500m Yahoo users' details stolen

Yahoo caused a stir in the security world yesterday by revealing it fell victim to a major data breach in 2014, believed to have been perpetrated by a state-sponsored attacker, which resulted in the theft of the personal information of at least 500 million users.

The company announced that an internal investigation has shown that account information was stolen from its network two years earlier.

Compromised information may have included names, email addresses, phone numbers, dates of birth, encrypted passwords and — in some cases — encrypted and unencrypted security questions and answers.

No evidence of stolen unprotected passwords, payment card data or bank information has been found, and there is no indication that the alleged state-sponsored attacker is still in Yahoo’s network.

Flashpoint cybercrime intelligence senior analyst Vitali Kremez said the company uncovered an indication of the breach in early August, when it became aware of an advertisement on the dark net for the sale of around 200 million Yahoo account credentials.       

AppRiver manager of security research Troy Gill said the delay between the sale becoming known and Yahoo disclosing the breach raises serious questions.

“I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web,” he said. “Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?”

Alert Logic UK cybersecurity evangelist Richard Cassidy likewise noted that the delay “raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long”.

News of the breach has meanwhile led to speculation that it could threaten the company’s US$4.83 billion ($6.37 billion) sale to Verizon, which was announced in July.

“Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back. Since this breach occurred in 2014 [and] wasn’t properly communicated or handled, it may very well give Verizon an ‘out’ or a reason to renegotiate,” Centrify senior director of products and marketing Corey Williams commented.

“This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company.”

Tenable Network Security EMEA technical director Gavin Millard said one of the most concerning aspects of the breach is the fact that at least some security questions and answers were unencrypted.

“Most users would have used valid responses to questions like mother’s maiden name, first car and first pet, which could lead to further exploitation and account misuse,” he said.

Cryptzone chief security officer Leo Taddeo added that the loss of these unencrypted security questions “creates a risk for enterprises that rely on this technique to enhance security for traditional credentials”. He said the best defence against this threat is to establish digital identity access controls that examine multiple user attributes before granting access.

The experts all recommended that Yahoo users with accounts registered before 2014 change their passwords immediately. But Positive Technologies EMEA technical manager Alex Mathews said this is too little, too late.

“Given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age,” he said.

“Yahoo does offer additional protection in the form of Account Key, and it would be prudent for any users that decide to continue using its service employ this as a matter of urgency.”

Image courtesy of Josh Hallett under CC