Yahoo has revealed that it has been the victim of another hack and massive data breach, one that compromised the information of a billion users!
Outside forensic experts called in to help with the investigation believe that this breach happened in August 2013, and that it was likely not carried out by the same attackers as the 2014 breach disclosed this September.
In addition, the company says that attackers accessed its proprietary code, which allowed them to learn how to forge cookies and, therefore, to access user accounts without a password.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies,” the company explained, and noted that this compromise is believed to have been pulled off by the “same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
(By the by, InfoArmor researchers previously expressed their doubts about those attackers being defined as “state-sponsored.”)
Yahoo says that it has been unable to identify the intrusion associated with this latest data theft, but that data associated with more than one billion user accounts appears to have been stolen. This includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
The company has moved to notify affected users, is forcing them to change their passwords, and has invalidated unencrypted security questions and answers so that they cannot be used to access an account.
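The cookie-forgery angle above comes down to how a session cookie is authenticated. The following is an added illustration, not Yahoo's code or anything from the article: a session cookie carrying a user id and expiry, signed with HMAC-SHA256 under a key that is read from the environment (the variable name SESSION_SIGNING_KEY is an assumption for this example) rather than embedded in the source. With this design, someone who reads the source learns the cookie format but cannot produce a valid signature, a cookie signed under any other key is rejected, and rotating the key invalidates every outstanding cookie at once.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumption for this example: the signing key lives outside the code base
# (environment variable or a secrets store), so leaked source does not reveal it.
# A random key is generated for a stand-alone run.
SESSION_KEY = os.environ.get("SESSION_SIGNING_KEY", "").encode() or os.urandom(32)
SESSION_TTL = 24 * 3600  # cookie lifetime in seconds


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(user_id: str, key: bytes = SESSION_KEY,
                now: Optional[int] = None, ttl: int = SESSION_TTL) -> str:
    """Build 'payload.signature', where signature = HMAC-SHA256(key, payload)."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": issued + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(sig)}"


def verify_cookie(cookie: str, key: bytes = SESSION_KEY,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _b64decode(payload_b64)
        sig = _b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig, expected):
        return None  # wrong key or tampered payload
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(data, dict) or data.get("exp", 0) < current:
        return None  # expired
    return data.get("uid")


if __name__ == "__main__":
    cookie = make_cookie("alice")
    print("issued:", cookie)
    print("verified as:", verify_cookie(cookie))
    print("under another key:", verify_cookie(cookie, key=os.urandom(32)))
```

The verification order matters: the signature is checked before the payload is parsed, so untrusted bytes are never interpreted unless they were produced under the server's key.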
Reactions from the security community
“This unfolding story about Yahoo’s data breaches serves as a dire warning to every business that depends on robust data privacy and security to earn and keep customer trust,” noted Roy Feintuch, CTO and Co-founder at Dome9 Security.
“The fact that multiple data breaches happened over a protracted time period shows that Yahoo failed in multiple fronts. Yahoo did not put in place adequate protection measures to prevent these breaches, and also failed to detect and report on these breaches in a timely manner so that subsequent breaches could have been averted.”
“The second cyberattack discovered at Yahoo illustrates just how difficult data breach investigations have become. Even while the company was assessing its systems following the discovery of the 2014 breach, this separate and larger breach went completely unnoticed,” commented Tony Gauda, CEO of ThinAir.
“It’s clear that organizations lack adequate visibility of their data. You don’t stand a chance defending digital assets you can’t see. Yahoo isn’t the only company with a breach just waiting to be discovered, and until the industry prioritizes reducing the time spent on investigations, this cycle will continue.”
Shuman Ghosemajumder, CTO of Shape Security, says that this most recent credential spill at one of the world’s largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites.
“This breach makes the job of cybercriminals that much easier, adding significantly to the more than 2 billion spilled credentials reported available to those attacking online accounts. Here’s why: Credential spills are one of the most widespread, yet misunderstood, security breaches. Most stories will focus on users’ Yahoo accounts, but the damage affecting those appears to have been done over two years ago, and Yahoo will now simply encourage those users to reset their passwords,” he noted.
“The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today.”
“We see credential stuffing attacks on every major website in the world now,” he explained. “We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 1 billion passwords to attempt to take over accounts on another website would be able to take over millions of accounts on most websites.”
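The pattern Ghosemajumder describes, a large number of distinct accounts tried from one source with a success rate in the low single digits, is also what makes credential stuffing detectable on the receiving site. The following is an added example, not code from Shape Security or from the article: it parses a constructed login log (the format "timestamp source_ip account result" and the thresholds are assumptions) and flags any source IP that, within a time window, attempts many distinct accounts with a low success rate, reporting which accounts were nonetheless logged into so they can be forced through a password reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data): one login attempt per line,
# "timestamp source_ip account result". 203.0.113.5 tries twelve different
# accounts in twelve seconds and gets into one; 198.51.100.7 is a single user
# mistyping their own password twice.
_STUFFING_IP = "203.0.113.5"
_LEGIT_IP = "198.51.100.7"
SAMPLE_LOG = "\n".join(
    [f"2016-12-15T10:00:{i:02d}Z {_STUFFING_IP} user{i}@example.com "
     f"{'OK' if i == 7 else 'FAIL'}" for i in range(12)]
    + [
        f"2016-12-15T10:05:00Z {_LEGIT_IP} alice@example.com FAIL",
        f"2016-12-15T10:05:20Z {_LEGIT_IP} alice@example.com FAIL",
        f"2016-12-15T10:05:40Z {_LEGIT_IP} alice@example.com OK",
    ]
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
Event = Tuple[datetime, str, str, bool]  # (timestamp, ip, account, success)


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_credential_stuffing(events: List[Event],
                               window: timedelta = timedelta(minutes=10),
                               min_attempts: int = 10,
                               min_distinct_accounts: int = 8,
                               max_success_rate: float = 0.10) -> Dict[str, dict]:
    """Flag source IPs that spray many accounts with a low success rate.

    A sliding window over each IP's attempts catches bursts; the distinct-account
    threshold separates stuffing from one user retrying their own password.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        end = 0
        for start in range(len(attempts)):
            while end < len(attempts) and attempts[end][0] - attempts[start][0] <= window:
                end += 1
            win = attempts[start:end]
            accounts = {acct for _, acct, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            rate = successes / len(win)
            if (len(win) >= min_attempts and len(accounts) >= min_distinct_accounts
                    and rate <= max_success_rate):
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_accounts": len(accounts),
                    "successes": successes,
                    "success_rate": rate,
                    # accounts the attacker actually got into: reset these first
                    "compromised_accounts": sorted(a for _, a, ok in win if ok),
                }
                break  # one hit per IP is enough
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed log this flags 203.0.113.5 (12 attempts, 12 accounts, one success, rate about 8%) and leaves 198.51.100.7 alone. In production the thresholds would be tuned per site, and distributed stuffing that rotates source addresses needs the same aggregation keyed on other signals (client fingerprint, ASN, request timing) rather than IP alone.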