"At Least 500 Million Yahoo Accounts Hacked in Late 2014" via Macrumors.

Yahoo today confirmed that "at least" 500 million Yahoo accounts were compromised in an attack in late 2014, leaking customer information like names, email addresses, telephone numbers, birthdates, hashed passwords, and both encrypted and unencrypted security questions and answers.

Does this surprise anyone at this point?

You know, I think if I had a huge cloud company with hundreds of millions of users, I'd consider having at least three sets of teams writing at least the fascade of the software -- the server-side controller methods -- so I could rotate from one to another every sprint or so to throw off would-be hackers. As soon as they made progress hacking one, it'd be replaced by Team 2. By the time we got back around to Team 1, they'd have iterated once or twice, and the hackers would have to, if not start over, pivot. Or maybe any user would have an X% chance of bringing up Team 1, Y% 2, Z% 3 each time they started a session.

I'd likely do the same for the users' data, splitting them into into several different databases, and maybe rotating users back and forth. Several different architectures using several different databases, all pitching to a consistent UI and user experience. If you interface well, it's no problem.

I realize there are obvious downsides. Maybe Team 2 has a horrible design, and it's easily cracked. That is, I'm in some sense three times as likely to get hacked as before, even if it's a much smaller set of users that's compromised.

But even more importantly would seem to be to sniff your network traffic like heck to see when 500 million sets of birthdays had left the network. Bizarre.

Ultimately, though, RMS (hrm, apparently not Stallman) is on point: If it's on a computer, in a network, given enough time, it'll eventually be free to anyone else on that network. Networked zeroes and ones want to be free.

Labels: , , , ,