Forgot Password
Pentax Camera Forums Home
 

Reply
Show Printable Version Search this Thread
09-22-2016, 07:25 PM   #16
Pentaxian
aleonx3's Avatar

Join Date: Jul 2007
Location: Brampton, Ontario
Photos: Gallery | Albums
Posts: 3,945
QuoteOriginally posted by jpzk Quote
Is this only for a Yahoo account or for ANY email account?
Just yahoo and its affiliate (flickr) accounts.

09-22-2016, 07:38 PM   #17
Loyal Site Supporter
Loyal Site Supporter
UncleVanya's Avatar

Join Date: Jul 2014
Photos: Gallery | Albums
Posts: 12,242
QuoteOriginally posted by aleonx3 Quote
Just yahoo and its affiliate (flickr) accounts.
Are you sure? Because the breech info for various emails I typed (most fake) were from many other past breeches including some old ones.

See also:
https://haveibeenpwned.com/About

---------- Post added 09-22-16 at 10:40 PM ----------

QuoteOriginally posted by jpzk Quote
Thanks !
I actually checked a few things and one email address returned "positive" for some breaching ... I was pissed off!
I returned moments later and retyped the very same email address ...no breach! Go figure ???
I would suspect a typo. Nothing I typed changed on rechecking. Try the back button and verify if the two names are identical.

Last edited by UncleVanya; 09-22-2016 at 08:30 PM.
09-22-2016, 08:09 PM   #18
Loyal Site Supporter
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,259
Original Poster
QuoteOriginally posted by jpzk Quote
Is this only for a Yahoo account or for ANY email account?
Any email account. From what I understand, the site keeps a running database of breaches, so it is somewhat of a central location you can check - kind of one stop shopping.

09-22-2016, 08:16 PM   #19
Loyal Site Supporter
Loyal Site Supporter
BigDave's Avatar

Join Date: Sep 2010
Location: Hudson Valley, NY
Photos: Gallery | Albums
Posts: 1,727
Unfortunately, the more we put to the cloud the more we are going to get rained on! 500 MILLION! How'd they miss that?!?

09-22-2016, 08:33 PM   #20
Pentaxian
ChatMechant's Avatar

Join Date: Jun 2010
Location: Santa Cruz Mountains
Photos: Gallery
Posts: 879
Luckily just the email i use for flickr was compromised, so i changed the password. thanks for the heads up.
09-22-2016, 10:15 PM   #21
Pentaxian
Jonathan Mac's Avatar

Join Date: Apr 2009
Location: Madrid, Spain
Posts: 5,044
QuoteOriginally posted by interested_observer Quote
I changed my Flickr password yesterday just in case.

I used that link and it said I'd been "pwned" once, in a breach from last.fm. I have no account at last.fm (I hadn't even heard of it until yesterday) so not sure if someone used my mail to create one (unlikely as I'd get at least some mails) or that link is full of sh*t.
09-23-2016, 03:10 AM   #22
Pentaxian
AussieTrev's Avatar

Join Date: Jul 2010
Location: Queensland
Photos: Gallery | Albums
Posts: 3,437
Deleted my Yahoo account, but found this doesn't delete the Flickr account. Now deleted that but it does delete for 90 days. Don't use either anyway.
09-23-2016, 03:32 AM   #23
Junior Member




Join Date: Mar 2016
Location: Ticino, Switzerland
Posts: 34
QuoteOriginally posted by Jonathan Mac Quote

I used that link and it said I'd been "pwned" once, in a breach from last.fm. I have no account at last.fm (I hadn't even heard of it until yesterday) so not sure if someone used my mail to create one (unlikely as I'd get at least some mails) or that link is full of sh*t.
Until yesterday I could have sworn I didn't have a last.fm account, yet the site said I'd been pwned in a breach from last.fm. I went to last.fm, asked for a new password and there it was, the account I didn't know about. Based on the username, I guess I made the account 10 or so years ago, never used it and then forgot it ever existed.
The account is now closed.

