Pinterest Stumbleupon Whatsapp
Ads by Google

Web giant Yahoo has suffered an enormous data breach. The breach, which took place in 2014, resulted in the information of 500 million Yahoo users being offered for sale on the dark web 6 Little-Known Corners Of The Deep Web You Might Actually Like 6 Little-Known Corners Of The Deep Web You Might Actually Like The deep web has a bad reputation—just about every bad thing you can think of is available there. But there are also some really great things you might want to check out. Read More .

Image Credit: Ken Wolter via Shutterstock.com
Image Credit: Ken Wolter via Shutterstock.com

The scale of the theft dwarfs other recent, major data breaches, and places the security practices in place at Yahoo firmly under the spotlight.

What Has Been Breached?

Yahoo issued a statement confirming and detailing the security breach, making an assertion that the data was stolen by “state-sponsored” hackers. Information, including names, email addresses, phone numbers and security questions were stolen from the company in 2014.

“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. We are working closely with law enforcement authorities and notifying potentially affected users of ways they can further secure their accounts.”

One small positive arrives in the knowledge that the breach did not contain “unprotected passwords, payment card data, or bank account information.” Nonetheless, the statements issued by Yahoo will raise further questions from security researchers concerning the timeline of events, as well as the company’s actions in the days following the breach.

Raising Important Questions

Firmly atop many security researchers list of questions will simply be “why did it take so long to confirm a hack Why Companies Keeping Breaches a Secret Could be a Good Thing Why Companies Keeping Breaches a Secret Could be a Good Thing With so much information online, we all worry about potential security breaches. But these breaches could be kept secret in the USA in order to protect you. It sounds crazy, so what's going on? Read More of this scale?” This easily segues into others questions, as well. Why did Yahoo take so long to inform its users of the breach?

Ads by Google

The notion of a state-sponsored attack is also puzzling. As yet, Yahoo has failed to produce any evidence linking the breach to a nation-state actor, although three U.S. intelligence officials – who declined to be identified by name – confirmed to Reuters:

“…they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.”

Even if the breach bore resemblance to previous nation-state attacks When Governments Attack: Nation-State Malware Exposed When Governments Attack: Nation-State Malware Exposed A cyberwar is taking place right now, hidden by the internet, its results rarely observed. But who are the players in this theater of war, and what are their weapons? Read More , those breaches do not typically result in the release of private user data. Rarer still is finding those credentials advertised for sale on the dark web Here's How Much Your Identity Could Be Worth on the Dark Web Here's How Much Your Identity Could Be Worth on the Dark Web It's uncomfortable to think of yourself as a commodity, but all of your personal details, from name and address to bank account details, are worth something to online criminals. How much are you worth? Read More .

Adding further intrigue is the identity of the individual selling part of the data breach. A user named “Peace of Mind,” who had also sold data dumps of the MySpace and LinkedIn breaches, was actively touting the data.

hacker
Image Credit: adike via Shutterstock

Jeremiah Grossman, head of security strategy at SentinelOne, said “While we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.”

Grossman believes that as Peace of Mind was a “profiteer hacker” they would be highly unlikely to have received state-sponsorship; consequently, “this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”

“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be…We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.” – United Kingdom Information Commissioner Elizabeth Denham

How Serious Is This?

Yahoo’s statement confirmed that the vast majority of stolen passwords were hashed using bcrypt. Hashing is the process of turning a password into a fixed length “fingerprint” that is recalled and checked when a user attempts to login. It is a basic method of protecting user information Every Secure Website Does This With Your Password Every Secure Website Does This With Your Password Have you ever wondered how websites keep your password safe from data breaches? Read More , yet is still overlooked by some websites The 5 Most Common Tactics Used To Hack Passwords The 5 Most Common Tactics Used To Hack Passwords When you think of a serious security threat, you may think of some clever malicious program that steals your data or takes over computer. In reality, you’re just as (if not more) likely to be... Read More .

Bcrypt is considered a secure method of hashing as the hashes are also “salted,” How Do Websites Keep Your Passwords Secure? How Do Websites Keep Your Passwords Secure? With regular online security breaches reported, you're doubtless concerned about how websites look after your password. In fact, for peace of mind, this is something everyone needs to know… Read More a process where each hash will be different, even if it is protecting the same password.

Passwords are irritating but easy to change; a mother’s maiden name isn’t. Hackers also breached plaintext security questions. Security questions have long come under scrutiny How To Create A Security Question That No One Else Can Guess How To Create A Security Question That No One Else Can Guess In recent weeks I have written a lot about how to make online accounts recoverable. A typical security option is setting up a security question. While this potentially provides a quick and easy way to... Read More for their role in identifying user accounts in previous breaches, yet they still form a primary feature of most user account login systems.

Accordingly, Yahoo have sent all of their users a password reset message. They encourage their users to:

  • Change your password and security questions and answers for any other accounts on which you use the same or similar credentials as the ones used for your Yahoo Account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

We can not emphasize the first suggestion enough. We also advise our readers to consider other sites they may have used their login credentials with, such as photo-storage service Flickr, or social bookmarking site Del.icio.us.

You may have created a Yahoo account without realizing it was insecure.

A Big Old Breach

Yahoo now takes an unwanted crown What You Need To Know About the Massive LinkedIn Accounts Leak What You Need To Know About the Massive LinkedIn Accounts Leak A hacker is selling 117 million hacked LinkedIn credentials on the Dark web for around $2,200 in Bitcoin. Kevin Shabazi, CEO and founder of LogMeOnce, helps us to understand just what is at risk. Read More : the biggest corporate data breach in history.

  • Yahoo – 500 million user credentials
  • MySpace – 359m
  • LinkedIn – 164m
  • Adobe – 152m
  • Badoo – 112m

In July 2016, U.S. telecommunications giant Verizon made the $5bn acquisition of Yahoo’s internet business. Though, this breach is not expected to affect the takeover.

Our advice remains the same as with any major data breach. Reset your passwords. Also, scrutinize your emails and text messages over the coming weeks and months. Remember to never reuse your account credentials.

Credential reuse; not even once.

Has your account been compromised? Are you surprised at how long it took Yahoo to act? Which major service will be breached next? Let us know your thoughts below!

  1. Maryon Jeane
    September 30, 2016 at 11:11 am

    "Passwords are irritating but easy to change; a mother’s maiden name isn’t."

    I've never understood why 'mother's maiden name' is used for security purposes. Your mother's original (I seriously hate this 'maiden' business...) name is a matter of record and is hardly difficult to find out. When asked to use my mother's maiden name I always use a random and different-each-time name; to do anything other seems daft to me.

    • Gavin Phillips
      September 30, 2016 at 11:35 am

      Completely agree. I'm currently writing an article explaining how you should really answer security questions and why, as you point out, they're a massive potential vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *