
Yahoo breach investigation adds more questions than answers

An SEC filing updated what has been learned from the investigation into the late-2014 Yahoo breach, but the language in the filing has created more confusion about the incident.

The ongoing investigation into the 2014 Yahoo breach has uncovered more activity by the threat actor, but it has also raised more questions about what employees and executives at the company knew and when they knew it.

In its Form 10-Q Quarterly Report submitted to the Securities and Exchange Commission (SEC), Yahoo added new information unearthed while investigating the data breach, which ended with 500 million user accounts compromised. Yahoo disclosed in September that the breach occurred in 2014, but said it had only confirmed the attack during a "recent investigation." However, the SEC filing indicates someone at Yahoo may have known about the attack when it originally occurred.

The SEC filing said Yahoo "is investigating, among other things, the scope of knowledge within the company in 2014 and thereafter regarding this access, the security incident, the extent to which certain users' account information had been accessed, the company's security measures, and related incidents and issues."

The Yahoo board established an independent committee in late 2016 to investigate the Yahoo breach. In the SEC filing, Yahoo states that it began its initial investigation in July after a hacker claimed to have obtained Yahoo customer data. The investigation grew to include "an ongoing broader review of the company's network and data security, including a review of prior access to the company's network by a state-sponsored actor that the company had identified in late 2014."

A source familiar with the matter said the committee found that "somebody at the company knew something in 2014 relevant to a state-sponsored actor having accessed the system," but the extent of what was known, by whom and whether that information was shared with anyone else is unclear.

The source said Yahoo was trying to be as transparent as possible, but that the investigation had only recently uncovered that someone at the company may have known something. The source also stressed that the investigation is still ongoing.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said despite the investigation only just turning up this information, it was "an utter failure that a breach was known and never reported throughout the organization."

"Not only was a further breach possible, prioritization of remediation was clearly not made as we can see from Yahoo's control over encryption and chaos of using weak, deprecated digital certificates involving MD5," Bocek said. "The extent of the breach, because of the chaos of encryption and ability of cybercriminals to hide, will likely never really be known but certainly could have been mitigated if notification was made throughout Yahoo."

Bocek said this "lack of controls over encryption" was displayed further in the SEC filing with the disclosure that the threat actor had been creating and forging cookies. According to the filing, "forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information."

John Bambenek, manager of threat systems at Fidelis Cybersecurity, said most web-based services use cookies to permanently authenticate systems to an account.

"I can log into my Gmail account once, travel all over the world, and every time I open my laptop, Gmail will just come up. This is accomplished by storing a cookie on the browser that never expires. Typically, once cookies are issued, they can be used to simply access accounts and, in some cases, even after the user changes their password, the authenticated cookies remain valid," Bambenek told SearchSecurity. "While more details are required, this seems to imply that malicious actors collected a large amount of valid cookies and were able to remain authenticated to Yahoo."

Stephen Coty, chief security evangelist at Alert Logic, said the damage from cookie creation and forgery could include "forgery, stalking, profiling, skimming, et cetera."

The SEC filing stated that the cookie creation was the work of the same state-sponsored threat actor, during the same period as the Yahoo breach, and was used to access certain users' accounts or account information. According to a source familiar with the matter, this was a different attack vector from the one found originally, but it is unclear whether it was part of a separate attack. The source said Yahoo believes it is no longer possible for attackers to forge valid Yahoo Mail cookies.
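The filing does not describe how Yahoo's cookies were built or why forged ones were accepted, so the following is an added example, not Yahoo's code or anything from the filing. It illustrates the two design properties Bambenek's comment and the filing turn on: a session cookie that a server can verify was minted with a server-held key (so an attacker cannot simply construct one), and a cookie that stops working when the user changes their password (so a stolen cookie does not outlive the credential). The server key, the account store with its "password generation" counter, and the cookie format `user|generation|expiry.hmac` are all assumptions made for the example.

```python
"""Added example: HMAC-signed, revocable session cookies versus forged ones.

Not Yahoo's code; the key, account store and cookie format are assumptions.
"""
import hashlib
import hmac
import time

# Assumed server-side secret. Constructed for this example; a real service
# would load it from a secrets store and rotate it.
SERVER_KEY = b"example-server-key-do-not-reuse-0123456789"

# Assumed account store. Each account carries a password-generation counter
# that is bumped on every password change. Constructed sample data.
ACCOUNTS = {"alice": {"pw_generation": 1}}


def _sign(payload: bytes, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 tag over the cookie payload, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_cookie(user_id: str, ttl_seconds: int, now=None, key: bytes = SERVER_KEY) -> str:
    """Mint a cookie bound to the user, the current password generation and an expiry."""
    now = int(time.time()) if now is None else int(now)
    gen = ACCOUNTS[user_id]["pw_generation"]
    payload = f"{user_id}|{gen}|{now + ttl_seconds}".encode()
    return payload.decode() + "." + _sign(payload, key)


def verify_cookie(cookie: str, now=None, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is authentic, unexpired and not revoked; else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_text, tag = cookie.rsplit(".", 1)
        user_id, gen_text, exp_text = payload_text.split("|")
        gen, exp = int(gen_text), int(exp_text)
    except ValueError:
        return None  # malformed cookie
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(_sign(payload_text.encode(), key), tag):
        return None  # tampered, or signed with the wrong key (forgery)
    if exp <= now:
        return None  # expired: cookies should not be valid forever
    account = ACCOUNTS.get(user_id)
    if account is None or account["pw_generation"] != gen:
        return None  # password changed since the cookie was issued
    return user_id


def change_password(user_id: str) -> None:
    """Simulate a password change: bumping the generation revokes every outstanding cookie."""
    ACCOUNTS[user_id]["pw_generation"] += 1


def forge_cookie(user_id: str, now=None, guessed_key: bytes = b"guess") -> str:
    """What an attacker without SERVER_KEY can do: guess the format and sign with a guessed key."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}|1|{now + 10**9}".encode()
    return payload.decode() + "." + _sign(payload, guessed_key)


def run_demo(now: int = 1_700_000_000) -> dict:
    """Exercise the cookie lifecycle at a fixed clock and report each verification result."""
    ACCOUNTS["alice"]["pw_generation"] = 1  # reset so the demo is repeatable
    results = {}
    cookie = make_cookie("alice", 30 * 86400, now=now)
    results["valid"] = verify_cookie(cookie, now=now)
    results["forged"] = verify_cookie(forge_cookie("alice", now), now=now)
    results["tampered"] = verify_cookie(cookie.replace("alice", "bob", 1), now=now)
    results["expired"] = verify_cookie(cookie, now=now + 31 * 86400)
    change_password("alice")
    results["after_pw_change"] = verify_cookie(cookie, now=now)
    results["fresh_after_change"] = verify_cookie(make_cookie("alice", 3600, now=now), now=now)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:>18}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

Two points follow from the example. First, a cookie that passes `verify_cookie` can only have been minted by someone holding `SERVER_KEY`, so "forging" valid cookies at scale implies the attacker obtained the signing material or found a weakness in validation; the filing gives no detail on which applied at Yahoo. Second, the behaviour Bambenek describes, where a cookie stays valid after a password change, is a design choice: binding the cookie to a per-account generation counter (or storing sessions server-side and clearing them on password change) makes the old cookie useless the moment the user changes their password.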