09-23-2016, 05:57 AM   #24
Loyal Site Supporter
Loyal Site Supporter
micromacro's Avatar

Join Date: Jan 2014
Location: Florida
Posts: 3,332
Got the message from yahoo today when tried to log in to my account. Here is what in their security FAQs

"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

"We are notifying potentially affected users by email and posting additional information to our website. Additionally, we are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification."


"We have taken action to protect our users, including:
  • We are notifying affected users.
  • We are asking affected users to promptly change their passwords and adopt alternate means of account verification.
  • We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
  • We are recommending that all users who haven't changed their passwords since 2014 do so.
  • We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
  • Our investigation into this matter continues."


I wonder why it took them 2 years to realize that they have security breach, and who is that country-sponsored actor? Which country?

It's interesting because a couple of month ago I was pushed to change the yahoo password "for security reasons". So, why only now they came out of closet?
09-23-2016, 07:58 AM - 1 Like   #25
Loyal Site Supporter
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,259
Original Poster
QuoteOriginally posted by micromacro Quote
I wonder why it took them 2 years to realize that they have security breach, and who is that country-sponsored actor? Which country?

It's interesting because a couple of month ago I was pushed to change the yahoo password "for security reasons". So, why only now they came out of closet?
I don't know anything specific, but here are some guesses.....
  • State Sponsored Actor - Here is a link that provides a bit of background. Normally, the usual suspects are China, Russia, Iran, Israel, North Korea, etc. Depending on the target you could probably toss in the US, UK, France, Germany as well.
  • Why always cite a state-sponsored actor? Well, if your attacker is a country with resources, they you tend to be able to sluff off some/alot of the blame as in - We are just a commercial company not able to withstand the attack of a well funded nation. It worked pretty well for Sony and their attack. They were able to at least publicly still have their reputation somewhat intact afterwards. On the other hand there are some pretty sophisticated private groups that are as good as state-sponsored actors - they are in it for the money or information that can be used against other targets that will ultimately result in money in some way. They also sell their services to the highest bidder.
  • Why would a state-sponsored actor go after Yahoo, etc.? Well certainly not for bragging rights. They are usually softer targets. As a commercial concern, are they going to spend money to harden their system? I will not say no, but the more they spend on IA (Information Assurance) and security, the less profit they generate. Also, their cost of continuing maintenance goes up, as the system is more difficult to maintain, more moving pieces to it, etc. Now, just as a side note, if these targets are a bit softer, why would you want to put a lot of your information up in the "cloud". The cloud providers cite better security - well Ok, but how much better? and if you really want better security there will be a price attached to it - especially from the cloud provider.
  • What would a state-sponsored actor hope to gain from Yahoo, etc.? Information - and in this instance tons of it, since it was a very fat target. Well, we are all lazy. The first target would be username and passwords sets. Also, the private questions and answers are valuable. They are valuable because they may also be used on other systems that the attacker is more interested in. Yahoo, and others, may be a softer target to crack, extract the information, that then can be used to hit possibly a tougher target. Slurping up 500 million sets of information is a big haul. Just having this in the back room for "future reference" is a tool all into itself. Also, you really never know what you are going to find. Colin Powell used gmail for some of his communication while secretary of state. He may have used the same password or questions/answer sets else where. Even with a little note of "hope you get well soon" to whom ever is information. Who was he sending it to, etc.? You are able to harvest email names and addresses and tie it to actual names of others that may not be apparent. Which leads to the bulk email contents. Parsing through everything is a lot of garbage, but with a haul this large, there will be a lot of gems in it too. You might be sending your self a list of passwords from one system to another - work to home, for what ever reason - bingo! Or other information - just think about it, there are lots of possibilities. General Petraeus was found to be using a commercial bulletin board to setup "appointments" with his mistress. Lots of potential - 500 million items of interest.
  • Why did it take so long? Excellent question. They probably just stumbled over the hack as they said in late 2014. There are lots of questions here. Extracting 500 million information sets, takes some time and consumes a lot of bandwidth. Their system, even with all the activity should have noticed the activity around the data base, and the stream of data leaking out the bottom of the system. But, let's ignore that for now. Once it was found that their system was breached, they might have done absolutely nothing for a while - days, weeks, months - why, well to watch what was going on and to see where the data was going, and to figure out possibly who, how active, was there a schedule - as in every Sunday night at midnight or whatever. Also, they would have in parallel started going back through their logs to see possibly when it started, in-order to have an idea as to how much was taken and what it consisted of. Then, once they decided there was little more to gain, they shut it down and started the cleanup, but then needed to maintain normal operations. But at least 20 months? - that is a long time - actually a very long time, way too long. Someone at Yahoo, needs to address this directly. Who knows - all speculation on my part. I am just up here in the peanut gallery (the cheap seats) watching the circus.
  • A few questions - "in some cases, encrypted or unencrypted security questions and answers." - why were they keeping anything unencrypted - especially security questions? Someone was fired over this. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected." - boy a real twisted sentence. What that means is that someone was working on security and split the system to move the banking/credit card information to another more protected system - but did not finish the job by hardening the Identity Management system. Well, at least they protected the $$$$. That was probably the argument that they used in delaying the public notification - that it did not compromise the credit cards - therefore no notification was necessary.
... I am going to go make my breakfast now....

