grandeduc - Fotolia
Yahoo, already the victim of the largest single data breach in history, has admitted to breaking its own ignominious record with the disclosure of an attack from 2013 that led to data from more than 1 billion accounts being stolen.
In September, Yahoo disclosed a 2014 breach affecting 500 million user accounts. This newly announced breach involved the theft of data from more than 1 billion users, but Yahoo is unsure how the intrusion occurred and said the two breaches are "likely distinct."
According to Bob Lord, CISO at the company, the 2013 Yahoo breach was discovered as part of the ongoing investigation into the 2014 Yahoo breach. Lord said in a blog post that forensic experts analyzed data provided in November by law enforcement "that a third party claimed was Yahoo user data" and confirmed it was authentic data from a breach that occurred in August 2013.
"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Lord wrote. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
J. Paul Haynes, CEO at eSentire Inc., a cybersecurity company based in Cambridge, Ont., said any breach involving personally identifiable information (PII) like this "can haunt its victims for months or years."
"This information usually ends up on the dark web, where it's cycled through buyers who can use that information to commit various forms of fraud," Haynes said. "Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts."
The MD5 algorithm was found to be insecure around 2009, and experts previously criticized Yahoo for the use of the MD5 algorithm in hashing passwords. Experts said three years was more than enough for attackers to crack MD5 and decrypt user passwords.
Eldon Sprickerhoff, founder and chief security strategist at eSentire, described the process of breaking the hash.
"In the Yahoo case, account passwords were hashed. Think of it as a one-way encryption that can't be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed and feed it through the hash function, you end up with all possible hashed passwords," Sprickerhoff told SearchSecurity. "You can then do a reverse lookup and find the actual password. What this means is that with standard password technology in place, hackers can easily identify user passwords."
Risks across the web
Richard Henderson, global security strategist at Absolute Software Corp., an endpoint security company headquartered in Vancouver, B.C., said the risk of these passwords being stolen could extend beyond Yahoo.
"Things get dicey when we look at the longstanding problem of password reuse. If the billion password hashes have been broken, then that provides a ton of ammunition for attackers to attempt to get into other accounts belonging to the same target," Henderson told SearchSecurity via email. "Organizations watching these developments should be taking the time to thoroughly review how they are storing passwords themselves. If they're not storing hashes appended with a long enough random salt -- and it needs to be a unique salt per user -- then they need to get on top of that right away."
However, Kevin Cunningham, president and co-founder of SailPoint Technologies Inc., an identity governance company based in Austin, Texas, said password compromise might not be the only aim of the Yahoo breach.
"What this latest breach disclosure by Yahoo underscores is an interesting trend where hackers are breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores," Cunningham told SearchSecurity. "Think about all of the highly sensitive files that could be lurking in these breached Yahoo email accounts: incredibly sensitive tax or financial statements, personal healthcare data, even banking or credit card information."
Lord said Yahoo is "notifying potentially affected users and [has] taken steps to secure their accounts, including requiring users to change their passwords." Additionally, Yahoo has "invalidated unencrypted security questions and answers so that they cannot be used to access an account."
Adam Levin, chairman and founder of IDT911 LLC, an identity protection company based in Scottsdale, Ariz., said the best option for users is to lie when creating new security questions for their accounts.
"It's not about veracity. It's about consistency," Levin told SearchSecurity. "Your mother's real maiden name, along with so many other answers to security questions, is easy to find nowadays through social media accounts or simple social-engineering tactics, and this will be exploited to gain access to even more valuable data. Just make sure you aren't so creative in your answers that you can't remember them and lock yourself out."
Yahoo's slow response
Experts generally reproved Yahoo for not detecting the breach sooner, and Chenxi Wang, CSO at Twistlock, a container security company based in San Francisco, said this was proof "that Yahoo's priorities clearly did not include proactive protection of user information."
"Yahoo was late in implementing encryption, late to adopt bug bounty programs and also failed to implement automatic password refreshes for its users after the first large-scale breach," Wang told SearchSecurity. "It is not surprising that more breaches are discovered, given such a lackluster attitude toward user security. The critical question is: How many more breaches are waiting in the wings -- not just for Yahoo, but for other companies that also fail to embrace proactive security measures, such as multifactor authentication and end-to-end encryption, all in the name of more pressing business priorities? And what other surprises are in store for consumers?"
Kevin Bocek, vice president of security strategy and threat intelligence for Venafi in Salt Lake City, agreed Yahoo's encryption practices were "relatively weak," but said there may be reason the company didn't know about the breach.
"It seems very likely that the data was encrypted during exfiltration, and that's how the attackers managed to move such a massive amount of data while staying under the radar of Yahoo security tools. It's nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out of their network, unless they have strong cryptography practices," Bocek told SearchSecurity. "We find many large organizations with deep investments in security technology don't have adequate visibility or controls around the encryption they rely on to protect critical data."
Philip Lieberman, president of Lieberman Software Corp., a cybersecurity software company based in Los Angeles, said he has not been surprised at the reports about another Yahoo breach.
"In our interactions with Yahoo over the years, there has been a consistent lack of interest in security, as well as a palpable arrogance in their ability to manage their security without any help from the outside. As we said in our last interaction, 'Thank you for the meeting and the best of luck doing everything yourself,'" Lieberman said. "The truth and lesson to be learned from this situation is that you must always be looking for intrusions, expect them, expect they will not be discoverable and operate your infrastructure to minimize losses. If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security, as Yahoo now finds themselves."
Learn more about how password reuse and password sharing is still prevalent in enterprise.
Find out how the Yahoo breach may affect the acquisition by Verizon.
Get info on the lawsuit regarding the first Yahoo breach.