Talk:Yahoo! data breaches

Yahoo! data breaches is currently a Computing and engineering good article nominee. Nominated by Joe (talk) at 06:34, 2 April 2024 (UTC) An editor has placed this article on hold to allow improvements to be made to satisfy the good article criteria. Recommendations have been left on the review page, and editors have seven days to address these issues. Improvements made in this period will influence the reviewer's decision whether or not to list the article as a good article. Short description: Major data breaches which occurred at Yahoo!

Yahoo! data breaches was nominated as a Engineering and technology good article, but it did not meet the good article criteria at the time (March 31, 2024, reviewed version). There are suggestions on the review page for improving the article. If you can improve it, please do; it may then be renominated.

A news item involving Yahoo! data breaches was featured on Wikipedia's Main Page in the In the news section on 23 September 2016.

This article is rated B-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing Mid‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles Mid This article has been rated as Mid-importance on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Crime and Criminal Biography Low‑importance This article is within the scope of WikiProject Crime and Criminal Biography, a collaborative effort to improve the coverage of Crime and Criminal Biography articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Crime and Criminal BiographyWikipedia:WikiProject Crime and Criminal BiographyTemplate:WikiProject Crime and Criminal BiographyCrime-related articles Low This article has been rated as Low-importance on the project's importance scale. Databases (inactive) This article is within the scope of WikiProject Databases, a project which is currently considered to be inactive.DatabasesWikipedia:WikiProject DatabasesTemplate:WikiProject DatabasesDatabases articles Internet Mid‑importance This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles Mid This article has been rated as Mid-importance on the project's importance scale. Russia Low‑importance This article is within the scope of WikiProject Russia, a WikiProject dedicated to coverage of Russia on Wikipedia. To participate: Feel free to edit the article attached to this page, join up at the project page, or contribute to the project discussion.RussiaWikipedia:WikiProject RussiaTemplate:WikiProject RussiaRussia articles Low This article has been rated as Low-importance on the project's importance scale.

I just wanted to post a quick note of appreciation to the many editors who contributed to this article. Thanks to everyone's efforts it was linked on the Main Page (in WP:ITN) barely a day after creation. Well done. -Ad Orientem (talk) 20:10, 24 September 2016 (UTC)[reply]

I think the last paragraph of the Events section, about other actors having access to Yahoo´s data (meaning PRISM and MUSCULAR programs) is quite misleading as these are a different kind of data breachs. Maybe we could move this to the article´s ending in the "See also" section? Javier Jelovcan (talk) 12:56, 28 September 2016 (UTC)[reply]

@Javier Jelovcan: How are these different kinds of data breaches? It seems that the only two differences are that those programs also breached into the content of email-accounts and not just the account-info (not enough to breach into most yahoo accounts and thereby gain access to the content) and that it wasn't self-reported by Yahoo but instead was disclosed by a whistleblower's leaks. However, while I do think that this information needs to be included in the article I too think that the "Events" section might be a bit inappropriate - it's not really part of the events of this breach. So either the section needs to be renamed (e.g. to "Background" or alike) or a new section needs to be set up.

--Fixuture (talk) 17:09, 30 September 2016 (UTC)[reply]

Just want to agree with Javier that these breaches seem quite separate. As a casual reader, it felt like the article was trying to make a political point. The government breaches probably don't belong in this article. People reading this article are interested in the specific breaches cited in the news recently, not in "every time that Yahoo user data has been compromised". — Preceding unsigned comment added by 2600:1017:B425:8ED4:5D1E:F33C:6EC9:9CCF (talk) 16:44, 2 October 2016 (UTC)[reply]

Well, I happen to agree with the inclusion of the mentions. If a government actor is mentioned, it should be made clear to what extent various such actors are already involved, as part of general context. Samsara 01:40, 4 October 2016 (UTC)[reply]

While the article is named Yahoo! data breach it seems that 2 separate breaches were publicized more or less at the same time:

• one occurred in 2014, encompasses the account info of ~500.000.000 user accounts, with no data being public or sold, is said to be state-sponsored, and is the main subject of most news reports and this article
• the other occurred in 2012, encompasses the account info of ~200.000.000 user accounts, with the data being sold on the TheRealDeal for bitcoins worth less than $2000, could possibly state-sponsored as well with the sale of the data being done with a profit/criminal motive by an individual hacker according to said vendor, and is only mentioned in most news reports and this article

Not sure if those 2 breaches are in any way related (e.g. by motivation, by attacker, by method used in the breach etc.). I'm also not sure whether or not Yahoo has confirmed this breach to date. Maybe they try to damage control by only confirming the larger breach and trying to only imply that the previous breach occurred as well without explicitly confirming it?

So what should be done here?
Should the article be renamed to sth like "Yahoo! data breaches" or "2014 and 2012 Yahoo! data breaches" or "Yahoo! data breaches revealed in 2016"...?
Or should there be a new article for the 2012 breach? (And if so: what about the other social media accounts "Peace_of_mind" is selling? It looks like those sites were breached as well.)
Or nothing at all?

