is fixed." 

Trump has over and over cautioned that the decision may be "fixed" and said in a meeting with Larry King a week ago that it's "really improbable" that Russia would interfere​. 

In any case, Lewis said he trusts Russia is behind the DNC assault and interruptions at the state level and said there are several variables that are likely inspiring these programmers. 

"A portion of the objectives are to check whether you can drive a wedge between the U.S. what's more, Europe and some of it is simply fight," he said. "Despite everything they haven't pardoned us for what happened toward the end of the Cold War." 

Yet, FBI Director James Comey said last Thursday that any cyberattacks won't influence the result of the 2016 race since it would be excessively confounded, making it impossible to assault the country's various voting frameworks on a substantial scale. 

"The genuine vote numbering is cumbersome," Comey said. "As it were, that is a gift since it makes it stronger and more distant far from a performing artist who may hope to creep down a fiber optic link." 

Dmitri Alperovitch is the originator and boss innovation officer of CrowdStrike, which has been examining the hacks at the DNC and DCCC, and that distinguished two gatherings, connected to Russian insight offices G.R.U. also, F.S.B., invaded the DNC free of each other. 

While Alperovitch concurs that Russia is attempting to primarily bring about devastation in the U.S. race framework, he said "we can't markdown the likelihood" that programmers could really change the result of the race. 

"On the off chance that it's nearby, and on the off chance that it's truly going to come down to a couple votes in a couple of regions, kind of like the 2000 Bush versus Blood race, then you don't have to hack into each state and each province," he said. "You may need to do one hack and swing a couple of hundred votes." 

Since states and neighborhood purviews run races and utilize diverse frameworks, a few specialists and authorities say its decentralized nature could in itself secure against a huge scale assault. In any case, the way that there isn't an all inclusive framework to hack into likewise displays a drawback. 

"What that implies from an aggressor's perspective is you can look through each state in the country and search for the ones that have a few shortcomings," said Steve Grobman, boss innovation officer of Intel Security. "There's an amazing preferred standpoint for the enemy here in that dislike there's one kept entryway that is worked out of the field that they need to make sense of how to enter. They essentially have 50 entryways that are produced using a wide range of various merchants and a wide range of various advancements and they can squirm all of them, take a gander at every one of them, and locate the loosest one." 

It would be troublesome, in any case, to control the vote extensively, Grobman said. 

Rather, Grobman said his top concern is the way they could impact the race before Election Day in which programmers would discharge bona fide information and interweave it with information that they would manufacture, giving it the presence of everything being reasonable. 

"One of my worries is this is precisely what might happen in the decision cycle where late in October, we would see an arrival of information that would have some bit of dooming substance that would possibly impact the result of the race and...people would expect it's believable, particularly on the off chance that it's interwoven with bona fide, stolen information," he said. "The issue would be there wouldn't be sufficient time to look into and accept that it would be a creation." 

"The Russians are going to choose the Americans are still conflicted about how to react to us," Lewis said in regards to the most recent remarks from key organization authorities, "And they'll see that as a greenlight." 

Solicited what the odds are from Russia making more move - undetected or identified - before the race, Lewis said, "100 percent."