Yahoo!'s disclosure Thursday that more than 500 million customers' account information—including "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers"—has drawn much comment. The breach, dating to 2014, was discovered during investigation of rumors that stolen credentials were being offered on the black market. The company blamed an unnamed "state-sponsored actor" for the compromise.
Yahoo! has been seeking a soft landing for a much-challenged business by selling its core assets to Verizon for $4.8 billion. That soft landing is now in doubt: The New York Times notes that Yahoo! stated in the merger agreement that "there have not been any incidents of, or third-party claims alleging" security incidents that could affect Yahoo!'s value. The acquisition could be cancelled, but observers think a downward renegotiation of the price likelier.
KrebsOnSecurity is back, now hosted by Google, after sustaining a very large DDoS attack. The site's host, Akamai (who hosted KrebsOnSecurity pro bono; the two parted without rancor) severed services when the volume of attack traffic began to affect its other customers. The attack is a troubling bellwether for two trends: use of IoT botnets in high-volume DDoS, and the privatization of censorship (Krebs is thought to have been attacked in retaliation for reporting on a DDoS-as-a-service enterprise).
The US FBI late Friday released more documents from its investigation of former Secretary of State Clinton's email practices.
Switzerland yesterday voted for more extensive government surveillance powers.