This morning I received an email from Yahoo entitled “Important Security Information for Yahoo Users”. Five minutes later I’d closed my account.
The email was Yahoo’s admission that I was one of 1bn victims in a data breach of staggering proportions.
It wasn’t that this could be the biggest breach ever that pushed me over the edge and made me close my account. Nor was it that this was the second mega-breach that Yahoo has fessed up to just this year.
It wasn’t even that Yahoo apparently had no idea that this three-year-old breach had even occurred until law enforcement told them about it (although that certainly helped to convince me).
The straw that broke this camel’s back was this section of Yahoo’s email:
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
There’s plenty to get your teeth into there, and plenty to be mad about (date of birth in the wild for 3 years…) but I’m a password nerd and I was drawn to hashed passwords (using MD5).
MD5 is a hashing function. The idea is that no matter what you feed it, whether it’s an eight-character password or the complete works of Shakespeare, you’ll get a pseudorandom 128-bit hash value out of it.
What makes hashes useful for password storage is that those outputs aren’t reversible: if you know the password you can calculate the hash but if you know the hash there’s no way to unravel it back in to the original password.
Hashing allows websites to check that your password is correct without actually having to store it. So long as the hash of the password you use when you login matches the hash on record, you must have entered the correct password.
MD5 isn’t a good choice for this kind of hashing because in reality it doesn’t produce truly random hashes, and it’s possible to create MD5 “collisions” where two different inputs produce the same hash.
Its use has been discouraged in favour of better hashing functions for two decades.
But that isn’t why I closed my account.
I didn’t close my account because Yahoo used MD5 rather than a more collision-resistant hashing function. I’d still have closed it if Yahoo had said it was using SHA-3.
I closed it because a plain old hash by itself isn’t really enough to keep my password a secret.
A crook who steals a database of password hashes has to guess at the passwords it might contain. The process is something like this: guess a password, pass it through a hashing function and see if the resulting hash matches anything in the database.
The guesses the criminal makes are important but speed is king. The more guesses they can make, the more passwords they’ll uncover.
In an offline attack against a victim who has no idea their password has been stolen the criminals hold most of the cards. They can use whatever specialist password cracking hardware they can get their hands on and they have all the time in the world.
Effective password storage is about making your password too difficult, too time-consuming or too expensive to be worth bothering with even if your adversary can generate hundreds of billions of hashes per second.
By themselves hashes just don’t pose enough of a barrier. Instead they should be used as one component in a more complex “salt, hash and stretch” password storage routine like PBKDF2, bcrypt or scrypt.
Salting adds a unique secret to your password so that if even if somebody else is using it you’ll still have different hashes. Crooks will have to make two successful guesses to crack two identical passwords, not one. It also stops attackers from using lists of pre-computed hashes, because they now need a hash lookup list for every possible salt.
Stretching means repeating the hashing process over and over and over again, usually many thousands of times for each password.
To see the difference that password storage choices, just look at Ashley Madison. When the adultery website was breached, its password database was picked up by security researchers. Some passwords were stored as MD5 hashes and others were salted, hashed and stretched using bcrypt.
A lot of security researchers simply didn’t try to crack the bcrypt hashes, but one blogger who did managed to recover 4,000 passwords after seven days of 24-hour password cracking. A different blogger spent 10 days cracking the MD5 hashes and successfully guessed 11 million of them.
So, sure, Yahoo might have been using MD5 as the hashing algorithm at the heart of a salt, hash and stretch routine, and if they did, why not say so? Would you use a phrase that’s already used to describe a popular but ineffective form of password storage to describe one that isn’t?
The company left me having to interpret its words and my filter for that was all that has gone before. There was no doubt. From upgrading RSA keys at the last minute to delivering TLS years after its competitors, Yahoo has made a habit of being late to the party.
In the context of that tardiness, the idea that in 2013 Yahoo was using password storage from a bygone era does not seem far-fetched. Plenty of others were doing the same.
To close your Yahoo account, as I have done, read Yahoo’s guide to closing your account. If you do close your account, be warned that it takes 90 days so be sure to change your password as well.
