Yahoo! likes to pester me about changing my password, confirming my telephone number, or choosing three security questions which either I can’t answer or I know too many other people who can.
Then, being on hand to fix other people’s tech issues, I got called out last week to help someone with their BT Internet e-mail, which is a part-Yahoo! affair since BT decided to kind of team up with them (and seemingly break up a little) at some point. One minute they’re telling you to log in via BT’s website, the next they’re sending you off to a page titled Yahoo!.
The problem on this occasion turned out to be that this person’s BT Internet Mail account was linked to a Residential account, but they were paying for their internet via a Business account, and the former wasn’t being paid for so it got deleted. It took over two hours of web-chat and phone calls with various departments at BT to figure this out since it just stopped working.
Then I get called out to another client who had followed BT’s emailed instruction to change their password. Simple enough you’d think, but no, not when you have three devices that then refuse to retrieve your e-mails or tell you why. I’m going to call BT blatantly irresponsible here for this reason: they’d sent out a blanket e-mail to their customers, not addressing them by name, asking them to follow a link to change their e-mail password. I’d followed the link carefully to confirm it was actually from BT, but hello BT, anyone can send an e-mail claiming to be from you, asking the recipient to follow a link which may look genuine but not be. Really you should follow the banks’ and others’ approach and contact people by name (since they are your customers you should have it) and educate people about not clicking on such links; tell them to visit your website and then the other simple steps to follow, by all means… oh, and also make it clear that they will need to give each device their new password.
Not that I mind so much, I get paid for my time.
And then Yahoo! informs me (in addition to the usual badgering about my lack of password change) that they believe “an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.” This explains why they’ve been badgering me for so long. Yahoo! are actually doing a responsible thing here and telling users:
The emails from Yahoo about these issues do not ask you to click on any links or contain attachments and do not request your personal information. If an email you receive about these issues prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.
The stupidity from Yahoo! comes when they reveal that, while the passwords lost to this “third party” were at least hashed (with MD5, as their own notice states), the security questions and answers were not necessarily protected at all.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
So, enough clear information to forge a user’s identity?
It’s like locking the door to your house but telling the would-be burglar that the key is under the mat, along with your car keys and your wallet. Because what Yahoo! don’t make clear is that this “third party” could now use this information not only to gain access to your Yahoo! account but to another account they might guess you have, since often a “forgot your password?” option will ask you such things. Great. Yes, this is a slight exaggeration on my part, since not all accounts ask for the same security questions, but it gives someone a means of painting a forensic picture of you.
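To make the two complaints above concrete, here is an added example (my own illustration, not code from Yahoo! or from the original post). It contrasts the unsalted MD5 scheme the notice describes with a salted, iterated password hash, and then applies the same treatment to security-question answers, which the notice says were in some cases stored unencrypted. The record format, the iteration count and the normalisation rules are this example’s own assumptions, not anything Yahoo! has published.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not from the original post: unsalted MD5 (the scheme the
# breach notice describes) beside a salted, iterated hash, with the same
# protection applied to security-question answers. The record layout and
# parameters below are this example's own choices, not Yahoo!'s.

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def md5_unsalted(secret: str) -> str:
    """The weak scheme: one fast hash, no salt, so equal inputs give equal output."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def same_hash_across_users(secret: str, users: int = 3) -> bool:
    """With unsalted MD5 every user who chose this secret shares one digest,
    so recognising that digest once exposes all of them at the same time."""
    return len({md5_unsalted(secret) for _ in range(users)}) == 1


def store_secret(secret: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>.
    A fresh random salt per record means two users with the same secret get
    different records, and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record, never a successful login
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def normalise_answer(answer: str) -> str:
    """Security answers are free text: fold case, whitespace and Unicode form so
    'Fluffy ' and 'fluffy' both verify, without ever storing the answer itself."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Treat a security answer exactly like a password: normalise, salt, stretch."""
    return store_secret(normalise_answer(answer), iterations)


def verify_answer(answer: str, record: str) -> bool:
    return verify_secret(normalise_answer(answer), record)


if __name__ == "__main__":
    print("unsalted MD5 of 'password':", md5_unsalted("password"))
    record = store_secret("password")
    print("salted record:", record)
    print("password verifies:", verify_secret("password", record))
    answer_record = store_answer("  Fluffy ")  # constructed sample answer
    print("answer verifies:", verify_answer("fluffy", answer_record))
```

The point of the comparison: the MD5 digest of a given password is the same for every user and every site that uses the scheme, so a leaked table of such digests is directly usable, whereas each salted record has to be attacked on its own at the cost of the full iteration count per guess. Storing security answers the same way would have left the “forgot your password?” route no easier to exploit than the password itself.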
And it doesn’t seem that Yahoo! are doing enough to mend their ways. They say they have changed their password-hashing method but have not said how they might be better protecting all the other data; what’s the point in changing your locks if you’re going to leave your keys in the same place? They blame this “attack” on a “state-sponsored actor”, but it seems this description has come by way of the “law enforcement” and “outside forensic experts” (US Government funded, I assume) who told them about the problem… maybe it’s all being played out so we continue to fear the various countries who are apparently good at this stuff.
I hope this goes some way to illustrating to people how unsafe our lives are in this digital age. Your bank accounts, pension schemes, government or otherwise, and benefit systems are not as safe as you might think; you could have your finances or sole source of income wiped out, blocked or stopped at the press of a button. I’ve seen it happen, and this was by a third party (Concentrix) given access by the government:
Concentrix, the firm accused of incorrectly withdrawing tax credits from hundreds of claimants, is to have its work brought back in-house to HM Revenue and Customs, staff have been told.
Work now being done by the US company will be taken on by HMRC immediately, said the Public and Commercial Services union (PCS).
I would say: “Nice work, UK government, for giving a US firm such access and responsibility regarding your citizens’ personal information and finances…” They may have given them the sack, but what else have they left with? Not that it matters; the US (and whoever else) have got their hands down everyone’s pants.
P.S. BT, I might consider retracting this post if you upgrade my broadband speed from sh!t to acceptable 😉