Talk:Yahoo! data breaches

Thank You
I just wanted to post a quick note of appreciation to the many editors who contributed to this article. Thanks to everyone's efforts it was linked on the Main Page (in WP:ITN) barely a day after creation. Well done. -Ad Orientem (talk) 20:10, 24 September 2016 (UTC)

Mention of PRISM and MUSCULAR on "Events" Section
I think the last paragraph of the Events section, about other actors having access to Yahoo's data (meaning PRISM and MUSCULAR programs) is quite misleading as these are a different kind of data breaches. Maybe we could move this to the article's ending in the "See also" section? Javier Jelovcan (talk) 12:56, 28 September 2016 (UTC)


 * How are these different kinds of data breaches? It seems that the only two differences are that those programs also breached into the content of email-accounts and not just the account-info (not enough to breach into most yahoo accounts and thereby gain access to the content) and that it wasn't self-reported by Yahoo but instead was disclosed by a whistleblower's leaks. However, while I do think that this information needs to be included in the article I too think that the "Events" section might be a bit inappropriate - it's not really part of the events of this breach. So either the section needs to be renamed (e.g. to "Background" or alike) or a new section needs to be set up.
 * --Fixuture (talk) 17:09, 30 September 2016 (UTC)

Just want to agree with Javier that these breaches seem quite separate. As a casual reader, it felt like the article was trying to make a political point. The government breaches probably don't belong in this article. People reading this article are interested in the specific breaches cited in the news recently, not in "every time that Yahoo user data has been compromised". — Preceding unsigned comment added by 2600:1017:B425:8ED4:5D1E:F33C:6EC9:9CCF (talk) 16:44, 2 October 2016 (UTC)


 * Well, I happen to agree with the inclusion of the mentions. If a government actor is mentioned, it should be made clear to what extent various such actors are already involved, as part of general context. Samsara 01:40, 4 October 2016 (UTC)

It's actually 2 breaches that have been disclosed: 2012 and 2014
While the article is named ''Yahoo! data breach'' it seems that 2 separate breaches were publicized more or less at the same time:
 * one occurred in 2014, encompasses the account info of ~500.000.000 user accounts, with no data being public or sold, is said to be state-sponsored, and is the main subject of most news reports and this article
 * the other occurred in 2012, encompasses the account info of ~200.000.000 user accounts, with the data being sold on TheRealDeal for bitcoins worth less than $2000, could possibly be state-sponsored as well with the sale of the data being done with a profit/criminal motive by an individual hacker according to said vendor, and is only mentioned in most news reports and this article

Not sure if those 2 breaches are in any way related (e.g. by motivation, by attacker, by method used in the breach etc.). I'm also not sure whether or not Yahoo has confirmed this breach to date. Maybe they are trying to do damage control by only confirming the larger breach and trying to only imply that the previous breach occurred as well without explicitly confirming it?

So what should be done here? Should the article be renamed to something like "Yahoo! data breaches" or "2014 and 2012 Yahoo! data breaches" or "Yahoo! data breaches revealed in 2016"...? Or should there be a new article for the 2012 breach? (And if so: what about the other social media accounts "Peace_of_mind" is selling? It looks like those sites were breached as well.) Or nothing at all?

--Fixuture (talk) 17:26, 30 September 2016 (UTC)
 * For now, the two breaches should have clearly delineated and headlined sections. Once that's been achieved, it'll be easier to decide whether a split of the article is appropriate or not. Samsara 22:37, 1 October 2016 (UTC)
 * The 2012 breach apparently refers to the 2012 LinkedIn hack. FallingGravity 21:06, 16 December 2016 (UTC)

Open questions
There are a number of open questions I'd like to know the answers to if anybody has them (or can help find the answers to; Yahoo should have provided them already or clearer):


