Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion

15 December 2016

IN SEPTEMBER, YAHOO had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close.

The Hack
The most important thing we know so far is that Yahoo says “this incident is likely distinct from the incident we disclosed on September 22, 2016.” That other breach happened in late 2014, so this new (even bigger) one took place about a year earlier. Yahoo has been working with law enforcement and a third-party cybersecurity firm to verify the hack and trace its origin, but the company says that so far it doesn’t know who the perpetrator was.

Yahoo says that the breached data includes names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers. If you’re looking for a silver lining, Yahoo says the breach does not include unencrypted passwords, credit card numbers, or bank account information. Specifically, the company says that financial data is stored in a separate system that it doesn’t believe was compromised.

Another component of the company’s disclosure is a separate attack that took place in 2015 and 2016 in which hackers used forged cookies (small files that track web users) to bypass security protections and access users’ accounts without a password. Yahoo says that it believes this situation is connected at least in part to the allegedly state-sponsored hackers that committed the 2014 breach it disclosed in September.

“I would have thought it could happen to anyone two or three years ago, you know everybody can have a major breach, it happens,” says Jeremiah Grossman, who was an information security officer at Yahoo for two years in the early 2000s and is now the chief of security strategy at SentinelOne. “But some of the details [about Yahoo] that have come to light since have signaled that there’s confusion, there’s frustration, and there’s not a lot of support for the security team.”

Who’s Affected
There may be overlap (even significant overlap!) between the accounts that were compromised in this hack and the ones that were disclosed in the previous breach in September, but even in the best-case scenario a billion Yahoo accounts are involved. In an unlikely worst-case scenario, it’s 1.5 billion. For some context, in fall of 2013 Yahoo announced that it had 800 million monthly active users total, though it’s not clear how many inactive users it had. Either way, if you had a Yahoo account in 2013 or 2014, this is cause to immediately reset passwords and security questions on any account that used the same info. Unfortunately, you won’t be able to undo whatever damage this data trove has already done. “Given that this was three years ago I’m wondering how many of the breaches in the last three years originated from data stolen from Yahoo,” Grossman says.

How Serious Is This?
I mean. It’s really serious. Considering there are about three billion internet users total, a billion accounts is sobering, as is the fact that it took this long to discover and disclose. Broadly, the prevalence of large-scale corporate and government hacks over the past few years has shown that many institutions do not invest enough resources in securing their networks and digital infrastructure, either because they don’t know they need to, they don’t think they can prioritize it in their budget, or they don’t think a hack will happen to them. Yahoo in particular appears to have made some or all of these mistakes.

The passwords were hashed, but with MD5, a method known to have several vulnerabilities, so users can’t consider them safe. Yahoo says it is in the process of notifying users impacted by this breach, and will require all of them to change their passwords. The company is also voiding unencrypted security questions, and has been encouraging users to move away from security questions altogether since the last disclosure in September.
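As an added illustration (not from the article, and not Yahoo’s code), here is the contrast the paragraph draws: an unsalted MD5 password table like the one described, which reveals which users share a password before a single guess is made, beside a salted, iterated PBKDF2 store that hides that and slows guessing. The user records are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credential store for the example; not real records.
SAMPLE_USERS = {
    "alice@example.com": "winter2013",
    "bob@example.com": "winter2013",
    "carol@example.com": "correct horse battery",
}

def md5_store(users):
    """The weak scheme the article describes: bare MD5, no salt, no work factor."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def duplicate_hashes(store):
    """Return groups of users whose stored hashes are identical.

    In an unsalted table, identical passwords produce identical hashes, so a
    leaked dump exposes password reuse across accounts with no computation at
    all; a per-user salt removes that property."""
    by_hash = {}
    for user, digest in store.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(group) for group in by_hash.values() if len(group) > 1]

def pbkdf2_record(password, salt=None, iterations=600_000):
    """Hardened replacement: random per-user salt plus a slow, iterated KDF
    (PBKDF2-HMAC-SHA256 from the standard library; tune iterations to hardware)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def pbkdf2_store(users):
    return {u: pbkdf2_record(p) for u, p in users.items()}

def verify(record, candidate):
    """Recompute the KDF for a login attempt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

if __name__ == "__main__":
    weak = md5_store(SAMPLE_USERS)
    print("MD5 duplicate groups:", duplicate_hashes(weak))
    strong = pbkdf2_store(SAMPLE_USERS)
    print("PBKDF2 duplicate groups:",
          duplicate_hashes({u: r["hash"] for u, r in strong.items()}))
    print("alice login ok:", verify(strong["alice@example.com"], "winter2013"))
```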

Not that it’s paramount to Yahoo users past and present, but the disclosure may also impact Verizon’s proposed acquisition of the company’s core internet business. The NY Post previously reported that Verizon had requested a billion-dollar discount on the $4.8 billion deal after September’s revelation. The telecom giant has not yet responded to an inquiry about Wednesday’s twice-as-large hack.

Hopefully this is the last breach Yahoo will need to come clean about, but it will be difficult for the company to salvage consumer or corporate trust, especially since the full repercussions of these incidents are still not known. “How do we know, how can we be sure, that Yahoo actually kicked the bad guys out when they had three years to bury themselves in that system,” Grossman says. “I think [Yahoo] could do it if they had the mandate to be very transparent, but it’s going to be hard to get any assurance.”

- Wired