So, Yahoo got hacked again. It’s a new, bigger breach than the one Yahoo most recently admitted to, and over a billion user accounts have been compromised. Yahoo’s complete lack of adequate security — and the company’s habit of keeping these things quiet for literally years after they’ve happened — is a bit of a running joke in the tech community. For a Yahoo user, though, it’s really no laughing matter.
I have a confession: I knew Yahoo had been hacked, again. In fact, I knew of Yahoo’s re-hacking back in September. For those of us that still use Yahoo services for any reason — I use it strictly for account sign-ups that I don’t give a damn about — knowing that Yahoo suffered another massive breach didn’t take any detective work; we simply had to look at our email.
If you have two-factor authentication on your email account (and you really, really should), Yahoo sends you a neat little automated message every time it thinks you mistakenly locked yourself out of your account. It tells you where “you” tried to sign in from, using your password, and suggests that you create an app password to verify your identity.
Here’s all of the people who have attempted to break into my Yahoo account, as well as their locations:
If I had to guess, I’d say the attempts back in 2014 and 2015 were likely related to the hack that Yahoo disclosed back in September. That user data seemed to have been floating around for some time, and it was clear that something was amiss for many months. Those who had access to the data were combing through and trying each account one by one, and a new would-be attacker hit my two-factor authentication wall almost monthly.
Then, in early 2016, those attacks tapered off. Stories that Yahoo had been hacked began to pop up later in the year and Yahoo finally admitted it in September. But before Yahoo even came out and told users about that attack, a new wave of unauthorized sign-ins started to hit my account. One in August, and then several more in September, October, and December.
Then, this week, Yahoo comes out and says that an all-new batch of user data is floating around out there, unrelated to the attack it disclosed in September and somehow even bigger. You can imagine how unsurprised I was when I heard the news.
The new breach is thought to be from an attack that occurred before the previously disclosed breach, but since law enforcement just identified it in November, it’s reasonable to assume the information was just recently spread, leading to the rush of “Unexpected Sign-In Attempts” I began seeing in August and September.
As for the location of the attackers, there’s also an interesting trend. The initial batch of attackers comes largely from the United States and India, while the most recent would-be hackers arrived at my account from China and Russia. Yahoo says that this newly disclosed, billion-account hack was “state sponsored,” so maybe that’s not all that surprising.
At this point, all I can do is laugh. Whenever Yahoo announces its next data breach — and, let’s be honest, it’s going to happen again — you can bet it won’t be news to Yahoo users. We apparently know about Yahoo’s bad news before Yahoo even does.