Yahoo announced on Thursday that it has suffered a breach and that account information of at least half a billion users was exfiltrated from the company’s network in late 2014.
The stolen data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” but not “unprotected passwords, payment card data, or bank account information,” nor Tumblr user data.
Yahoo attributed the hack to a state-sponsored actor, and says that there is no indication that they are still present in Yahoo’s network. As the investigation continues, users are getting notified of the breach through their Yahoo and alternate email accounts, and advised to change their passwords and adopt alternate means of account verification, change the password and security questions for any other accounts on which they used the same information, and to be on the lookout for phishing attempts.
The company has provided a page with more details, including instructions on how to spot phishing emails impersonating the company and how to tell with certainty that an email actually comes from Yahoo.
How did the Yahoo breach happen?
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice,” Yahoo has noted in the announcement.
The company has not offered any explanation of how it managed to miss the intrusion for so long. It’s also possible that they did know about it but chose to remain silent until they no longer could. Last month’s public offer for sale of account details of some 200 million Yahoo users was apparently the result of a previous breach, but it forced the company into starting a new investigation.
“Yahoo, like many other large companies, has huge and sprawling networks with hundreds of thousands of hosts. That’s a lot of attack surface for anyone to effectively protect all the time. So, it’s unsurprising when breaches, even of this magnitude, take place,” noted Jeremiah Grossman, Chief of Security Strategy at SentinelOne, and former infosec officer at Yahoo (late 1999-mid-2001).
“Due to Yahoo’s size, they often have to rely on homegrown technology solutions because historically there have been limited products on the market that can scale to meet the demands of their system. It could be that this issue created gaps in their security program because they’re unable to use cutting-edge security products designed to thwart modern threats that most everyone else can,” he added.
Who’s behind it?
“There are a lot of unanswered questions here—the biggest one being that while we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story,” says Grossman.
Why would a nation-state target Yahoo in the first place (if indeed it has)?
“There are some parallels between this and the Google Aurora attacks in 2010,” he noted. “I’d argue that nation-state sparring is playing out on networks like Yahoo because they’re a valuable source of information on your opponent’s strategy. If you are a nation state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft, etc. rather than government networks. Of course, there is always the motivation to deanonymize political dissidents.”
“The fact that the Yahoo breach is being tied to state-sponsored actors is extremely alarming. With the potential to be the largest breach in history (as 500 million users were affected), the fallout from this attack could be devastating,” says Vishal Gupta, CEO of Seclore.
“For example, this nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn’t difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously. Imagine getting a call from a presidential campaign, except the information being shared by the caller isn’t factual, and is actually intended to sway you towards a different candidate. We haven’t seen this sort of activity yet, but it’s within the realm of possibility. Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes.”
Repercussions for users
If you’re an affected user, you might want to do all the things Yahoo has advised you to do to protect yourself and your other accounts.
I argue that the advice might have been good if it had come right after the breach, but now it only gives the illusion that you can control the situation. If this information was stolen in 2014, who knows how many times it has been sold and misused since then?
“One of the more egregious errors in this disclosure was the fact that date of birth (DOB) information was exposed,” notes Todd Feinman, founder of Spirion.
“Companies like Yahoo have an obligation to their customers to protect their privacy and classify personally identifiable information. DOBs are a perfect example of data that should be classified and protected so that, in the event of a data breach, personally identifiable information (PII) is not exposed,” he explained.
“DOB can be used in conjunction with other data to steal an identity or compromise the victim in other ways. They’re sometimes used as secondary validation and should be classified as confidential and kept encrypted just like social security numbers and health record numbers.”
“Data breaches are now a common occurrence but should not be taken for granted. When we see 200 million DOBs, password hashes, and usernames floating around, it is critical those users become aware and cognizant of any identity theft alerts and change their passwords that were the same as those on Yahoo. Hashes will slow criminals down but not stop them,” he concluded. I would add: especially if they are a well-resourced nation-state actor, and they’ve had two years to work on breaking them.
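The point that hashing slows an attacker without stopping them is easier to see with numbers. The following Python is an added illustration, not code from the article or from Yahoo: it uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (the assumption being that what matters is the tunable work factor and the per-user salt, which both schemes provide), stores a constructed sample credential, and estimates how a per-user salt and a slow hash multiply the cost of guessing a short wordlist against a large user base. The account count and wordlist size in the estimate are the ones a defender would plug in when choosing a work factor; the throughput figures are measured on whatever machine runs the script.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. Assumption: PBKDF2 at this iteration count
# plays the role bcrypt's cost parameter plays in the article.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash: the kind of storage the article credits Yahoo with."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def fast_hash(password: str, salt: bytes) -> bytes:
    """A single SHA-256 over salt+password: no work factor, the scheme bcrypt replaces."""
    return hashlib.sha256(salt + password.encode()).digest()


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so verification does not leak which bytes matched."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def measure_rate(hash_fn, salt: bytes, trials: int) -> float:
    """Hashes per second for hash_fn on this machine, measured over `trials` guesses."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess{i}", salt)
    return trials / (time.perf_counter() - start)


def seconds_to_guess_all(accounts: int, wordlist_size: int, rate_per_second: float) -> float:
    """With a unique salt per account, every account's wordlist must be hashed
    separately, so the cost scales with accounts * wordlist_size / rate."""
    return accounts * wordlist_size / rate_per_second


def compare(accounts: int = 500_000_000, wordlist_size: int = 1_000) -> dict:
    """Measure both schemes and return the estimated single-core guessing time."""
    salt = os.urandom(16)
    slow_rate = measure_rate(hash_password, salt, trials=3)
    fast_rate = measure_rate(fast_hash, salt, trials=20_000)
    return {
        "slow_hashes_per_s": slow_rate,
        "fast_hashes_per_s": fast_rate,
        "slow_years_one_core": seconds_to_guess_all(accounts, wordlist_size, slow_rate) / 31_557_600,
        "fast_years_one_core": seconds_to_guess_all(accounts, wordlist_size, fast_rate) / 31_557_600,
    }


if __name__ == "__main__":
    # Constructed sample credential: a user record as it would sit in the database.
    salt = os.urandom(16)
    stored = hash_password("correct horse battery staple", salt)
    print("verify ok:", verify_password("correct horse battery staple", salt, stored))
    print("verify wrong:", verify_password("password1", salt, stored))
    for key, value in compare().items():
        print(f"{key}: {value:,.2f}")
```

The output makes the article’s two claims concrete: the per-user salt forces the guessing work to be repeated per account (500 million times), and the slow hash cuts single-core throughput by orders of magnitude, so a short wordlist becomes a multi-year job per core. It does not make the job impossible; dividing the estimate by the number of cores a well-resourced actor can buy, over a two-year window, is exactly the calculation the author’s closing remark alludes to.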
Repercussions for Yahoo
The timing of the revelation of the breach could scarcely be worse, as Yahoo has recently announced that Verizon is going to acquire the company for $4.8 billion.
“Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base,” says Kevin Cunningham, president and founder at SailPoint.
“The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls. It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”
“What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?” notes Keatron Evans, Senior Security Researcher and Principal of Blink Digital Security.
“This slow response could become a PR nightmare that damages the company’s reputation. As this story continues to unfold, it is likely that even more damaging news is revealed. The one thing that is clear at this point is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster. There are already appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action.”