--Fixuture (talk) 17:26, 30 September 2016 (UTC)[reply]

For now, the two breaches should have clearly delineated and headlined sections. Once that's been achieved, it'll be easier to decide whether a split of the article is appropriate or not. Samsara 22:37, 1 October 2016 (UTC)[reply]

The 2012 breach apparently refers to the 2012 LinkedIn hack. ^Falling_Gravity 21:06, 16 December 2016 (UTC)[reply]

There are a number of open questions I'd like to know the answers to if anybody has them (or can help find the answers to; Yahoo should have provided them already or clearer):

• Were the passwords properly salted with a proper (long enough etc) salt per every user?
• What do they mean with "encrypted or unencrypted security questions and answers"? Were they properly encrypted or not? If some weren't: which and how many users are affected?
• How were the minority of passwords hashed that weren't hashed with bcrypt?
• Is the country suspected by Yahoo Russia? Or is it another country (which?)? Or do they have no clue which country it is but only that it was state-sponsored?
• Except of the professionality of the breach are there any other clues that point to a state-sponsored actor?
• Did Yahoo notice any unusual activity such as what one would expect once the data reached criminal hands? (e.g. anything related to mass attempts of gaining access to accounts by answers to security-questions).
• Why didn't Yahoo notify its users of the breaches? Weren't they knowledgable of the hack in 2014 already as "at the time of the 2014 attack, Yahoo executives were said to have concluded that it was linked to Russia, because it was launched from computers in Russia" ( http://www.wsj.com/articles/yahoo-executives-detected-a-hack-tied-to-russia-in-2014-1474666865 )?
• How was the data encrypted? Was it encrypted? If not why?

Note that these open questions may also be included in the article if they were/are not answered.

--Fixuture (talk) 18:06, 30 September 2016 (UTC)[reply]

Strictly speaking, we can't raise questions that aren't raised in reliable sources. If you can't find these questions raised elsewhere, maybe get in touch with Ars Technica, Wired or any similar publication to see if they'll accept an editorial contribution from you. Once that's published, there should be no question that we can cite it. I know it's silly, but that's how the current model works. If you want some help writing such a piece, let me know. HTH, Samsara 22:56, 1 October 2016 (UTC)[reply]

There are reports of some 1 billion odd accounts (New York Times, Wall Street Journal, TechnoBuffalo, and more). This appears to be a different breach than the one the article currently covers. We could either incorporate this into the current article and rename it "Yahoo! data breaches" or move the current article to "2014 Yahoo! data breach" and create a new article 2013 Yahoo! data breach. However, as mentioned above, the current article also covers a 2012 data breach. I guess if this keeps up we'll see a data breach from Yahoo! every year. ^Falling_Gravity 02:41, 15 December 2016 (UTC)[reply]

Given the extent to which reliable sources are reporting on the separate incidents together (focusing on the underlying vulnerabilities and combined impact on the company and on the public), I favor expanding this article and renaming it Yahoo! data breaches. —David Levy 03:34, 15 December 2016 (UTC)[reply]

Since it's believed to be the same "state actors", I'm going ahead and moving it to "Yahoo! data breaches". There still isn't that much info about the new hack in the article yet. ^Falling_Gravity 09:39, 15 December 2016 (UTC)[reply]

A few days ago User:FallingGravity removed the "2012 breach" section, saying that it's about the 2012 LinkedIn hack.

While that's correct the section also contained information on the breach that apparently occurred in 2012. As of right now the "July 2016 discovery" section contains parts of that now-removed section. However there is no section "2012 breach" despite there apparently being a third breach and it's missing much info that was previously found in the removed section such as the motivation of the hackers and the use of the data.

Should parts of it be restored? If so how (should the section be renamed, left as it is or a new section get added)?

--Fixuture (talk) 18:15, 2 January 2017 (UTC)[reply]

No, it should be kept out. The only connection to the 2012 LinkedIn hack is that there is the same black market seller involved in both. It's necessary to name this seller (and his connection to the 2012 hack) because awareness of this data led to the discovery of these larger breaches. The 2016 discovery section properly alludes to the seller's roll in the 2012 hack, but that's all that's needed. --MASEM (t) 18:19, 2 January 2017 (UTC)[reply]

There does not appear to be even the most basic information posted related to this. Breach could mean anything, obviously it's implied credentials to the accounts were gained, but then what was done?

I assume passwords and contact information was downloaded for every account. What about individual emails, did the hackers download every email?

Did they download location information?

Contact Lists?

Calendar Appointments?

Where is the information — Preceding unsigned comment added by 108.29.37.45 (talk) 18:27, 8 February 2020 (UTC)[reply]

This review is transcluded from Talk:Yahoo! data breaches/GA2. The edit link for this section can be used to add comments to the review.

Nominator: Joereddington (talk · contribs) 06:34, 2 April 2024 (UTC)[reply]

Reviewer: Schierbecker (talk · contribs) 18:17, 22 April 2024 (UTC)[reply]

This article appears to still be a little ways off from GA.

