Yahoo is emailing at least some of the 1 billion users whose account information was hacked in 2013. Thursday’s email seems to imply that hackers didn’t acquire users’ passwords. That’s misleading.
Here’s a portion of the email Yahoo sent users (emphasis ours):
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. [...] The stolen information did not include passwords in clear text, payment card data, or bank account information.
Let’s break it down. First, hackers accessed at least a billion “hashed” passwords (which look like “286755fad04869ca523320acce0dc6a4”); second, hackers did not access “clear-text” passwords (which look like “password”).
Yahoo’s email refers to its web page, which says that “passwords that have been hashed can’t be reversed into the original plain text password.”
This statement is misleading. There are plenty of tools online that quickly recover the plain text behind a hashed password, by looking the hash up in a table of precomputed hashes or by guessing candidates until one matches.
“I have to assume any guessable password was guessed quickly,” says Jeffrey Goldberg, who works for the password-management company 1Password.
Goldberg estimates the hackers could have calculated 800 million to 900 million Yahoo usernames and passwords within weeks of the breach.
So why does Yahoo claim hashed passwords can’t be reversed? Because it’s going with a very specific definition of “reverse.” For readers without math degrees, “you’re getting these two mixed messages,” says Goldberg. For password-security experts, you “know exactly what this means.”
It means the attackers probably guessed most passwords very quickly.
If Yahoo had “salted” users’ passwords (mixing a random value into each password before hashing it, so that the precomputed lookup tables those tools rely on no longer work), then reversing them would take far longer. Goldberg assumes Yahoo didn’t “salt” its passwords, because the company’s email doesn’t mention it.
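To make the difference concrete, here is an added example (not from the article or from Yahoo) that models the two cases described above: unsalted MD5 hashes, which fall to a single precomputed lookup table, and per-user salted hashes, which force the guesser to re-hash every candidate for every account. The user records and candidate list are constructed sample data.

```python
import hashlib
import os

# Constructed sample data for illustration only (not real Yahoo records).
CANDIDATES = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]
USERS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3-unique"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. One table serves every unsalted hash ever leaked."""
    return {md5_hex(p.encode()): p for p in candidates}

def recover_unsalted(leaked, table):
    """leaked: {user: md5_hex}. Each account costs one dictionary lookup, no hashing at all."""
    return {user: table.get(h) for user, h in leaked.items()}

def make_salted_records(users):
    """Store (salt, md5(salt || password)) per user, with a fresh random salt for each."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, md5_hex(salt + pw.encode()))
    return records

def recover_salted(records, candidates):
    """With per-user salts the table is useless: every candidate must be re-hashed
    for every user. Returns recovered passwords and the number of hash operations."""
    found, hash_ops = {}, 0
    for user, (salt, h) in records.items():
        found[user] = None
        for p in candidates:
            hash_ops += 1
            if md5_hex(salt + p.encode()) == h:
                found[user] = p
                break
    return found, hash_ops

def demo():
    table = build_lookup_table(CANDIDATES)
    unsalted_leak = {u: md5_hex(pw.encode()) for u, pw in USERS.items()}
    unsalted = recover_unsalted(unsalted_leak, table)
    salted, ops = recover_salted(make_salted_records(USERS), CANDIDATES)
    return unsalted, salted, ops

if __name__ == "__main__":
    print(demo())
```

Salting only removes the shared precomputation; because MD5 is fast, weak passwords like “password” and “letmein” still fall to per-user guessing, which is why a slow password hash and a unique password matter as much as the salt.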
When asked Thursday, Yahoo refused to say whether it “salted” passwords in 2013. The company says it “salts” its passwords now, and it did when hackers stole 500 million users’ account information in 2014.
The company is now disabling affected users’ accounts until they change their passwords.
Goldberg suggests users go one step further: “If the password you used on Yahoo is used on any other service, you should assume it’s compromised there as well.”
So ignore the top half of Yahoo’s email. Follow the instructions near the bottom:
Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.