Web giant Yahoo has suffered an enormous data breach. The breach, which took place in 2014, resulted in the information of 500 million Yahoo users being offered for sale on the dark web.
The scale of the theft dwarfs other recent, major data breaches, and places the security practices in place at Yahoo firmly under the spotlight.
What Has Been Breached?
Yahoo issued a statement confirming and detailing the security breach, making an assertion that the data was stolen by “state-sponsored” hackers. Information, including names, email addresses, phone numbers and security questions were stolen from the company in 2014.
“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. We are working closely with law enforcement authorities and notifying potentially affected users of ways they can further secure their accounts.”
One small positive arrives in the knowledge that the breach did not contain “unprotected passwords, payment card data, or bank account information.” Nonetheless, the statements issued by Yahoo will raise further questions from security researchers concerning the timeline of events, as well as the company’s actions in the days following the breach.
BREAKING: 500 Million #Yahoo Accounts Compromised in 2014 Hack. In other shocking news, 500 million people have Yahoo accounts.
— Jeff Edwards (@InfoSec_Review) September 22, 2016
Raising Important Questions
Firmly atop many security researchers list of questions will simply be “why did it take so long to confirm a hack of this scale?” This easily segues into others questions, as well. Why did Yahoo take so long to inform its users of the breach?
Yahoo is now sending out breach notifications to customers: pic.twitter.com/AjbDJYQCIH
— Troy Hunt (@troyhunt) September 23, 2016
The notion of a state-sponsored attack is also puzzling. As yet, Yahoo has failed to produce any evidence linking the breach to a nation-state actor, although three U.S. intelligence officials – who declined to be identified by name – confirmed to Reuters:
“…they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.”
Even if the breach bore resemblance to previous nation-state attacks, those breaches do not typically result in the release of private user data. Rarer still is finding those credentials advertised for sale on the dark web.
Adding further intrigue is the identity of the individual selling part of the data breach. A user named “Peace of Mind,” who had also sold data dumps of the MySpace and LinkedIn breaches, was actively touting the data.
Jeremiah Grossman, head of security strategy at SentinelOne, said “While we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.”
Grossman believes that as Peace of Mind was a “profiteer hacker” they would be highly unlikely to have received state-sponsorship; consequently, “this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”
“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be…We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.” – United Kingdom Information Commissioner Elizabeth Denham
How Serious Is This?
Yahoo’s statement confirmed that the vast majority of stolen passwords were hashed using bcrypt. Hashing is the process of turning a password into a fixed length “fingerprint” that is recalled and checked when a user attempts to login. It is a basic method of protecting user information, yet is still overlooked by some websites.
Bcrypt is considered a secure method of hashing as the hashes are also “salted,” a process where each hash will be different, even if it is protecting the same password.
Passwords are irritating but easy to change; a mother’s maiden name isn’t. Hackers also breached plaintext security questions. Security questions have long come under scrutiny for their role in identifying user accounts in previous breaches, yet they still form a primary feature of most user account login systems.
Accordingly, Yahoo have sent all of their users a password reset message. They encourage their users to:
- Change your password and security questions and answers for any other accounts on which you use the same or similar credentials as the ones used for your Yahoo Account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
We can not emphasize the first suggestion enough. We also advise our readers to consider other sites they may have used their login credentials with, such as photo-storage service Flickr, or social bookmarking site Del.icio.us.
You may have created a Yahoo account without realizing it was insecure.
A Big Old Breach
Yahoo now takes an unwanted crown: the biggest corporate data breach in history.
- Yahoo – 500 million user credentials
- MySpace – 359m
- LinkedIn – 164m
- Adobe – 152m
- Badoo – 112m
In July 2016, U.S. telecommunications giant Verizon made the $5bn acquisition of Yahoo’s internet business. Though, this breach is not expected to affect the takeover.
— Bob Varettoni (@bvar) September 22, 2016
Our advice remains the same as with any major data breach. Reset your passwords. Also, scrutinize your emails and text messages over the coming weeks and months. Remember to never reuse your account credentials.
Credential reuse; not even once.
Has your account been compromised? Are you surprised at how long it took Yahoo to act? Which major service will be breached next? Let us know your thoughts below!