Hacker News
by probably_wrong 3408 days ago
> If Google, Facebook, Twitter and others can figure out how to secure their sites, Yahoo can.

The other article linked in this thread[1] attributes this attack to a "state-sponsored actor", which is interesting considering that Google was hacked by such an actor [2], but I'm not sure they ever acknowledged it.

I doubt anyone can say for sure that Facebook and/or Twitter haven't been hacked in such a way. If anything, all we can say is that we haven't heard about it.

[1] http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-...

[2] http://www.slate.com/blogs/future_tense/2013/10/30/nsa_smile...

1 comments

Schneier reports that it wasn't a state-sponsored actor, but a criminal group called Group E. He says "state-sponsored actor" is often code for "please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that." [1]

Google is definitely more secure and more proactive at security than Yahoo. You can look through their security whitepaper: they take a systematic approach and they meet and exceed the state of the art.[2] In contrast, Yahoo was hashing passwords with MD5. Here's Ptacek saying "there is no redeeming quality to justify using MD5", in 2007.[3] Yahoo doesn't really have any excuse.

[1] https://www.schneier.com/blog/archives/2016/09/the_hacking_o...

[2] https://drive.google.com/file/d/0B5Y-fwYJF2hLOTVmMzQ1MjAtMDF...

[3] https://web.archive.org/web/http://www.matasano.com/log/958/...

(I'm not affiliated with any of these companies.)