Security Industry Reactions to the Yahoo! Breach

Last week's disclosure by Yahoo! that somewhat more than 500 million customers' credentials had been compromised in a breach dating back to 2014 has prompted widespread reaction from industry experts. The incident has implications for Yahoo!'s consumer trust; it also is seen as likely to affect, adversely, the soft landing the company anticipated in Verizon's proposed acquisition of Yahoo!'s core assets.

We summarize below some of the commentary we've received from security industry veterans.

(Update, 9.28.16) InfoArmor has released its report on the breach. They've concluded that the number of accounts affected are much higher than the announced 500+ million, and could amount to more than a billion. That large figure understandably includes both bot and dormant accounts.

InfoArmor also thinks the threat actors were neither state-sponsored, at least in the sense of belonging to a hostile foreign intelligence service, nor were they the cybercriminal calling himself (herself?) "Peace_of_Mind." Yahoo!'s initial disclosure called the breach a "state-sponsored" attack, and "Peace" had been named in connection with the incident as well. "Peace" claimed to have some 200 million Yahoo! credentials for sale, but InfoArmor has concluded that none of those data were in fact related to the Yahoo! breach.

Instead, InfoArmor identifies the perpetrators as criminals. They divide them into two distinct threat actors and a third criminal reseller:

  • English-speaking members of the "Hell Forum." A member of this group previously hacked Ashley Madison, AdultFriendFInder, and the Turkish National Police database.
  • Members of "Group E," which InfoArmor describes as "professional balckhat hackers from Eastern Europe." InfoArmor believes this group has the actual Yahoo! data, and that they were behind the company's 2014 breach.
  • "tessa88," who has a record of reselling compromised databases, including data from the LinkedIn breach.

InfoArmor says that as of Tuesday, September 27, 2016, the actual data taken from Yahoo! were not available in any underground fora or black market. They think the Group E hackers have instead distributed the stolen data "to one of their proxies for further monetization based on the sale of particular records from the dump."

The hackers, InfoArmor believes, exfiltrated the data in segments. The database is divided into more than a hundred "equal parts, delivered in different files that are organized alphabetically by the names of user accounts."

Although the threat actors may not in the end turn out to be state-sponsored, their activities appear to have affected the US Government. InfoArmor believes the customer database compromised in the Yahoo! breach may be implicated in the October, 2015, cyber attacks on senior officials in the US Intelligence Community.

Breach detection, disclosure and mitigation.

Shuman Ghosemajumder, CTO of Shape Security:

"Credential spills are one of the most widespread, yet misunderstood, security breaches. Most stories will focus on Yahoo users, but the damage there appears to have been done months ago, and Yahoo will simply reset all their passwords so no further damage can be done.

"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today.

"We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 500M passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites.

"Unfortunately we see credential stuffing attacks on every major website in the world now. Shape's technology was specifically designed to stop these and other automated attacks, but so far we have focused on the largest banks, retailers, airlines, and government agencies, where the potential damage from accounts being taken over is the greatest. We hope to expand coverage to every major web service in the next few years."

Usman Choudhary, Chief Product Officer at ThreatTrack Security:

“Aside from the sheer scale of this breach which impacts half a billion users, what consumers need to be most concerned about is how long it took Yahoo to either discover or disclose this breach. For nearly two years their data has been exposed, and it has been putting them at risk. Hackers use the exact type of data stolen from Yahoo to attack consumers every day. For example, this data can be used to power phishing emails designed to look like they are coming from a trusted source and contain accurate personal data that trick users into clicking malicious links or opening infected attachments. This is a common tactic for gaining access to PCs to spread Trojans, ransomware and other threats. Moreover, our friends and family on social networks are also at risk if cybercriminals use our information and identity to compromise others. With a breach of this scale, all consumers need to be wary of what they click and ensure their PCs are secure.”

Christopher Pierson, EVP & General Counsel and Chief Security Officer for Viewpost:

“The breach of a major email and communications provider is incredibly concerning as access to a treasure trove of emails, calendar appointment, and contacts this large could give a nation state the ability to watch sensitive conversations or other interaction the person has through email they receive.  From their banks, doctors, bills, loved ones, and business partners – everything flows through email and to have access to this much information all tied together would give an adversary a tremendous strategic advantage.  Or a greater ability for blackmail as well.  It is disturbing to know that security question answers may not have been properly secured as they could allow an attacker a longer term access to an account even after a password was changed."