• The lede name-drops Karim Baratov in the lede, but doesn't identify his profession or nationality.
  • Fixed.
• When did Yahoo contact law enforcement?
  • It's actually not clear they did - their own press release (and their SEC filing) suggests that law enforcement came to them: https://help.yahoo.com/kb/account/SLN27925.html?impressions=true but in general there is a very little information in reliable sources.
• How did Yahoo come to learn about the breaches?
  • Per the above, there's a suggestion that they were informed by law enforcement, there's a suggestion that they found out about it from press asking about account data being available on the dark web, and there's a suggestion in a press release that they were doing their own investigation. I've not been able to find reliable sources that cover it. Their filing at https://web.archive.org/web/20170110014942/https://investor.yahoo.net/secfiling.cfm?filingID=1193125-16-764376&CIK=1011006 says "In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders."

• What effects did the 2013 breach have on users/Yahoo? When was this discovered? This breach affected six times as many accounts but there is hardly any information about it. Was it less sensitive in nature?
  • You are right. It's massive and it was broadly ignored (I mean, there was a congressional hearing but it found nothing of substance) I was extremely pleased I was able to find a source positively saying the negative: i.e. that Yahoo had released no information.

• at least two others accessed user account information connected to Belan?
  • Fixed.

• Yahoo also claimed that there was no evidence that the attackers were still in the system Was this proven? Article suggests otherwise.
  • It's a [very specific denial](https://tvtropes.org/pmwiki/pmwiki.php/Main/SuspiciouslySpecificDenial) right? That was Yahoo's claim at the time. The indictment against Belan suggests Belan was operating well past that time, but I opted to show both sources with editorialising.

• From October 2014 to at least November 2016, Belan and at least two others accessed user account information Using the fruits of the 2014 breach?
  • Yes, that is the understanding. I can make this a bit more obvious in the text if you like?

• The filing noted that the company believed the data breach had been conducted through a cookie-based attack The September filing or the November filing?
  • Fixed (The November filing of finances covering the period up to the 30th September) I've also clarified some of the nearby language.

• it was reported that account names and passwords for about 200 million Yahoo accounts were presented for sale on the darknet market site. Which darknet site? Was this related to the 2014 breach? Do we know if anyone purchased them?
  • I'm a little confused by the first bit of the question - the darknet site is 'The Real Deal' but that's already in the text so I might need some clarity. Regarding the other questions: Yahoo hasn't released any information about which breach it might have been related to (or even if it's real), and I don't believe I have any sources covering if it was purchased.

• Did Russia cooperate with the investigation? Was the FSB organization implicated as a whole or was this the work of agents doing unsanctioned work for the FSB on their own initiative (or even moonlighting off the clock for their own personal gain)? Which accounts did the FSB agents target. (edit: Dmitry Dokuchaev was one of those charged. He has a Wikipedia article. He should be mentioned by name. Maybe Igor Anatolyevich Sushchin too.)
  • I've linked both Igor_Sechin and Dmitry Dokuchaev. Sadly I don't have any sources from the FSB about how they feel. We have some light information about the FSB agents targeting 'people of interest to the regime' but nothing that really produces content (and I think it would be a magnet for some fringe contributions)

 On hold pending improvements. Schierbecker (talk) 18:17, 22 April 2024 (UTC)[reply]

Wonderful! Thank you so much for your review. I'll pop back shortly to do proper replies/fixes - I suspect that the answer to some of your questions is "Yahoo refuses to give any information about this and thus there are no relable sources one way or the other", but I can make some changes on the basis of this :) Joe (talk) 12:04, 23 April 2024 (UTC)[reply]

Right, I've fixed an array of things and replied to all comments. Apologies for how many of the answers are "There isn't really a source for that" I did do quite a bit of digging... Joe (talk) 18:49, 24 April 2024 (UTC)[reply]

Hi, can I check in and see what's left to do? I'm aware that the clock is ticking and I don't want to miss out on the GA because I forgot to response to a particular comment :) Joe (talk) 06:42, 27 April 2024 (UTC)[reply]

It appears that Igor Sushchin is linked to the wrong guy. Will take a look tomorrow. Schierbecker (talk) 07:22, 27 April 2024 (UTC)[reply]

Definately the wrong guy (his age is about ten years different on the indictment compared to the wiki article) Joe (talk) 19:10, 30 April 2024 (UTC)[reply]

• Russia denies responsibility

• More details

• p. 1262. Also mention Stamos.

• Alexey Belan linked twice. Also who is he? Give a brief background. How did he escape prosecution? Where is he believed to be? Did the U.S. request his extradition? WP:BLPCRIME applies. Make sure that all unproven allegations are presented as such.

• When was the August 2013 breach disclosed?

• Images should be left at the default size per WP:THUMBSIZE.

• Use MOS:DATECOMMA. This article is specific to the U.S., therefore it is obvious we are dealing with U.S. currency. MOS:$.

• [[tq|Judge Koh rejected the settlement offer,}} Need his first name. In this case I don't think his name is important, so it can just be removed.

Schierbecker (talk) 20:57, 30 April 2024 (UTC)[reply]