09-23-2016, 08:11 AM   #26
Loyal Site Supporter
Loyal Site Supporter
micromacro's Avatar

Join Date: Jan 2014
Location: Florida
Posts: 3,332
QuoteOriginally posted by interested_observer Quote
A few questions - "in some cases, encrypted or unencrypted security questions and answers." - why were they keeping anything unencrypted - especially security questions? Someone was fired over this. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected." - boy a real twisted sentence. What that means is that someone was working on security and split the system to move the banking/credit card information to another more protected system - but did not finish the job by hardening the Identity Management system. Well, at least they protected the $$$$. That was probably the argument that they used in delaying the public notification - that it did not compromise the credit cards - therefore no notification was necessary. ...

I am going to go make my breakfast now....
Bon appetite

Well, it also can be simple: they are not telling the whole story, and rely on suggestion that the bank security is better than theirs, so they can assure us that part of data is still protected... by banks
09-23-2016, 09:03 AM   #27
Loyal Site Supporter
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,259
Original Poster
QuoteOriginally posted by micromacro Quote
Bon appetite

Well, it also can be simple: they are not telling the whole story, and rely on suggestion that the bank security is better than theirs, so they can assure us that part of data is still protected... by banks
Banks would not be protecting the credit card data at Yahoo. Banks would be on the lookout for the subsequent use of the credit cards. Where credit card data was actually taken - like at Target. Banks started canceling and sending out new credit cards to customers, and they are now suing Target to cover their bill.

I guarantee you that there is a back story, that will start to leak out - if only due to the size. It always leaks out, one way or another. Also, Verizon who is buying Yahoo (for $4+ Billion) has been doing due diligence for several months now - had to be notified and also more than likely saw the drain of funds going to to some "special" project. The SEC will be interested, no doubt, as well as stockholders on both the Yahoo and the Verizion side, along with the stockholders who forced the sale. Then there will be the story about beleaguered Yahoo CEO Marissa Mayer - mainly because she did so well at Google and flopped at Yahoo. I can almost consider that someone might even be going to jail - for the coverup (too long to report?) not the hack...