For the definitive Naked Security guide to password storage, take a look at Paul Ducklin’s How to store your users’ passwords safely.
29 comments on “Yahoo breach: I’ve closed my account because it used MD5 to hash my password”
Great article with a low-geek factor. Understandable explanation of the problem.
Considering that Yahoo will recycle deleted e-mail addresses after a year wouldn’t it have been better to hang on to it for a while to make sure nothing was being sent to it that you might have missed or forgotten? Otherwise you risk having the new owner of that address getting YOUR e-mails that slip thru the cracks.
That’s why I stopped using my Yahoo e-mail last year. I check it from time to time to see if anything happens to be there that I missed moving to my Gmail address, but I don’t use if for anything, not even as a throw away account. I just don’t want anyone else getting that account and getting an e-mail meant for me.
Don’s comment is why I have held on to my Yahoo account all these years, ever since they autogenerated one for me based on a company they acquired. That said, my security questions are treated as password prompts, and I rely solely on two factor authentication to protect my account (which contains nothing of value). Otherwise, someone else will get the email address, which is more valuable at this point than the contents of my account.
I admit I’m not the sharpest tool in the shed. In September 2016 Yahoo admitted to a security breach affecting 500 million accounts. Now they say an even earlier breach affected 1 billion accounts. If people changed their passwords in September how would old password info be of any use? To try to draw an analogy, let’s say a national store like Home Depot or Target gets hacked (which actually happened.) The bad guys now know a lot about me. The store sends me a new card. Should I completely close out my account instead and never use a credit card from that company again? Seems that’s what the article suggests I do with Yahoo. Not trying to be argumentative, just very confused and trying to figure things out.
If you changed your password in September then an account password stolen three years ago is no longer of any use for logging in to your Yahoo account (or since September when you changed it). The hack has come to light now but obviously the people who did it have had three years to crack and exploit your password.
The chances of them being able to crack your password in that three year window were greatly enhanced by Yahoo’s choice of MD5 over, say, bcrypt.
It’s quite possible that if you change your password and enable two-factor authentication that you’ll enjoy a hack-free future with Yahoo. Personally I’m not going to put my trust in technology company that should know better using a technology that isn’t up to the job.
How do I close my account to Naked Security, I’ve searched to do so but I cannot find how to do close my account. Can you teach this techno logically challenged person how to close my account? Thank you!!
There isn’t really any such thing as a “Naked Security account”, so there’s nothing to worry about “closing”. We do have a mailing list; if you’re signed up for that and you want to stop receiving it, just go to the very bottom of the next Naked Security email you receive and click on the word “Unsubscribe from this list.” You will then receive one final email to tell you what happened (that’s to stop someone else unsubscribing you by mistake without you realising) and then you’re done.
(We hope you’ll still come back to read articles from time to time anyway. Because there are no accounts on Naked Security, all articles are always accessible to anyone at any time without a subscription.)
A credit card is a terrible analogy, because not many people have the same number with different providers. So thief A could never access card B, when they stole card A. With passwords however, the real damage in most cases is password reuse. So Yahoo suggested you change your password in September (you shouldn’t have the same passwords 3 years later anyway, but that’s another story), you change your password, but did you change you bank password which uses the same password and email? Did you log in to every account that uses the same security question and change those answers?
The problem is far larger than, “Oh I changed my password.”
And giant companies like Yahoo should know this, and act like they know it.
I think you are making the wrong comparison. After the Target breach, it would have been reasonable to ask whether you were willing to shop at Target any more because of how it handled your data.
I thought about not shopping at Target after the breech but could not find cheap goods with out violating my have to have it now attitude.
I think not using yahoo will be much easier then not shopping at Target because I have a few different email accounts that can easily replace yahoo (not that it was my primary account to begin with.)
I think Jay Miller has it right, password reuse is the real problem here, Once upon a time I reused password thinking it was fine (today not so much), I think many non-tech savvy people think it is still ok as well which is where the problem is.
