FBI probes possible hacks targeting phones of Democratic Party staff

The FBI has approached a handful of Democratic Party officials over concerns that their mobile phones may have been hacked as recently as the past month, unnamed sources have told Reuters.

The news comes a day after Department of Homeland Security (DHS) Secretary Jeh Johnson told lawmakers that, in response to the threat of foreign interference in US elections, 18 states have asked the DHS for advice on how to protect voting technology from cyber tampering.

The investigation into mobile phone hacking is just the latest sign of the widening scope of criminal inquiries into cyberattacks on both major US political parties.

One such incident was the breach of the Democratic National Committee (DNC): an attack that led to a political firestorm.

In July, just days before the Democratic Convention in Philadelphia, WikiLeaks released nearly 20,000 emails that it said came from the accounts of top DNC officials.

It’s not clear how many mobile phones the FBI thinks have been compromised, nor whether the targets include members of Congress.

Two people with knowledge of the investigation told Reuters that US officials suspect the attacks are coming from intruders backed by the Russian government.

Officials also suspect Russia of backing the earlier attacks on the DNC.

Russian President Vladimir Putin has denied knowing anything about the attacks.

Last week, California Senator Dianne Feinstein and California Representative Adam B. Schiff – the ranking Democrats on the Senate and House intelligence committees, respectively – issued a statement accusing Russia of a campaign to disrupt the election.

From the statement:

At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes. We believe that orders for the Russian intelligence agencies to conduct such actions could come only from very senior levels of the Russian government.

CNN reports that law enforcement officials have reached out to Democratic staffers about “imaging” their phones as they search for evidence – such as malware – of the hacking.

CNN quoted interim DNC Chairwoman Donna Brazile, who said that the organization is still fighting the attacks that it announced in June:

Our struggle with the Russian hackers that we announced in June is ongoing – as we knew it would be – and we are choosing not to provide general updates unless personal data or other sensitive information has been accessed or stolen.

–News collected and synced by Info Security Solution Kolkata,

Why a massive DDoS attack on a blogger has internet experts worried

Someone on the internet seems very angry with cybersecurity blogger Brian Krebs.

On 20 September, Krebs’ website was hit with what experts say is the biggest Distributed Denial of Service (DDoS) attack in public internet history, knocking it offline for days with a furious 600 to 700 Gbps (Gigabits per second) traffic surge.

DDoS attacks are a simple way of overloading a network router or server with so much traffic that it stops responding to legitimate requests.

According to Akamai (which had the unenviable job of attempting to protect his site last week), the attack was twice the size of any DDoS event the firm had ever seen before, easily big enough to disrupt thousands of websites let alone one.

So why did someone expend time and money to attack a lone blogger in such a dramatic way? Krebs has his own theories, and the attack follows Krebs breaking a story about the hacking and subsequent takedown of kingpin DDoS site vDOS, but in truth nobody knows for certain and probably never will.

DDoS attacks, large and small, have become a routine fact of internet life.

Many attacks are quietly damped down by specialist firms who protect websites and internet services.

But the latest attack has experts worried all the same.

Stop what you’re doing

DDoS attacks first emerged as an issue on the public internet in the late 1990s, and since then have been getting larger, more complex and more targeted.

Early motivations tended towards spiteful mischief. A good example is the year 2000 attacks on websites including Yahoo, CNN and Amazon by ‘MafiaBoy’, who later turned out to be 15-year-old Canadian youth Michael Calce. Within weeks, he was arrested.

Things stepped up a level in 2008 when hacktivist group Anonymous started an infamous series of DDoS attacks with one aimed at websites belonging to the Church of Scientology.

By then, professional cybercriminals were offering DDoS-for-hire ‘booter’ and ‘stresser’ services that could be rented out to unscrupulous organizations to attack rivals. Built from armies of ordinary PCs and servers that had quietly been turned into botnet ‘zombies’ using malware, attacks suddenly got larger.

This culminated in 2013 with a massive DDoS attack on a British spam-fighting organization called Spamhaus that was measured at a then eye-popping 300 Gbps.

These days, DDoS is often used in extortion attacks, where cybercriminals threaten organizations with crippling attacks on their websites unless a ransom is paid. Many are inclined to pay up.

The Krebs effect

The discouraging aspect of the Krebs attack is that internet firms may have thought they were finally getting on top of DDoS at last using techniques that identify rogue traffic and more quickly cut off the botnets that fuel their packet storms.

The apparent ease with which the latest massive attack was summoned suggests otherwise.

In 2015, Naked Security alumnus and blogger Graham Cluley suffered a smaller DDoS attack on his site, so Krebs is not alone. Weeks earlier, community site Mumsnet experienced a DDoS attack designed to distract security engineers as part of a cyberattack on the firm’s user database.

At the weekend, Google stepped in and opened its Project Shield umbrella over Krebs’ beleaguered site. Project Shield is a free service launched earlier in 2016 by Google, specifically to protect small websites such as Krebs’ from being silenced by DDoS attackers.

For now it looks like Google’s vast resources were enough to ward off the unprecedented attack, but it’s little comfort to know that nothing short of the internet’s biggest player was the shield that one simple news site needed.

With criminals apparently able to call up so much horsepower, the wizards of DDoS defence might yet have to rethink their plans – and fast.


The UK’s electronic communications watchdog has just clamped down on a company accused of mass spamming.

Intelligent Lending Limited has been fined £130,000 (about $170,000) over the matter of close to 8 million unsolicited SMSes that it sent over a six month period in 2015.

The messages looked like this:

Ocean now offers a credit card powered by XXXXXX. www.oceanXXXXXX.co.uk/XXXX To opt out txt STOP to 81818.

According to the Information Commissioner’s Office (ICO), the spammers claimed that they’d complied with the letter and the spirit of the rules by buying in a list of mobile phone numbers for consumers who had already consented to receive SMS ads.

The ICO disagreed, arguing that consent couldn’t be that vague:

Consent within the meaning of [the relevant regulation] requires that the recipient has notified the sender that he consents to messages being sent by […] the sender.

Indirect, or third-party, consent can be valid but only if it is clear and specific enough.

The onus, said the ICO, is on the sender who buys in a mailing list to determine that the consent given by the people who are on that list is “sufficiently clear and specific” for the purpose at hand.

Just how specific this consent needs to be isn’t explicitly stated, but we’re assuming that if you’ve agreed to receive ads about hiking boots, then a sender who subsequently targets you with special offers for rucksacks or tents would probably be in acceptable territory.

On the other hand, we’re guessing that a sender who tried to sell you credit – or plumbing services, or property investment opportunities – on the back of your interest in hiking would be overstepping the mark.

At any rate, in this case, the ICO judged that the sender didn’t have consent, and therefore knowingly contravened the UK’s rules about electronic messaging.

What you can do to help

There’s a popular, and understandable, perception that it’s just too hard, and not worthwhile, to try to report spam messages to the authorities, especially SPASMS (which is what we jocularly call spam that arrives via SMS).

However, there’s an easy way to make your voice heard in the UK: you can report SPASMS by simply forwarding them to the phone number 7726. (That short-code number is easy to remember: it spells out SPAM.)

In this case, reports to 7726 made a big difference.

The ICO treated this as a serious contravention because close to 2000 people actively flagged the messages as spam. (1896 used the 7726 short-code; 25 reported the messages directly to the ICO.)

If you’re a business, you can help at the other end of the messaging chain by taking your electronic marketing responsibilities seriously.

When it comes to the concept of “consent,” make as certain as you can that your recipients really have agreed to hear from people like you about the products and services that you’re trying to sell.

As fellow Naked Security writer Mark Stockley wryly put it, “Don’t ask if you can borrow someone’s bicycle and then take their car instead.”

Major bank attacks thwarted by SWIFT thinking

Remember last March’s online $81 million Bangladesh Bank heist? The one where everyone was pointing fingers at everyone else?

A few of those fingers were pointed at SWIFT, the global messaging system used by over 11,000 financial institutions in over 200 countries to securely communicate financial payment instructions. Turns out there have been several more attacks since then – and SWIFT’s responding by significantly toughening the rules its member institutions must follow.

At SWIFT’s annual conference this week, SWIFT CEO Gottfried Leibbrandt briefly described recent breaches that hadn’t been publicized before:

A few months ago… one of our banks had been alerted by their clearing correspondent that there was something fishy with their transactions. And we worked in real-time with [them] to retrieve messages, compare them, and indeed we found that the bank had been compromised… payment reports had been altered, as per the modus operandi.

Next day… the clearing correspondent had found that the ultimate beneficiary of these fraud transactions, the mule account, featured in transactions of yet another bank. We contacted that bank, and [it] too had been compromised.

A few weeks later, another case. This bank had the latest anti-virus and had the latest security patches on our software, and alerts on both [AV and Swift software] prevented further fraud from happening as well.

Leibbrandt concluded that, because SWIFT and the banks involved were alert and cooperated closely, nobody lost any money. However, he also stressed that this does not mean the problem can be swept under the carpet and forgotten about: there have been other successful attacks, and there will continue to be more in the future as they get more sophisticated.

What to do? Leibbrandt compared the current plague of cyberattacks with the spread of dangerous physical diseases throughout history, in which human beings “turned this existential threat into a manageable nuisance, by innovation.”

He compared the financial industry with modern medicine, noting that doctors don’t always wash their hands sufficiently before surgery, even though they know it could prevent many infections:

So we also need basic hygiene – multifactor authentication, securing your credentials, updating your operating system software – [but] we’ll need a little pressure for that compliance.

Banks will soon have to “self-attest” their compliance with SWIFT’s forthcoming set of “objectives, principles, and controls.”

Leibbrandt continues…

We’ll make that transparent, and back it up with internal and external audits, and the results will be made available to local regulators and counterparties [you] do business with, so you can check whether your counterparty has ‘washed his hands for dinner so to speak.’

ComputerWorld reports that these rules aren’t quite locked down yet but after two months of consultations, due to begin at the end of October, the final details will be published next March.

In a press release, SWIFT said self-attestations would start soon afterwards. Then:

…inspections and enforcement will begin on 1 January 2018, when customers’ compliance status will be made available to their counterparts, ensuring transparency and allowing firms to assess risk of counterparts with whom they are doing business.

From January 2018, SWIFT will report the status of any non-compliant customers to their regulators, and randomly select customers who will be required to provide additional [audit] assurance.

In addition, customers will also be able to choose to disclose their compliance with a further 11 advisory controls.

Along with these mandates, Leibbrandt encouraged financial institutions to “share and prepare.” He added that, in the intensely global financial ecosystem…

What happens to one institution in one geography may well happen to another on the other side of the globe.

Share the details if you’ve been breached so we can make the indications of compromise and modus operandi available to others on an anonymous basis… so [they] can prepare for similar attacks.

United we stand: amen to that.


Last week, some e-creep emailed The Sun with an offer: for “a minimum of £50,000”, handed over within 48 hours, he’d sell the publication intimate photos that he claimed to have weaseled out of Pippa Middleton’s iCloud account.

In fact, the man alleged he was in possession of 3,000 images of the Duchess of Cambridge’s sister, plus personal information, including:

  • Pippa in fitting appointments for her wedding dress, along with secret details of the wedding venue, guest list and thoughts.
  • Pictures of Kate and the Royal Family with the royal children.
  • Private pictures of Pippa with her fiancé, James Matthews, plus nude pictures of James.

To prove he was legit, the crook, who called himself “Crafty Cockney,” used the encrypted WhatsApp messaging service to send two photos showing the socialite at what appeared to be her wedding dress fitting session.

A third picture showed Pippa’s mother in the aisle of what The Sun presumed to be the church where the wedding may take place.

The Sun didn’t bite. Instead, it alerted Pippa.

She and James responded with horror, the publication said, and called in lawyers and the police.

Now, the High Court has got involved, issuing a ban on publication of the stolen photos.

According to the BBC, Pippa Middleton took civil court action against a “person or persons unknown” after her account was believed to have been broken into.

Late on Saturday, police arrested a 35-year-old man in Northamptonshire on suspicion of an offense under the Computer Misuse Act.

He was then released on bail, pending further inquiries.

Attorney Adam Wolanski, who’s heading up Middleton’s legal team, said she thought there had been a “genuine hack”.

He called it a “flagrant” and “criminal” act that has caused Middleton “considerable distress.”

Amazing that the e-thieves are still jumping celebrities.

Following the 2014 mass-mugging known as Celebgate, two men have pleaded guilty to stealing nude photos from the likes of Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele and Hilary Duff.

This week, Illinois resident Edward Majerczyk pled guilty to a felony violation of the Computer Fraud and Abuse Act, admitting to “unauthorized access to a protected computer to obtain information.” The statutory maximum for the crime is 5 years.

His guilty plea followed on the heels of another similar but unconnected plea: Pennsylvanian Ryan Collins. Though the charges against both men are very similar, Collins and Majerczyk were apparently operating independently.

In another celebrity nude investigation, the US government seized a Chicago man’s computers.

None of those cases, apparently, are related to yet another celebrity hacking prosecution: that of Alonzo Knowles’ guilty plea in New York for stealing new screenplays and sex videos from celebrities… nor of the felony hacking conviction of Andrew Helton in Oregon for similar hacking of celebrity-owned Apple and Google accounts.

Persistent devils, aren’t they? In spite of all of these busts, the crooks keep breaking into people’s phones.

Be that as it may, the cops are just as persistent.

Enjoy the photos while you can, e-creeps. In fact, enjoy your mobile phones while you can: in prison, they’re contraband!

Image of Pippa Middleton courtesy of Twocoms / Shutterstock.com

Mozilla to take action against WoSign’s woeful cryptographic blunders

A month ago, we wrote about a serious cryptographic blunder by a company that really ought to have known better.

That company was WoSign, a Chinese certificate authority, or CA.

As we explained back in August 2016, a CA’s primary job is to vouch for security certificates on your behalf.

Imagine, for example, that you want a digital certificate you can use on your website to assert your identity, or a certificate you can use to sign your software to stop crooks making imposter copies and passing them off as yours.

You can create and sign your own certificates, which is a start, but no one’s browser or operating system will trust them by default, so your users will see security warnings like this one when they visit your website:

But if you create a certificate and a trusted CA signs it for you – a CA that is already on the list of trusted root authorities in your browser or your operating system – then you will automatically be trusted, too.

This chain of trust is a key component of TLS, the system that puts the padlock in your browser.

WoSign, it turned out, wasn’t very careful about how it vouched for its customers’ websites.

A user found this out when he applied for a certificate vouching that he was authorised to run a specific subdomain of the University of Central Florida, namely the medical faculty’s site med.ucf.edu.

To his surprise, he also ended up with a certificate vouching that he owned the University’s main website, at www.ucf.edu, even though that server was outside his bailiwick.

Even more alarmingly, he applied for a certificate for a subdomain he owned on the well-known public code hosting service Github, and ended up with a certificate for all of github.com and github.io, too. (He also got www.github.io, just to make matters worse.)
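An added example, not from the article and not WoSign’s or Mozilla’s code, of the scope check a CA’s issuance pipeline (or an auditor reviewing issued certificates) could run to catch exactly the failure described above: every name a certificate vouches for must lie within a domain the applicant actually proved control of. The containment rule, the `alice.github.io` name and the input lists are constructed for this example from the two cases in the article.

```python
"""Domain-validation scope check: flag Subject Alternative Names that fall
outside what the applicant validated (an assumed rule for this example, not
a transcription of any CA's policy):

  * a validated name authorizes itself and any deeper subdomain of it;
  * a wildcard '*.x' is authorized only if 'x' itself was validated;
  * the parent or a sibling of a validated name is never authorized.
"""
from typing import Iterable, List


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop surrounding whitespace and a trailing dot
    return name.strip().rstrip(".").lower()


def name_is_covered(san: str, validated: Iterable[str]) -> bool:
    """True if `san` is within the scope of at least one validated domain."""
    san = _norm(san)
    if san.startswith("*."):
        # '*.x' stands for every child of 'x', so issuing it requires control
        # of 'x' itself, not merely of one child such as 'me.x'.
        base = san[2:]
        return any(_norm(v) == base for v in validated)
    for v in validated:
        v = _norm(v)
        if v.startswith("*."):
            continue  # validation records are concrete names, never wildcards
        # exact match, or a strictly deeper label under the validated name;
        # the leading '.' stops 'evilmed.ucf.edu' from matching 'med.ucf.edu'
        if san == v or san.endswith("." + v):
            return True
    return False


def over_issued_names(san_list: Iterable[str], validated: Iterable[str]) -> List[str]:
    """Return the SAN entries the certificate must NOT contain, given what the
    applicant validated. An empty list means the issuance is in scope."""
    validated = list(validated)
    return [s for s in san_list if not name_is_covered(s, validated)]


# Constructed inputs modelled on the article: the applicant proved control of
# one subdomain, but the certificate also named the parent organisation's main
# site, or a whole hosting provider's domains.
UCF_CASE = {
    "validated": ["med.ucf.edu"],
    "sans": ["med.ucf.edu", "www.ucf.edu"],
}
GITHUB_CASE = {
    "validated": ["alice.github.io"],  # hypothetical user subdomain
    "sans": ["alice.github.io", "github.com", "github.io", "www.github.io"],
}
CLEAN_CASE = {
    "validated": ["med.ucf.edu"],
    "sans": ["med.ucf.edu", "portal.med.ucf.edu"],
}

if __name__ == "__main__":
    for label, case in (("ucf", UCF_CASE), ("github", GITHUB_CASE), ("clean", CLEAN_CASE)):
        extra = over_issued_names(case["sans"], case["validated"])
        print(f"{label}: {'OK' if not extra else 'OVER-ISSUED ' + ', '.join(extra)}")
```

The same check, run by a relying party over its own inbound certificates, turns an over-issuance like the ones above into an alert instead of a silently trusted impersonation key.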

This all came to light in a series of discussions in Mozilla’s security policy discussion forum last month.

Commenters on Naked Security were almost universally in favour of kicking WoSign out of the privileged club of trusted CAs without further delay:

Bryan: A CA should absolutely be excommunicated if they can’t rapidly right their wrongs and document quite publicly that it’s being done.

Blake: If Mozilla maintains WoSign in their default trusted CA list, that’s a statement that Mozilla believes WoSign is trustworthy. Personally, I have doubts about any organization that makes repeated mistakes, and doesn’t own up to them, being included in this small circle.

Bbusschots: How can anyone have any faith in the CA system if breaches of the rule don’t have consequences? This CA literally put the entire internet at risk, and it looks to me like they simply do not understand the magnitude of their failings.

Tony Cross: The key word here is ‘trust’. WoSign have clearly demonstrated that they can’t be trusted. That’s the bottom line.

Mozilla has now published a lengthy overview of WoSign’s failings, which go beyond just giving a random person the key to impersonate all of Github, and it makes depressing reading.

Amongst other things, it seems that WoSign also:

  • Backdated certificates to beat a deadline banning the use of the now-deprecated SHA1 hashing algorithm.
  • Acquired another CA called StartCom without reporting the change of ownership, as required by Mozilla.
  • Denied the change in ownership when questioned.

Unsurprisingly, Mozilla’s slow-but-steady conclusion mirrors the off-the-cuff opinions stated by Naked Security readers a month ago:

Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA.

What next?

You can probably guess what happens now, at least for users of Mozilla products based on Mozilla’s own list of trusted CAs, such as the Firefox browser and the Thunderbird email client.

WoSign gets kicked out of the trusted CAs’ club, right?

Mozilla is still taking the softly-softly approach:

Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by the [WoSign or StartCom] CA brands.

In other words, any certificates already issued will continue to be trusted, and even those that the company issues in the future will still be trusted until a future date to be set at a future date.

What do you think?

Does the CA ecosystem need a softly-softly approach that minimises disruption, or the occasional short, sharp shock that sets the strictest standards?


DCLeaks, the same site that leaked Colin Powell’s embarrassing emails, has published what are purportedly personal emails from a White House staffer, including a scan of, allegedly, Michelle Obama’s passport.

First things first: Is it real?

Twitter users are pointing out that the purported passport is only good for 5 years, whereas most adult passports in the US are good for 10. I’ll update the story once I ascertain that.

That doesn’t make it fake. Government employee passports are reportedly only good for 5 years.

The emails appear to be those of a staffer whose LinkedIn profile lists his job title as Advance Associate at the White House. He’s worked there since April 2015 and also appears to work for the Clinton campaign as an event organizer.

The emails, sent between February 2015 and July 2016, were apparently taken from the staffer’s personal Gmail account.

A Secret Service spokeswoman told Politico that the agency was “aware of the alleged email hacking of a White House employee” but declined to say whether it’s investigating.

Attorney General Loretta Lynch told reporters that the Department of Justice (DOJ) is “aware of those media reports” and is looking into the matter.

White House spokesman Josh Earnest declined to discuss the leak at his daily briefing but said that officials are looking at the information that’s been disclosed.

Obviously we take any reports about a cyber breach seriously, particularly if it may include some sensitive information.

The staffer’s personal email was posted Tuesday by DC Leaks, and the passport image went up on Wednesday.

As well as Colin Powell’s intimate emails, DCLeaks has also previously posted pilfered emails allegedly coming from other Clinton campaign workers and some Republican lawmakers who’ve criticized the Russian regime, including Sens. John McCain, Lindsey Graham and Michele Bachmann.


Google is well aware that the hair-raising comments of YouTube users have turned the service into a fright fest.

It’s tried to drain the swamp. In February 2015, for example, it created a kid-safe app that would keep things like, oh, say, racist/anti-Semitic/homophobic comments or zombies from scaring the bejeezus out of young YouTubers.

Now, Google’s trying something new: it’s soliciting “YouTube Heroes” to don their mental hazmat suits and dive in to do some cleanup.

You work hard to make YouTube better for everyone… and like all heroes, you deserve a place to call home.

This video explains the program:

As they climb up the ladder, earning points for do-gooderism and advancing to higher levels, the Heroes will get access to a dashboard for online moderation, access to exclusive workshops and “Hero hangouts,” and sneak previews of YouTube product launches and test products before they’re released to the general public.

Other perks they can gain along the way include access to “super tools,” such as the ability to mass-flag videos.

YouTube announced the program in a post on its help channel on Wednesday.

Here’s what it’s asking volunteers to do:

Doing those tasks will earn users points that they can use to get the perks in this new crowdsourcing program.

To participate, you have to agree to and comply with the YouTube Heroes Program Rules.

Google says the program, offered everywhere YouTube is available, is currently in beta and subject to change.

Our goal is to have a positive impact on our users, and we look forward to refining the Program as it continues.


The growth in the number of government requests for user information that Twitter received over the past 6 months has slowed dramatically from its rapid increase over the past few years, according to its latest transparency report.

Government requests for account information were up only 2% more – and affected 8% more accounts – during the first half of 2016 than in the previous 6 months.

That’s a modest increase when compared with the past two years. In 2014, governments were practically tripping over themselves to get at Twitter user information, with Twitter seeing a 46% increase in data requests.

Likewise, we saw a double-digit increase in 2015. Last August, Twitter said that requests had surged by 52% over the previous six months.

Twitter says the slowdown may have been brought about by a decrease in the number of requests coming from the US – the most voracious data gobbler out there.

During the most recent reporting period, US requests shrank for the first time: they were down 152 requests compared with the second half of 2015.

There was also a 34% decrease in requests coming from Turkey compared with the last report.

In the past six months, Twitter says it received 5,600 requests for information on 13,152 accounts around the world, mostly in the form of subpoenas.

The company also received 5,195 government requests to remove information from 20,571 accounts, with nearly 80% of those requests coming from Turkey and Russia. Twitter says it withheld or removed content in response to 16% of government requests.

Maybe its appetite has slacked, but the US sure isn’t fasting: it’s still the top data devourer globally. Of all the requests Twitter received over the past 6 months, 44% came from the US.

Japan has risen to the second spot, submitting 13% of requests: a 64% increase over the last reporting period.

The United Kingdom, France, and Turkey are still in the top five of requesting countries.

Twitter said that there was a notable spike in requests coming from Belgium – 67% – and a 61% increase in requests from Germany. The company said that the increase in requests from Belgium was related to the March 2016 terror attacks in Brussels.

Twitter messaging has proved central not just to tracking down extremists but also to unearthing terrorist attacks.

One example of that insight has come from Dataminr – a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks.

The Twitter-fueled service – the only company Twitter authorizes to get at its entire public stream and sell it to clients – managed to alert US intelligence to the Brussels attacks 10 minutes before media were on it.

Twitter announced last month that it had suspended 235,000 accounts that it said were used to promote or threaten such terrorist attacks.

That’s in addition to the 125,000 suspensions announced in February, in which the accounts were primarily related to the so-called Islamic State (IS).

Twitter handed over some information in 82% of the 2,520 requests it received from the US over the past 6 months. It also complied with 98 out of 281 takedown requests from the US.

At a combined state and federal level, Twitter received the most requests from California, New York, and Virginia.

The top US requesters were the Federal Bureau of Investigation (FBI), the Secret Service, and the New York County District Attorney’s Office. Twitter also received 25 information requests, emergency and non-emergency combined, from US embassies abroad.

As always, the transparency report doesn’t include national security requests, given that those letters come with gag orders.

Twitter could report those requests in “large, opaque bands,” but it’s chosen not to. In fact, it’s taken the matter up in a lawsuit against the US government.

The lawsuit, Twitter v. Lynch, is a First Amendment challenge to the government’s refusal to permit Twitter to publish granular information about national security demands.

Twitter’s seeking to include quantitative information about national security demands in its transparency reports. The company says it expects discovery to commence in the coming months as it seeks more information about how the government classifies its data requests.


Yahoo last night confirmed earlier reports that information pertaining to an unprecedented “at least” half a billion user accounts was stolen in a 2014 breach.

That may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the password-hashing function bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo says the breach didn’t include unprotected passwords, payment card data, or bank account information. The company says it doesn’t store payment card data or bank account information in its system.

It’s blaming an unspecified “state-sponsored actor.” The FBI has confirmed that it’s investigating the attack.

Three unnamed US intelligence officials told Reuters that they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting under their command.

News of a possible major attack on Yahoo first emerged in August, when Peace – the infamous dark-web purveyor of humongous data sets that date back years – was trying to sell information on 200 million Yahoo accounts.

For some reason, Yahoo didn’t call for a mandatory password reset when news of the attack first broke last month.

Somebody familiar with the matter told Reuters that the August report turned out to be false, though Yahoo’s investigation did in fact uncover the separate 2014 theft.

The company said in a statement at the time that it was “committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”

Those facts: Peace – who goes by peace_of_mind in the dark markets, or simply “Peace” – is the same person who has recently gone online to sell data sets from years-old breaches at Tumblr, LinkedIn and MySpace.

The Yahoo haul dwarfs them all, according to Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned.

What to do?

Change your password.

Yes. If you haven’t changed it since 2014, do it now.

And change that password on any other sites you use. Make sure each online account has a different password, and make them all strong.

Also, it’s a good time to change your security questions. If you’re one of the half a billion users who’s been affected by the breach, you won’t have a choice about that, since Yahoo’s gone and invalidated your security questions for your safety.

From Yahoo’s statement:

Yahoo is notifying potentially affected users and has taken steps to secure their accounts.

These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.

Why did it take 2 years to uncover?

Huge breached data sets emerging years after attacks have become a bit of a trend recently.

Over the past few months, we’ve seen multiple massive data sets put up for sale online, all dating back to breaches that are pretty ripe.

To wit, the 500 million accounts affected in the Yahoo breach top these 10 previous breaches, as listed by haveibeenpwned.com:

  • MySpace: 359 million accounts
  • LinkedIn: 164 million accounts
  • Adobe: 152 million accounts
  • Badoo: 112 million accounts
  • VK: 93 million accounts
  • Dropbox: 68 million accounts
  • Tumblr: 65 million accounts
  • iMesh: 49 million accounts
  • Fling: 40 million accounts
  • Last.fm: 37 million accounts

There are rumblings about why Yahoo waited so long to disclose the attack.

Recode first reported on Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.

Democratic Senator Mark Warner, a former technology executive, on Thursday issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He called for a federal “breach notification standard” to replace data notification laws that vary by state. The senator also said he was “most troubled” that the public was only learning of the incident now, two years after it happened.

Image of Yahoo courtesy of Ken Wolter / Shutterstock.