 * Were the passwords properly salted with a proper (long enough, etc.) salt for every user?
 * What do they mean by "encrypted or unencrypted security questions and answers"? Were they properly encrypted or not? If some weren't: which and how many users are affected?
 * How were the minority of passwords hashed that weren't hashed with bcrypt?
 * Is the country suspected by Yahoo Russia? Or is it another country (which?)? Or do they have no clue which country it is but only that it was state-sponsored?
 * Apart from the professionalism of the breach, are there any other clues that point to a state-sponsored actor?
 * Did Yahoo notice any unusual activity such as what one would expect once the data reached criminal hands? (e.g. anything related to mass attempts at gaining access to accounts by answers to security questions).
 * Why didn't Yahoo notify its users of the breaches? Weren't they knowledgeable of the hack in 2014 already as "at the time of the 2014 attack, Yahoo executives were said to have concluded that it was linked to Russia, because it was launched from computers in Russia" ( http://www.wsj.com/articles/yahoo-executives-detected-a-hack-tied-to-russia-in-2014-1474666865 )?
 * How was the data encrypted? Was it encrypted? If not, why?

Note that these open questions may also be included in the article if they were/are not answered.

--Fixuture (talk) 18:06, 30 September 2016 (UTC)


 * Strictly speaking, we can't raise questions that aren't raised in reliable sources. If you can't find these questions raised elsewhere, maybe get in touch with Ars Technica, Wired or any similar publication to see if they'll accept an editorial contribution from you. Once that's published, there should be no question that we can cite it. I know it's silly, but that's how the current model works. If you want some help writing such a piece, let me know. HTH, Samsara 22:56, 1 October 2016 (UTC)

Another data breach
There are reports of some 1 billion odd accounts (New York Times, Wall Street Journal, TechnoBuffalo, and more). This appears to be a different breach than the one the article currently covers. We could either incorporate this into the current article and rename it "Yahoo! data breaches" or move the current article to "2014 Yahoo! data breach" and create a new article 2013 Yahoo! data breach. However, as mentioned above, the current article also covers a 2012 data breach. I guess if this keeps up we'll see a data breach from Yahoo! every year. FallingGravity 02:41, 15 December 2016 (UTC)


 * Given the extent to which reliable sources are reporting on the separate incidents together (focusing on the underlying vulnerabilities and combined impact on the company and on the public), I favor expanding this article and renaming it Yahoo! data breaches. —David Levy 03:34, 15 December 2016 (UTC)
 * Since it's believed to be the same "state actors", I'm going ahead and moving it to "Yahoo! data breaches". There still isn't that much info about the new hack in the article yet. FallingGravity 09:39, 15 December 2016 (UTC)

Removed info on the 2012 breach
A few days ago User:FallingGravity removed the "2012 breach" section, saying that it's about the 2012 LinkedIn hack.

While that's correct, the section also contained information on the breach that apparently occurred in 2012. As of right now the "July 2016 discovery" section contains parts of that now-removed section. However, there is no section "2012 breach" despite there apparently being a third breach, and it's missing much info that was previously found in the removed section such as the motivation of the hackers and the use of the data.

Should parts of it be restored? If so how (should the section be renamed, left as it is or a new section get added)?

--Fixuture (talk) 18:15, 2 January 2017 (UTC)
 * No, it should be kept out. The only connection to the 2012 LinkedIn hack is that there is the same black market seller involved in both. It's necessary to name this seller (and his connection to the 2012 hack) because awareness of this data led to the discovery of these larger breaches. The 2016 discovery section properly alludes to the seller's role in the 2012 hack, but that's all that's needed. --M ASEM (t) 18:19, 2 January 2017 (UTC)

Article Frustratingly Lacks Basic Information
There does not appear to be even the most basic information posted related to this. Breach could mean anything; obviously it's implied credentials to the accounts were gained, but then what was done?

I assume passwords and contact information were downloaded for every account. What about individual emails, did the hackers download every email?

Did they download location information?

Contact Lists?

Calendar Appointments?

Where is the information — Preceding unsigned comment added by 108.29.37.45 (talk) 18:27, 8 February 2020 (UTC)