And to put this in context, IT in Japan is about a decade behind the West.
While Y!J and Y!Inc are separate entities, the former does borrow/use technology from the former and some of the Y!J services use Y!Inc servers and/or services maintained by Y!Inc.
Y!J user ids are completely separate from Y!Inc though (Y!Inc ids are shared throughout the Y! locales).
It's been almost a decade since I was at Y!J, but from what I understand Y!J does continue to leverage the Y!Inc relationship for services and servers.
Additionally, simply stating that old technology is the reason for a security breach could be a red herring; it isn't always the age of the technology but how it is implemented.
Sure, plenty of companies are behind. But quite a few are too in the US... http://www.pcworld.com/article/249951/if_it_aint_broke_dont_...
I'm also not sure that "new" means more secure in this kind of context either. LinkedIn ain't exactly ancient and had a similar breach last year.
I feel for all the engineers involved in resolving this issue. We had a team of 3 or 4 working on the resolution for a few weeks.
It's normally the result of a successful phishing attack. The affected users probably have no idea their accounts were compromised.
To identify compromised accounts we looked for profile photos matching a certain md5. The attackers were using the accounts for viagra links and updated compromised account profile photos with one of about 50 photos.
Once we identified the accounts they were "quarantined". But the attackers got smart and started shifting a pixel so that the md5 wouldn't match our set of known bad photos.
There were other patterns we identified to isolate the compromised accounts but it was ongoing which meant as we cleaned up accounts the attackers adapted.
For the 3M accounts a bit was flipped in their account. The membership team which handles logins handled the first step of the compromised user signing in. They redirected the user to a specific page that took them through a password reset flow. It wasn't the standard password reset flow. After all, we couldn't know if it was the attacker or the user logging in.
This was all a while back but it was more or less something along those lines. It was not fun.
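The detection story in the comment above (matching profile photos against a set of known-bad md5s, then the attackers nudging a pixel so the md5 no longer matched) is a good illustration of why exact hashes are fragile for near-duplicate detection. The following is an added example, not code from the commenter or from Yahoo; it assumes a toy grayscale image represented as a list of pixel rows, and the sample "photo" is constructed inline. It contrasts md5 with a simple difference hash (dHash: average-pool to a 9x8 grid, then compare each cell to its right-hand neighbour) plus a Hamming-distance threshold, so that a single changed pixel or a one-pixel shift still matches the known-bad set.

```python
import hashlib

WIDTH, HEIGHT = 72, 64   # constructed size: pools cleanly into a 9 x 8 grid


def make_image(width=WIDTH, height=HEIGHT):
    """Constructed sample 'profile photo': an 8-bit grayscale ridge that
    brightens toward the middle column, with a slight row-wise offset."""
    def pixel(x, y):
        dist = x if x < width // 2 else (width - 1 - x)
        return (3 * dist + y // 8) % 256
    return [[pixel(x, y) for x in range(width)] for y in range(height)]


def image_bytes(img):
    return bytes(v for row in img for v in row)


def md5_hex(img):
    """Exact-match fingerprint: any single byte change gives a new digest."""
    return hashlib.md5(image_bytes(img)).hexdigest()


def downsample(img, cols=9, rows=8):
    """Average-pool the image into a cols x rows grid of mean intensities."""
    h, w = len(img), len(img[0])
    bw, bh = w // cols, h // rows
    grid = []
    for r in range(rows):
        row = []
        for c in range(cols):
            total = 0
            for y in range(r * bh, (r + 1) * bh):
                for x in range(c * bw, (c + 1) * bw):
                    total += img[y][x]
            row.append(total / (bw * bh))
        grid.append(row)
    return grid


def dhash(img):
    """64-bit difference hash: one bit per adjacent-cell comparison,
    row by row, most significant bit first."""
    bits = 0
    for row in downsample(img):
        for c in range(len(row) - 1):
            bits = (bits << 1) | (1 if row[c] < row[c + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two dhash values."""
    return bin(a ^ b).count("1")


def tweak_one_pixel(img):
    """Attacker-style evasion from the comment: alter a single pixel value."""
    out = [row[:] for row in img]
    y, x = HEIGHT // 2, WIDTH // 2
    out[y][x] = (out[y][x] + 128) % 256
    return out


def shift_right(img):
    """Alternative reading of 'shifting a pixel': translate the image one
    column to the right, duplicating the first column."""
    return [[row[0]] + row[:-1] for row in img]


def is_known_bad(img, known_hashes, threshold=8):
    """Match against the known-bad set within a Hamming-distance threshold.
    The threshold (8 of 64 bits) is an assumed tuning value, not from the thread."""
    h = dhash(img)
    return any(hamming(h, k) <= threshold for k in known_hashes)


if __name__ == "__main__":
    original = make_image()
    known_bad = {dhash(original)}
    for label, variant in (("one pixel", tweak_one_pixel(original)),
                           ("shifted", shift_right(original))):
        print(label, "md5 match:", md5_hex(variant) == md5_hex(original),
              "dhash distance:", hamming(dhash(variant), dhash(original)),
              "flagged:", is_known_bad(variant, known_bad))
```

In practice the known-bad set would be built from the hashes of confirmed attacker photos, and the threshold tuned against a sample of legitimate photos so that near-duplicates of real users' pictures are not quarantined by mistake; perceptual hashing narrows the evasion space but does not close it, which is why the comment's other behavioural signals still matter.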
Another article clarifies that the total number of Yahoo Japan accounts is 200 million, so it was actually 10% of all Yahoo Japan accounts. My apologies for contributing to that impression.
パスワードを定期的に変更しましょう! Let's be sure to change passwords from time to time!
パスワードの管理には気をつけて! Be careful with your password management!
etc....
It reads like a direct translation of an English communication, and feels culturally out of place.
Ironically, they also preached how important security is - パスワードは、お客様の財産を守る重要な情報です (passwords are important information that protect your assets).
I spent some time arguing that this was a silly requirement but in the end I had to change my program to use non-email address user IDs (which no one can remember as they are specific to this application... )
If you are using Yahoo! Japan, check out the feature I was in charge of... alerting you when you have a login event on your account from a new device, and possibly locking your account: http://login.yahoo.co.jp/alert/intro