The article just says that Yahoo really doesn’t care about security, and has been always not interested in securing peoples yahoo mail accounts from the very start until at least recently… and who knows if they have now take it seriously or are just saying they care just to make the brand recover the money value.
There are other mail providers that really take security seriously and do make everything they can to make users of e-mail more safe, I’m thinking for example on posteo.
The hack might explain why my Yahoo account was a complete mess and I could not get properly into it to untangle it, so I ended up creating a new account. Not that I trust it for anything important – I use it as a sacrificial account for things that don’t matter.
Yahoo foisted email on me. In the early days email was not required to establish and use a Yahoo account. I only provided the minimum data required and never provided any real info. Nonetheless, as cyber security threats grew out of proportion I changed my password to a strong pass phrase and provided a real alias email address for use with 2F if needed.
Personally, I think email services should be optional. This would allow customers to shrink the attack surface. I only use Yahoo to obtain stock prices – nothing else.
I’ve always used a unique password for Yahoo! and I change it around once a year. I never even blinked when informed about either of these breaches.
But I have a different question that’s never been addressed. There are many of us who became Yahoo! mail users when our “Bell” providers decided they didn’t want to spend money being email providers.Email from Bellsouth, Ameritech, Pacific Bell, SNET, Prodigy, Southwestern Bell, and AT&T Worldnet domains is really Yahoo! mail.
Except that (at least for former Bellsouth customers), the Yahoo! password is also the password to access your AT&T account for cellular, VoIP, DSL, Dish, and U-verse offerings. If I change either password, the other changes with it. Clearly there’s a RADIUS server (or equivalent) in there somewhere.
Now, here’s the question: Was data associated with these “special” accounts also disclosed in the breaches? It seems like they might not have been exposed simply because they would have been stored separately.
I have to admit, I meant to look into this back when Yahoo took over management of these accounts, but I never got a definitive answer for what sort of security was being used. Either way, I’d recommend changing your password and enabling two factor authentication. The downside of course is that the two factor authentication likely involves two factors controlled by the same account. Make sure to treat your password reset questions as if they were password challenge/response questions.
It seems unlikely, because you’d imagine that data specific to your relationship with your ISPs wouldn’t be shared with Yahoo on commercial grounds, let alone for reasons of privacy.
As a somewhat related issue, a reader here in the UK reported to us that his UK-based ISP, which also provides its email service via a branded Yahoo offering, doesn’t support 2FA, so he couldn’t turn it on even if he wanted to (which he did). Seems that was a “feature” they didn’t adopt.
How is the 2FA situation with Yahoo-partnered ISP email in North America?
I am in this same position Paul, maybe the person you refer to but yes my ISP in the UK provides its email service via Yahoo but does not offer MFA so while I have changed my password to something ludicrously long and strong via my password manager then I have to change it regularly just in case my non 2FA poorly hashed password could be compromised. In fact it has been previously according to Have I been pwned. Secret questions are another big issue for my ISP as these are set over the phone when you set up your account and not done by a website form, they are typically used when you speak to a customer service operator on the phone who asks the secret question answers in their entirety or if you use a life chat system if making a complaint then this automated system asks for random characters from your secret question answer, so while it would be straightforward for the live chat system to utilise a gobbledygook secret question answer I fear that if you had to provide this to a human operator it just wouldn’t work, in any case I dont have the option to change them on line, not sure about asking over the phone. In any case as I have a TV/Broadband package with them I am in the process of cancelling my 14 year subscription as I have had a better offer from someone else although ironically with the same ISP for a lot cheaper, they reckon I cant do this as its against policy, they would refuse me a new contract unless I had been away from them for 12 months, guess what I have done it and saved myself £40 a month and got better equipment to boot, however I shall not be setting up an email account.
The person I referred to was someone else and and as far as I can tell is using a different ISP.
Why use a password at all with Yahoo?
Because you can’t save stock lists or get download features among other things.
I detected major problems with yahoo as far back as 2006. I use that account as my garbage email – as in the email to use when I don’t necessarily want a company to get access to an email that I actually care about. In that case, its actually useful.
