Yahoo says 1 billion user accounts hacked


#1

Washington Post:

Yahoo says 1 billion user accounts hacked

Yahoo said Wednesday that 1 billion user accounts – meaning most of the Internet giant’s customers worldwide – were hacked in 2013, leading to the release of user names, telephone numbers, dates of birth and other personal information. News of the hack, coming after the announcement in September of a separate hack affecting 500 million accounts, means that Yahoo has been the victim of the two largest data breaches ever reported. Both have been announced since Yahoo agreed to sell its core businesses to telecommunications giant Verizon in July for $4.8 billion.

The incident raised new questions among analysts regarding the viability of that deal and whether the valuation will need to be changed, especially if the hacks trigger litigation against the company.
“This is another major blow,” said Jeff Kagan, a Georgia-based telecommunications industry analyst. “It throws into question what’s really going on at Yahoo. And if you don’t really know what’s going on at Yahoo, does Verizon have the guts to buy a potential bomb? This company could explode with major problems and major losses.”

Gee, ya think?


#2

Thankfully the future may offer more security.


#3

I got this notification in my Yahoo account. What’s next, though? I already followed their recommendations, like changing the password and so forth. The message is still there. No customer service can be contacted.


#4

Yahoo has my name and email address. It does not have my (correct) date of birth, my (correct) physical address, my (correct) personal information. Why would anyone give that kind of information? But I am a luddite, and I don’t do social media either.


#5

This isn’t the first time this has happened to Yahoo. They should cease to exist. Even the Yahoo search engine is bad.


#6

I’m not convinced that formal verification is The Answer. Certain systems do benefit from formal methods, but it’s a time-consuming task and most companies and open source projects won’t bother. It’s well suited to things like aircraft, industrial control systems, or crypto that need high security/reliability but consist of a relatively small amount of code. Operating systems, web browsers, web servers, etc. are just too big.

Besides, the problem hasn’t been that we lack the means to write secure code; it’s that it’s just hard and tedious. Worse, young developers are leaving their universities mostly or completely oblivious to security issues. That’s what I want to be addressed immediately.


#7

Whoa, they have given me excellent service for many years.


#8

I’m hoping workshops such as the NSF workshop on Security and Formal Methods foster networking among participants, and that developers craft breakthroughs.

My perspective comes from having had some past experience in small to medium-sized colocation facilities, learning some of the nuances of physical and network security. I was always disgusted by vendors who released buggy code and were slow in response, or by platforms that ran multiple services by default.

The lack of best practices of the user(s) is much easier to correct.

I wonder how a priority can be set for encouraging students and vendors to view security as the basic foundation of code.


#9

Network appliances are actually a good place for formal methods because the code can be reasonably small. I think it is definitely useful, but the effort involved is too high for it to be widespread. Companies want to pump out code and treat security as an afterthought and most open source projects are reliant on developers who just don’t have the time.

I could go on and on about how poorly prepared the average CS student is. Most programs treat their CS departments like extensions of the math department. They consider the actual programming aspect to be a necessary evil in order to do fancy math on computers. That’s why they do everything in Java; they don’t want to bother having to teach students hard languages because it’s not about programming. Thus, they send a lot of students into the workforce with a poor understanding of the languages they’re using. When it comes to security, obscure details of those languages matter.

One way to fix it is to make a penetration testing course required for all CS majors. They need to see how the systems they will be building will be attacked, and the best way to do that is attack them themselves. This could be both a separate course and an element of their other courses. Have them attack their own code. Have them attack each other’s code. This will help get them to think of security as they write code rather than try to patch it in later.


#10

DISCLAIMER: The views and opinions expressed in these forums do not necessarily reflect those of Catholic Answers. For official apologetics resources please visit www.catholic.com.