“If I were to give one piece of simple advice to better secure access to email or other sensitive websites it would be this – use dual factor authentication on every site and email account you have as your chances of being compromised at that location are infinitesimally small.  One of the most helpful websites to assist users in this process is called Two Factor Auth."

Data breaches and consumer trust.

Ray Rothrock, CEO and chairman of RedSeal:

“Who can you trust with your personal information? With today’s news that Yahoo has suffered a massive data breach, that’s a hard question to answer. There is no good housekeeping seal of approval that consumers can use to learn who does the best job of protecting their data. But there should be. Companies that pay as much attention to protecting their networks from the inside out as they do from the outside in should get the seal. Perimeter defenses designed to keep the bad guys out are no longer enough. Digital resilience, the ability to battle the bad guys when they are inside your network and protect high value assets like customer data, is the new gold standard.”

Ebba Blitz, CEO of encryption provider Alertsec:

"Alertsec's brand value research demonstrates just how difficult it will be for Yahoo!'s brand to recover from this breach. Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men. According to our study, nearly one in three Americans said it would take them several months to begin trusting a company like Yahoo again following a data breach. Twenty-two percent said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men are also more likely to switch to a competitor following a data breach than are women."

Keatron Evans, Senior Security Researcher and Principle of Blink Digital Security:

"The public want answers about the massive and prolonged attack that took place at Yahoo. The fact that the company was breached is not a surprise, and it’s far from unique - every company large and small faces similar attacks, but this one is different because it is playing out in the public arena. What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach? This slow response could become a PR nightmare that damages the company’s reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."

"As this story continues to unfold, it is likely that even more damaging news is revealed. The one thing that is clear at this point is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster. There are already appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action."

Business implications of the breach.

Corey Williams, Senior Director of Products and Marketing at Centrify:

“Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back. Since this breach occurred in 2014, wasn’t properly communicated or handled, it may very well give Verizon an 'out' or a reason to renegotiate."

"This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company. The stakes for properly securing access to corporate resources and handling security incidents couldn’t be higher.”

Chris Petersen, chief technology officer, senior vice president of customer care and co-founder of LogRhythm:

“Breaches are damaging and expensive, as Yahoo has discovered. The ramifications of a successful attack are far reaching, and could potentially impact their deal with Verizon. In addition, they’ll suffer from lost productivity, inconvenience to customers, and potentially the permanent loss of data and credibility. An organization’s success in defending against a data breach is largely dependent on its level of preparation to respond to a successful intrusion. Attackers will successfully compromise systems, but a resulting data breach can be avoided if the company detects the intrusion quickly. For companies to do so, and avoid a data breach, they must invest in modern technology that optimally aligns people and process with advanced analytics and workflow automation  Bottom line: Every organization needs to prepare for a successful attack and be able to respond quickly. Every Yahoo should change their password and to be prepared for malicious emails coming their way.”

Observations on pre-breach security.

(Added 9.28.16) Shuman Ghosemajumder, CTO of Shape Security, commented on the New York Times report that Yahoo!'s CEO Marissa Mayer "rejected the most basic security measure of all: an automatic reset of all user passwords":

"This actually isn't as straightforward as it might sound. While it's easy to proactively reset passwords on most types of accounts (e.g., your online banking account), resetting the password on your main email account is trickier."

"The problem is that the password reset mechanism usually involves sending a link to the email address registered with that account. If your bank wants to reset your account password, it can send the password reset link to your email address."

"However, if the password to be reset is the password to your main email account, unless you have a secondary email account registered with that account (which most Yahoo users likely do not), there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently."

"Of course, this is what challenge questions are often used for: to temporarily lock a user out of the account until they re-confirm their identity by answering those questions. However, in the case of this breach, the plaintext of challenge questions and answers have been stolen, so Yahoo has been forced to invalidate those questions as a means of authentication."

"As a result, even after the public announcement of this breach, Yahoo can still only hope that users will choose to change their passwords, and until users change their passwords, those accounts may continue to be accessible to cybercriminals."

"Sophisticated fraud schemes frequently involve the automated use of stolen account credentials for various purposes, including spam, money laundering, and credential stuffing attacks on other systems. Unfortunately, these automated attacks continue to be possible using any breached Yahoo email addresses so long as the old passwords on Yahoo email accounts remain valid."