Yahoo had a data breach

Yahoo! had a data breach: CHANGE PASSWORDS NOW

Why is this insanely bad? Unsalted passwords. Hashed using MD5.

I’d suggest changing your passwords now. Because odds are whoever got them has plaintext passwords now. Always salt your passwords and SHA1 – preferably SHA256 or SHA512 – WITH A SALT!

I’m beyond livid.


That’s very common unfortunately.

The LinkedIn one, released early this year (https://www.troyhunt.com/observations-and-thoughts-on-the-linkedin-data-breach/), was collected in about the same period (2012), and had SHA1 without salt.

If what Yahoo says is correct, accounts that changed their password after summer 2013 (of the northern hemisphere, I’d assume) would now be hashed with bcrypt (it doesn’t mention a salt, but well). But the reality is that you cannot re-hash an old password, so even if they improved on their side, it needs a new password.

In 2012/2013 it was still pretty common to see big services using pretty silly hashing algorithms. It was already a bad idea, but it was way more common than today.

That’s why it’s so important to use a password manager (1Password, LastPass, KeePass, anything), to keep randomly-generated passwords, unique per service.
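As an added illustration of the two points made in this thread (unsalted MD5 lets one lookup table cover every user, and a stored hash cannot be converted to a stronger scheme without the plaintext), here is example code written for this page, not code from Yahoo or from any poster. It uses a constructed two-user store in the style of the breached 2012-era records, a salted PBKDF2-HMAC-SHA256 scheme from the Python standard library (bcrypt would do equally well but needs a third-party package), and an upgrade-on-login step: the only moment a service can re-hash a legacy record is when the user presents the password again, which is exactly why an old record needs a new login or a new password. The iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed sample records (not real breach data): the legacy store keeps
# unsalted MD5 hex digests, as the 2012-era Yahoo store is described above.
LEGACY_USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"correct horse").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # assumption: work factor picked for this example


def unsalted_md5(password: str) -> str:
    """The weak scheme: the same password gives the same digest for every user,
    so one precomputed table answers the question for the whole database."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_digests(store: Dict[str, str]) -> Set[str]:
    """Digests shared by more than one account: a tell-tale sign of an
    unsalted scheme that a defender can check for in their own user table."""
    seen: Set[str] = set()
    dups: Set[str] = set()
    for digest in store.values():
        if digest in seen:
            dups.add(digest)
        seen.add(digest)
    return dups


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record stores scheme, iterations, salt
    and digest together so verification needs nothing else."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login_and_migrate(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a login. If the record is still a legacy unsalted MD5 digest and the
    password is correct, replace it with a salted PBKDF2 record on the spot.
    This is the only point at which a service can upgrade an old record,
    because only now is the plaintext available to hash again."""
    stored = users.get(username)
    if stored is None:
        return False
    if "$" in stored:  # already on the salted scheme
        return verify_password(password, stored)
    # legacy record: verify against MD5, then upgrade in place
    if not hmac.compare_digest(stored, unsalted_md5(password)):
        return False
    users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = dict(LEGACY_USERS)
    print("shared digests in legacy store:", duplicate_digests(users))
    print("alice login:", login_and_migrate(users, "alice", "correct horse"))
    print("alice record now:", users["alice"][:40], "...")
    print("bob record still MD5:", users["bob"])
```

Running it shows alice and bob sharing one MD5 digest before anyone logs in; after alice logs in her record becomes a salted PBKDF2 string while bob's stays MD5 until he logs in, and nothing the service does offline can change that.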