Yahoo’s use of the MD5 hash basically means that virtually all of their user passwords were compromised. Considering that Yahoo was also found to be involved in the NSA Prism program, people should have been using better email providers years ago. I’d personally recommend Tutanota, Protonmail, and Mailfence for email services.
Yahoo’s infamous hack — already one of the worst in history — is even worse than previously thought.
All 3 billion user accounts it had in 2013 were affected by the security breach, the company, which Verizon acquired in June, said on Tuesday. Yahoo had previously estimated the hack affected 1 billion accounts.
In its statement, the company said:
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
The hacked user information included phone numbers, birth dates, security questions and answers, and “hashed,” or scrambled, passwords, Yahoo said in a list of frequently asked questions on its website. The information did not include “passwords in clear text, payment card data, or bank account information,” the company said.
However, the technique Yahoo used to hash passwords on its site is an outdated one that is widely considered easy to defeat, so it’s possible that people who obtained the hashed passwords could recover the original passwords: a fast, unsalted hash can be tested against guesses at enormous speed, and identical passwords produce identical hashes.
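To make the weakness concrete, here is an added example (not from the original article or from Yahoo) that contrasts an unsalted MD5 digest with a salted, iterated password hash. PBKDF2-HMAC-SHA256 from Python's standard library is used as the stronger scheme purely for illustration; the user list is constructed sample data, and the storage format `iterations$salt$digest` is this example's own convention.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Constructed sample data: two users happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted digest per password.
    Every user with the same password gets the same digest, so a single
    precomputed table of common passwords matches all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as
    iterations$salt$digest so the verifier can recover the parameters.
    A fresh random salt makes identical passwords hash differently, and the
    iteration count makes each guess thousands of times slower than MD5."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_digests(hasher: Callable[[str], str],
                      users: Dict[str, str]) -> int:
    """Count users whose stored hash is shared with at least one other user.
    Shared digests reveal password reuse and let one table lookup unlock
    every matching account."""
    hashes = [hasher(p) for p in users.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


def seconds_per_hash(hasher: Callable[[str], str], password: str,
                     rounds: int = 3) -> float:
    """Average wall-clock cost of one hash; the gap between the two schemes
    is the work factor an offline guessing attack has to pay per guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        hasher(password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print("MD5 shared digests:   ", duplicate_digests(md5_unsalted, SAMPLE_USERS))
    print("PBKDF2 shared digests:", duplicate_digests(pbkdf2_hash, SAMPLE_USERS))
    print("MD5 seconds/hash:     ", seconds_per_hash(md5_unsalted, "hunter2"))
    print("PBKDF2 seconds/hash:  ", seconds_per_hash(pbkdf2_hash, "hunter2"))
    stored = pbkdf2_hash("hunter2")
    print("verify correct:", pbkdf2_verify("hunter2", stored))
    print("verify wrong:  ", pbkdf2_verify("hunter3", stored))
```

Running it shows the MD5 table has two users sharing one digest while the PBKDF2 table has none, and that a single PBKDF2 hash costs on the order of a million times more CPU than an MD5 digest. A dedicated password-hashing function such as bcrypt, scrypt or Argon2 would be the usual production choice; PBKDF2 is used here only because it ships with the standard library.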
Yahoo said it was sending email notifications to account holders that it didn’t previously determine were affected by the hack.