21 comments

[ 2.8 ms ] story [ 58.4 ms ] thread
Wow.... i can't imagine what if something like this will happen to Google or Facebook. If it happened to Yahoo, why not to them?
Yahoo! Japan is an entity separate from Yahoo!. It is a joint venture between Yahoo! and SoftBank (a Japanese telecom).

And to put this in context, IT in Japan is about a decade behind the West.

Hopefully the newer generation of companies (GREE, DeNA, Line, etc) will change the way things are, acting as a catalyst.
This is a gross generalization.

Sure, plenty of companies are behind. But quite a few are too in the US... http://www.pcworld.com/article/249951/if_it_aint_broke_dont_...

I'm also not sure that "new" means more secure in this kind of context either. LinkedIn ain't exactly ancient and had a similar breach last year.

I would characterize the comment as more like "Attitudes towards development practices are a decade behind" (rather that the tech itself necessarily) which sounds pretty accurate[1] for most Japanese companies that are not part of the newer "Gree" wave.

[1] Anecdotal data etc etc.

What you're stating is a gross generalization and untrue in a literal sense (probably easy to realize if you remember how things were a decade ago).

While Y!J and Y!Inc are separate entities, the former does borrow/use technology from the former and some of the Y!J services use Y!Inc servers and/or services maintained by Y!Inc.

Y!J user ids are completely separate from Y!Inc though (Y!Inc ids are shared through out the Y! locales).

It's been almost a decade since I was at Y!J, but from what I understand Y!J does continue to leverage the Y!Inc relationship for services and servers.

Additionally, simply stating that old technology is the reason for a security breach could be a red herring, it isn't always the age of the technology but how it is implemented.

I was under the impression that Yahoo Japan and Yahoo are distinct entities. Do the two services actually share common infrastructure?
Yes, they share some common infrastructure.
It's happened to both. Normally this doesn't get out and is the result of a phishing scam.
(comment deleted)
This sort of thing happens pretty regularly though nothing of this scale. While I was at Yahoo! we dealt with 3M compromised accounts.

I feel for all the engineers involved in resolving this issue. We had a team of 3 or 4 working on the resolution for a few weeks.

It's normally the result of a successful phishing attack. The affected users probably have no idea their accounts were compromised.

out of curiosity, how do you go about "resolving" such a situation?
At Yahoo! there's a dedicated security team that handled identifying the exact cause and worked with us to resolve it.

To identify compromised accounts we looked for profile photos matching a certain md5. The attackers were using the accounts for viagra links and updated compromised account profile photos with one of about 50 photos.

Once we identified the accounts they were "quarantined". But the attackers got smart and started shifting a pixel so that the md5 wouldn't match our set of known bad photos.

There were other patterns we identified to isolate the compromised accounts but it was ongoing which meant as we cleaned up accounts the attackers adapted.

For the 3M accounts a bit was flipped in their account. The membership team which handles logins handled the first step of the compromised user signing in. They redirected the user to a specific page that took them through a password reset flow. It wasn't the standard password reset flow. After all, we couldn't know if it was the attacker or the user logging in.

This was all a while back but it was more or less something along those lines. It was not fun.

Claiming that this affects "10% of all Yahoo accounts" or that the breach in June 2012 is related is disingenuous---Yahoo and Yahoo Japan connected in brandname only ("Yahoo" accounts are not valid "Yahoo Japan" accounts, and vice versa).
I agree -- in the headline, I took the number directly from the article as they stated "[t]he potential data breach affects 10% of Yahoo's user base."

Another article clarifies that the total number of Yahoo Japan accounts as 200 million, so it was actually 10% of all Yahoo Japan accounts. My apologies for contributing to that impression.

It had never occurred to me that "User IDs" were all that confidential. At the very least, the MTA pool will usually let you know (Just checked, Yahoo's MTA does), so, if you are patient, and don't trigger its anti-DOS mechanisms (usually by using a botnet to slowly, ever so slowly query them) - you can brute force quite a few account names.
Japan's IPA (Information-technology Promotion Agency) include in their general application development guidelines that user ID's should not be email addresses for the exact reason that they "are easy to guess".

I spent some time arguing that this was a silly requirement but in the end I had to change my program to use non-email address user IDs (which no one can remember as they are specific to this application... )

The article has a few things that aren't correct, as posted by other users.

If you are using Yahoo! Japan, check out the feature I was in charge of... alerting you when you have a login event on your account from a new device, and possibly locking your account: http://login.yahoo.co.jp/alert/intro

I have a Yahoo Japan ID. The day after this was announced I got an email from Yahoo japan with a subject that translates "Requesting regular password changes." I expected some kind of explanation or apology but the email didn't even mention that there was a breach. It just went on about how I should change my password from time to time and keep my passwords safe by not using on other sites etc. Given the news I found it kind of rude for them to act like nothing happened, yet ask me to be more careful with my password.

パスワードを定期的に変更しましょう! Let's be sure to change passwords from time to time!

パスワードの管理には気をつけて! Be careful with your password management!

etc....

It reads like a direct translation of an English communication, and feels culturally out of place.

The same thing happened to me a couple of weeks ago. Got a patronising mail from dinos.co.jp (ディノス) saying they were increasing their security measures and that I should change my password. I went and checked a few news sites and sure enough, they'd just had a massive breach. Disgraceful to not disclose it in their mail, IMO.

Ironically, they also preached how important security is - パスワードは、お客様の財産を守る重要な情報です (passwords are important information that protect your assets).