Yahoo just revealed that in August 2013, someone stole data linked to more than one billion accounts. Back in September, the company announced a 2014 security breach affecting some 500 million users; however, it believes these two incidents are “likely distinct.” Additionally, the company says that it believes the same hackers from the 2014 breach dug into its code and figured out how to forge cookies to target specific accounts. It has invalidated the forged cookies and notified holders of the accounts they were used to access in 2015 or 2016. Need a spreadsheet or a chart to keep track of all the ways your Yahoo account info is probably floating around right now? There is an FAQ to try and help users figure out what has been stolen, when and how they might be affected. Still, the massive size of this breach means that, for Yahoo users, information including “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” is potentially out there. The company is reaching out to potentially affected users, so there should be a message coming your way soon, while the security questions and answers have been invalidated. Of course, if you’ve used the same information for a security answer somewhere else, then whoever has it could use those answers against you, so change them. Yahoo’s ongoing security investigation and users left scrambling to reset passwords and security questions (again) are just one part of the puzzle. It’s unclear how these new revelations affect its $4.83 billion acquisition by (Engadget and AOL parent company) Verizon. Previous reports indicated the carrier could be looking for a discount or way out of the deal altogether, and this bad news probably won’t help. Source: Yahoo, FAQ
Read the article:
Yahoo confirms new security breach affecting over one billion accounts
An anonymous reader writes: To protect Tor users from FBI hacking tools that include all sorts of Firefox zero-days, the Tor Project started working on a sandboxed version of the Tor Browser in September. Over the weekend, the Tor Project released the first alpha version of the sandboxed Tor Browser. “Currently, this version is in an early alpha stage, and only available for Linux,” reports BleepingComputer. “There are also no binaries available, and users must compile it themselves from the source code, which they can grab from here.” The report notes: “Sandboxing is a security mechanism employed to separate running processes. In computer security, sandboxing an application means separating its process from the OS, so vulnerabilities in that app can’t be leveraged to extend access to the underlying operating system. This is because the sandboxed application works with its own separate portion of disk and memory that isn’t linked with the OS.”
A new white paper from Microsoft claims that “devices running Windows 10 are 58% less likely to encounter ransomware than when running Windows 7”. But an anonymous reader brings more news from Windows-watcher Paul Thurrott: in a separate blog post, it also makes its case for why Windows 10 version 1607 — that is, Windows 10 with the Anniversary Update installed — is the most secure Windows version yet. Improvements in this release include: Microsoft Edge runs Adobe Flash Player in an isolated container, and Edge exploits cannot execute other applications… [And] the Windows Defender signature delivery channel works faster than before so that the in-box anti-virus and anti-malware solution can help block ransomware, both in the cloud and on the client. Additionally, Windows Defender responds to new threats faster using improved cloud protection and automatic sample submission features, plus improved behavioral heuristics aimed at detecting ransomware-related activities. Interestingly, the paper also touts Microsoft’s “Advancing machine-learning systems in our email services to help stop the spread of ransomware via email delivery.”