With such a stupid company name, why would anyone take then seriously in the first place? I mean…
However, this MD5 collision thing can be over-blown. I matters a lot for security certificates, and for a validation hash, but not when brute-forcing to find a password. Although a slight chances of finding a collision due to the MD5 compression function does exist – but with a time complexity of 2^128 it’s going to take some time.
You say attackers have all the time in the world, which is lucky because they’re going to need a lot of it. Unless your password was short and likely to exist in tables. I don’t know about you, but mine are long and random.
If you reckon it’s quick and easy to reverse an MD5, try this one (no salt added): 846636f98431a5a7e200f6e234e91141
There are plenty of reasons why I’d never use any of the freemail services, but this isn’t really one of them.
Indeed, MD5 collision isn’t why I closed my account (as it says in the article).
Good for you having a long and random password. It’s certainly much more likely to remain a secret than a short one. Sadly many people don’t have long and random passwords and Yahoo are negligent to pass up something they can do to make those users much, much safer (hash, salt, stretch) in favour of hoping their users behave like no other group of users in history and make a habit of choosing long and random passwords.
As far as revealing a birthdate – why would anyone give Yahoo or any similar service their real birthdate? Just create a fake one and go with it.
I couldn’t close my account because it is linked to Verizon and it is impossible to unlink it (and contacting either gets you into an endless finger-pointing customer “service” loop). If you click on “unlink” it just goes into a loop. And, each time, I had to reset my password for Verizon.net only to have it dump me back into Yahoo! again as if nothing happened (because, of course, nothing did).
A couple infuriating hours to land back at where I started. So… I guess my only option is to just stop using it and let it die slowly. I have been changing my passwords on a regular basis, but I am concerned that other providers actually use Yahoo! for their various email platforms and related account info.
You are, of course, quite correct that their actions cause problems. Epic problems.
But, there’s one huge hole in Yahoo’s defenses that I haven’t seen anyone address yet:
They were breached. They were breached again. Both times, it’s very likely that their own internal staff’s emails were compromised (most email companies do use their own products, right?) With the knowledge gained from those emails, it’s very likely hackers could go beyond emails; they probably breached the company’s perimeter as well.
Now, a nice, enterprising hacker who does this has the keys to the kingdom.
Worse, since they have both access inside the perimeter AND access to emails, they’re probably in-the-know about what IT staff did to correct the problem. If they’re good, the hackers even installed keyloggers in appropriate places. So …
Most importantly: they’re probably still at work inside Yahoo’s “secure” perimeter.
Getting the hackers out will be mind-blowingly difficult, as they have to secure EVERY breach location AT THE SAME TIME. And, they probably don’t even know where those are.
This collection of errors could lead to the downfall of the company, unless they CLEARLY state what they’ve done to fix things. And, frankly, I’m not sure they even KNOW what to do, let alone stating the same.
I don’t know about Yahoo, but google employs have been using FIDO keys to authenticate into their services. While I don’t think FIDO use of NIST P-256 and NIST P-384 was a good idea, at least is a lot harder to use those credentials from the outside from the normal “hackers”.
Google is probably more secure in security terms, at least from the “free provider” standpoint… and I did left Yahoo mail account years ago because I did saw since about 2006 that Yahoo didn’t care about security… I think they didn’t even protect the login page with SSL because they said in that time they used some sort of secure hashing or something like that would make ssl not necessary… I never understand that secure hashing thing and looked to me more excuses than real security.
Just to have an idea about in 1998/2001 their was a free e-mail provider called Visto that did offer everything over SSL 3.0/ TLS 1.0 not just logins but also the e-mail content…. from that time until Yahoo finally decide to offer the same how many years that take? Well it was in ~2014 so about 14 years later? And only after Google Mail has start doing it!
Well these places sometimes get caught like this knowing well in advance they could have done more on their security side for prevention. Like, Yahoo was hoping that the hackers would just leave them alone amid so many other companies because well they’re just a search engine?
(cmon Yahoo…*fart noise*)