In this Risk & Repeat podcast, SearchSecurity editors discuss new information on the Yahoo data breach, including how counterfeit cookies may have been used by attackers.
Yahoo's recent 10-Q filing with the U.S. Securities and Exchange Commission included new information about the company's massive data breach, including connections to a 2014 network intrusion by a presumed nation-state attacker.
The Yahoo data breach, which was officially disclosed in September, exposed private information from at least 500 million user accounts, including names, email addresses, telephone numbers, dates of birth, and hashed passwords, as well as encrypted or unencrypted security questions and answers. In its initial statement about the breach, Yahoo claimed that a network intrusion in late 2014, by what the company believed to be a state-sponsored actor, led to the breach.
Yahoo's 10-Q filing provided additional details about the 2014 network intrusion. Specifically, the filing states that Yahoo broadened the scope of its initial security investigation to determine "the scope of knowledge within the Company in 2014 and thereafter regarding this access." Yahoo acknowledged that at least some employees knew about the 2014 attack when it occurred two years ago, but the company hasn't yet disclosed who those individuals are, what they knew and when they knew it.
The SEC filing also included information about how a threat actor, believed to be the same nation-state attacker responsible for the 2014 incident, created counterfeit browser cookies that bypassed Yahoo's authentication systems. The revelations led security experts to further criticize Yahoo's security practices and response to the data breach.
What does the SEC filing say about the Yahoo data breach? How serious are the revelations about cookie abuse by a state-sponsored attacker? How could the incident affect Verizon's proposed acquisition of Yahoo? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the topic of the Yahoo breach.