The Sony hack spawned several large reports on the story - which in an of itself is very interesting, especially with the Hollywood connections, all the salaries disclosed and the embarrassing emails of who is stabbing who in the back. Was it really North Korea? or was it an inside job as a lot of folks suspect. Technically, there is a story about just the equipment - the servers. No one wanted to take a chance on reuse, so they were destroyed to ensure that the hacks did not propagate elsewhere in some other system.There will also be marketing stories to be told. Various companies who are called in will let it be known that they helped clean it up, or that their software was used to trace, contain or whatever. Target comes to mind...
09-23-2016, 09:15 AM   #28
Site Supporter
Site Supporter
jpzk's Avatar

Join Date: Jan 2009
Location: Québec
Photos: Gallery | Albums
Posts: 7,547
So, I clicked again on this link and re-entered the email address ( Not the Yahoo account - this doesn't show breaching) which was "breached" -- note that I checked twice yesterday and the link returned two breaches as followssee attachments below).
I have deleted the Linkedln (no use to me anyway).
I have no idea with this Adobe "account" since I don't have one with them.
I am also contacting technical support at the provider for the breached account to get more info/suggestion(s) as it is the one I use for all of my personal stuff!
Attached Images
   

Last edited by jpzk; 09-23-2016 at 09:19 AM. Reason: added info
09-23-2016, 09:35 AM   #29
Loyal Site Supporter
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,259
Original Poster
QuoteOriginally posted by jpzk Quote
I have no idea with this Adobe "account" since I don't have one with them.
This is somewhat of an interesting problem - that may be an indication of future activities. If you used XXYJJ as a username and it popped up as pawned in 5 different websites, 2 of which were yours, then you know that at least one other person (or up to 3 other folks) used that same username in 3 other websites. Is it dangerous? - not really, unless someone is after either you or one of them, and wants to spend the time and money to go after one of you.

The technique is called Data Mining.

09-23-2016, 09:47 AM   #30
Site Supporter
Site Supporter
jpzk's Avatar

Join Date: Jan 2009
Location: Québec
Photos: Gallery | Albums
Posts: 7,547
QuoteOriginally posted by interested_observer Quote
This is somewhat of an interesting problem - that may be an indication of future activities. If you used XXYJJ as a username and it popped up as pawned in 5 different websites, 2 of which were yours, then you know that at least one other person (or up to 3 other folks) used that same username in 3 other websites. Is it dangerous? - not really, unless someone is after either you or one of them, and wants to spend the time and money to go after one of you.

The technique is called Data Mining.

Interesting indeed.
I have also run a total check on most of my usernames (in different sites used) and none of them returned a breach.
Since I have already closed the Linkedln account, no worries there. As for the Adobe .... well ???
Also, I called the internet provider here for my personal account and had a good chat with tech support: they are/have been well aware of this problem and, in a nutshell, have taken steps for that. No compromising situations this far.
Thanks for the reply!
Reply

Bookmarks
  • Submit Thread to Facebook Facebook
  • Submit Thread to Twitter Twitter
  • Submit Thread to Digg Digg
Tags - Make this thread easier to find by adding keywords to it!
accounts, address, breach, data, email, million, photography, sources, user, yahoo
Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads
Thread Thread Starter Forum Replies Last Post
Yahoo (Flickr) exploring sale of core businesses monochrome General Photography 19 07-27-2016 10:52 PM
Is there a need to store data for 14 billion years? boriscleto General Talk 22 02-22-2016 05:09 PM
How Yahoo Killed Flickr and Lost the Internet interested_observer Photographic Industry and Professionals 7 05-20-2012 07:30 PM
Flickr, from Yahoo! jct us101 General Talk 50 09-25-2009 02:41 PM
Flickr and Yahoo Photo Merger fletcherkane Photographic Technique 3 09-04-2007 01:47 PM



All times are GMT -7. The time now is 12:09 AM. | See also: NikonForums.com, CanonForums.com part of our network of photo forums!
  • Red (Default)
  • Green
  • Gray
  • Dark
  • Dark Yellow
  • Dark Blue
  • Old Red
  • Old Green
  • Old Gray
  • Dial-Up Style
Hello! It's great to see you back on the forum! Have you considered joining the community?
register
Creating a FREE ACCOUNT takes under a minute, removes ads, and lets you post! [Dismiss]
Top