Yahoo's Record-Setting Breach Disclosure

Yesterday Yahoo disclosed that more than a billion customer accounts were compromised in August 2013. This incident is distinct from the breach of 500 million accounts the company disclosed on September 22, 2016. Yahoo said in its announcement that how the breach was accomplished is not yet known, and that the company is working with law enforcement to investigate. This incident is regarded as being the largest breach on record, in terms of the number of individuals affected. Security industry experts have weighed in with their views on what happened and how such attacks might be prevented or mitigated.

What seems to have happened?

Yahoo confirmed that apparent Yahoo user data were indeed genuine. The company's investigation concluded that "an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts." The company has "not been able to identify the intrusion associated with the theft," but it believes this incident is distinct from the one the company disclosed on September 22 of this year. Yahoo also reports that "an unauthorized third party" accessed Yahoo proprietary code to forge cookies, and that this third party seems to be connected to the unnamed "state-sponsored actor" Yahoo believes is responsible for the breach the company reported in September. Excerpts from Yahoo's statement follow.

From Yahoo's statement:

"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."

"Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."

InfoArmor, which investigated Yahoo's earlier breach, told the CyberWire that it did not report that incident as a state-sponsored hack, and that this conclusion is Yahoo's own theory.

Andrew Komarov, Chief Intelligence Officer with InfoArmor:

"InfoArmor has never reported it as a state-sponsored hack; this is the theory of Yahoo in one of the first statements. Our company has no evidence and indicators about it, and we have enough evidence to characterize hackers as professional cybercriminals, working for profit. Our report from September has detailed information about their clients (spammers, mostly, and one of them—we believe—[is a] state-sponsored party), along with the structure of the leaked 1B records data with passwords, hashed in easily crackable MD5, [as] it was reported by us before 2 months from official Yahoo data breach disclosure today."

InfoArmor's Komarov told the CyberWire in response to follow-up questions that InfoArmor has identified the hackers as "Group E"—"professional black hats from Eastern Europe," that is, criminals as opposed to state actors, although they may well have nation-states among their customers. "We believe that of the clients of the identified hacking group might be [a] state-sponsored party from Eastern Europe, but NOT the actual hackers." 

Why the hackers would be interested in the material they stole is fairly clear—the credentials are likely to appear in many different accounts, opening up a wider field for further criminal or espionage activity. It's worth noting a Bloomberg report that some 150,000 of the individuals affected by the breach are US Government and military personnel.

Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies, Inc.:

"What started as a report of 500 million user accounts with one breach has again grown to 1 billion user accounts in an unprecedented breach report. What is even more disturbing is that the 1 billion user breach happened in 2013, predating the 500 million we previously learned about. We know that accounts that have been breached have value.

"The reason they have value is that people use the same password for multiple sites. The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering multiple passwords is hard. So again, what is the value of the breached accounts to the dark web and hacker community? The true value comes from the ability for attackers to socially engineer techniques specifically targeting breached victims. They have personal identifiable information like name, address, phone number, and email address.

"This breach also includes question and answer profiles for “I forgot my password” which can quickly allow an attacker to compromise victims' email accounts and know very personal information like mother’s maiden name and favorite pet. We may not realize it, but when an attacker gains control of your email they in essence own your identity. The attacker that buys the breached credentials will dictate what level of mischief or flat out criminal activity that will ensue. Keep in mind, some attackers will design spoofing attacks to try and get at higher profile information within an organization, while others will directly attack multiple websites looking for the same username/password combination they obtained from both breaches. If you were not a victim in the last breach, chances are you will be affected by this one.

"The bottom line here is if you have a current Yahoo account or have ever had a Yahoo account, change all of your passwords and question/answer profiles, pronto."

John Bambenek, Threat Systems Manager of Fidelis Cybersecurity:

“It’s concerning that another breach was discovered but the cause was unable to be determined. It will make it difficult to fully remediate it as it remains unknown.

“The good news is that if enterprises already mitigated their exposure after the first announcement, this second breach notice shouldn’t create additional exposure. An assumption should be every Yahoo! account prior to the breaches was exposed unless the password AND security questions were changed.

“This is a reminder of why security questions remain a poor idea. Once someone’s digital identity (their primary email) is connected to security questions, those questions will likely be carried forward to other accounts including bank accounts and credit card online accounts.”

Bret Lowry, CEO of WinPatrol:

"Yahoo has now proven more than once that their security is lacking with an announcement earlier this year that 500 million accounts got hacked in 2014 and now this announcement that one billion accounts were hacked as long ago as 2013.

"Especially disturbing is the time it has taken Yahoo to realize and announce the attacks. Three years is forever in terms of computers and the Internet. Yet that is how long it has taken Yahoo to make this information public, thus putting at risk every single account all of their users have on any site on the Internet, their users' personal computers and at every business where people access their Yahoo accounts.

"The investigation into the attack is still ongoing. The latest news states that the attack was not a typical phishing attack, but rather via proprietary Yahoo code becoming compromised allowing hackers access to internal systems. If this was indeed an 'inside job,' then the hackers probably had the ability to decrypt all 'secure' data which means none of your information on file at Yahoo is safe.

"Be vigilant and practice safe computing by avoiding password re-use, never reusing the same answer to 'Security Questions' and use software that specializes in blocking Phishing and Ransomware attacks."

Chenxi Wang, Twistlock's Chief Strategy Officer:

"This latest breach Yahoo just disclosed, dated back to 2013 and affecting over one billion users, is yet another proof point that Yahoo's priorities clearly did not include proactive protection of user information. Yahoo was late in implementing encryption, late to adopt bug bounty programs, and also failed to implement automatic password refreshes for its users after the first large-scale breach. It is not surprising that more breaches are discovered given such a lackluster attitude towards user security. The critical question is, how many more breaches are waiting in the wings, not just for Yahoo but for other companies that also fail to embrace proactive security measures such as multi-factor authentication and end-to-end encryption, all in the name of more pressing business priorities? And what other surprises are in store for consumers?"

[Updated 12.16.16 with comments from eSentire.]

Eldon Sprickerhoff, founder and chief security strategist of eSentire:

“The magnitude of this breach doesn’t just impact Yahoo account holders; it extends to anyone using web mail services, and drives home how critical two-factor authentication is when it comes to account security. We all have a role to play in the security of our own data. The same fate could be a reality for anyone not using two-factor authentication to secure their accounts.

"In Yahoo’s case, account passwords were hashed. Think of it as a one-way encryption that can’t be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed, and feed it through the hash function, you end up with all possible hashed passwords. You can then do a reverse lookup and find the actual password. What this means, is that with standard password technology in place (like the kind used by Yahoo), hackers can easily identify user passwords. Two-factor authentication takes security one step further, eliminating the need for hashes, and the risks associated with hashes. It’s a feature that’s enabled by adding another form of identity verification to the account sign in process, like a phone number. It’s a simple step that provides significantly more protection to account holders. This breach reinforces the need for two-factor authentication on all user accounts, whether business or personal."

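Sprickerhoff's description above is the classic precomputed-lookup attack on unsalted hashes, and Yahoo's own statement says the stolen passwords were MD5 hashes and that security-question answers were stored "encrypted or unencrypted". The following is an added example (not code from the article, from Yahoo, or from eSentire) that puts the weak scheme beside the storage design that defeats it: one unsalted MD5 table recovers the weak entries of every account at once, whereas a per-record random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here) makes any precomputed table useless, and security-question answers get exactly the same treatment after normalization instead of being kept recoverable. The wordlist, the sample "leaked" column and the iteration count are constructed or assumed values.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed guess list standing in for the dictionaries attackers precompute.
WORDLIST = ["password", "123456", "qwerty", "letmein", "yahoo2013"]

# Assumed work factor for the slow KDF; tune so one hash costs ~100 ms on the auth servers.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(secret: str) -> str:
    """The weak scheme: one MD5 of the raw password, no salt, no work factor."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed table hash -> plaintext. Because no salt is involved, the
    same table applies to every record in a leaked database."""
    return {md5_unsalted(w): w for w in words}


def recover_unsalted(stored_hashes, table):
    """Reverse lookup: every stored hash present in the table is recovered."""
    return {h: table[h] for h in stored_hashes if h in table}


def normalize_answer(answer: str) -> str:
    """Security-question answers are handled like passwords, after Unicode
    normalization, trimming and case-folding so that 'Fluffy ' and 'fluffy'
    verify the same. They are hashed, never stored encrypted or in clear."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: per-record random salt plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored, the secret itself is not."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def salted_hashes_collide(secret: str) -> bool:
    """Two records with the same secret get different digests under fresh salts,
    so one precomputed table cannot be reused across records. Expected: False."""
    _, d1 = hash_secret(secret)
    _, d2 = hash_secret(secret)
    return d1 == d2


if __name__ == "__main__":
    # Constructed "leaked" column: two weak choices and one strong passphrase.
    leaked = [md5_unsalted(p) for p in ("qwerty", "yahoo2013", "correct horse battery staple")]
    print("recovered from unsalted MD5:", recover_unsalted(leaked, build_lookup(WORDLIST)))
    salt, digest = hash_secret(normalize_answer("  Fluffy "))
    print("salted answer verifies:", verify_secret(normalize_answer("fluffy"), salt, digest))
    print("salted digests collide:", salted_hashes_collide("qwerty"))
```

The strong passphrase is not recovered even from the unsalted column, which is why the quoted advice to stop reusing passwords matters; the salt and work factor are what protect the weak majority. A memory-hard KDF such as scrypt or Argon2 is the usual production choice; PBKDF2 is used here only because it ships in the standard library.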
J.Paul Haynes, CEO of eSentire:

“Any breach that involves personally identifiable (PII) information - like names, addresses, and user credentials - can haunt its victims for months or years. This information usually ends up on the dark web, where it’s cycled through buyers who can use that information to commit various forms of fraud. Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts.”

[Updated 12.16.16 with comments from Nuix.]

Chris Pogue, CISO at Nuix:

"If it was you forcing someone else to execute something on your behalf, then it would be CSRF (Cross-Site Request Forgery). This is a bit different. The fact they said 'forge' and 'authentication cookies', to me means that they were keeping account state in cookie data, allowing someone to change the cookie from “user=bobama” to “user=dtrump” and then Obama would be Trump. My guess is it’s not that simple, but there must be a method to the madness. Whether it’s encrypted or not, looks like they figured out the key. Ideally session data is stored on the server; the fact that the client was able to forge session data means that their session management was not in alignment with best practices. This would bring all of the authentication code logic into question; and if they are doing this, what else are they doing that is inadvisable."

[Addressing statements about the breach being connected to a "state-sponsored" actor.]

"Of course it is...only, here's the problem. In a previous statement, Lord said, “We have not been able to identify the intrusion associated with this theft.” So, logically (pesky logic), if they have not been able to identify the intrusion associated with this second attack, how can they possibly attribute it to a state-sponsored actor? They can't - it just sounds cooler to say that it was a "state-sponsored" actor...all Jason Bourne and whatnot."

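Pogue's three possibilities above (account state carried in the cookie, a cookie protected by a key, and session state kept on the server) are worth seeing side by side. The block below is an added example, not Yahoo's code and not Nuix's, and it assumes nothing about Yahoo's actual design: a plain cookie is believed as sent; an HMAC-signed cookie rejects an edited payload, but anyone who obtains the signing key can mint a valid one, which is the failure mode Yahoo's statement describes when it says the intruder "accessed our proprietary code to learn how to forge cookies"; an opaque random session id keeps all state server-side, so there is nothing to decode and every session can be revoked centrally (the equivalent of "invalidated the forged cookies"). Key, user names and session store are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side signing key; in production it lives in a secrets store,
# never in the application source where a code leak would expose it.
SERVER_KEY = secrets.token_bytes(32)


# --- Design 1: account state carried in the cookie, nothing protecting it ---
def plain_cookie(user: str) -> str:
    return f"user={user}"


def user_from_plain_cookie(cookie: str) -> str:
    # Whatever the client sends is believed: "user=bobama" edited to
    # "user=dtrump" is accepted as dtrump.
    return cookie.split("=", 1)[1]


# --- Design 2: same payload, HMAC-SHA256 over it so edits are detected ---
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii")


def sign_cookie(user: str, key: bytes = SERVER_KEY) -> str:
    payload = f"user={user}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def user_from_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    try:
        p64, m64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # edited payload, or MAC made under a different key
    return payload.decode("utf-8").split("=", 1)[1]


# --- Design 3: opaque random session id; all state stays on the server ---
SESSIONS = {}  # session id -> session record (constructed in-memory store)


def create_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, nothing to decode or forge
    SESSIONS[sid] = {"user": user}
    return sid


def user_from_session(sid: str) -> Optional[str]:
    entry = SESSIONS.get(sid)
    return entry["user"] if entry else None


def revoke_sessions_for(user: str) -> int:
    """Server-side invalidation: returns how many sessions were dropped."""
    doomed = [sid for sid, entry in SESSIONS.items() if entry["user"] == user]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


if __name__ == "__main__":
    tampered = plain_cookie("bobama").replace("bobama", "dtrump")
    print("design 1 believes:", user_from_plain_cookie(tampered))
    good = sign_cookie("bobama")
    edited = _b64(b"user=dtrump") + "." + good.split(".", 1)[1]  # new payload, old MAC
    print("design 2 on edited cookie:", user_from_signed_cookie(edited))
    leaked_key = SERVER_KEY  # the failure mode: key recovered from leaked code
    print("design 2 once the key leaks:", user_from_signed_cookie(sign_cookie("dtrump", leaked_key)))
    sid = create_session("bobama")
    print("design 3 on a guessed id:", user_from_session(secrets.token_urlsafe(32)))
    print("revoked:", revoke_sessions_for("bobama"), "now resolves to", user_from_session(sid))
```

Design 2 is adequate only while the key stays secret and is rotated when code or infrastructure is suspected compromised; design 3 has no secret to leak, and a suspected intrusion is answered by clearing the store, which is the clean-up Yahoo describes.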
What are its possible implications for consumer trust?

In fairness to Yahoo, it's worth noting that the company isn't technologically clueless or a security tyro, but the breaches may be expected to have a significant effect upon their customers.

Ilia Kolochenko, CEO of High-Tech Bridge:

“I don't think the breach will impact Yahoo's customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers. The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes. If they haven’t done so already after September’s disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense."

Alertsec thinks its brand value research suggests that the damage to Yahoo's brand may be significant, and that men are significantly less likely to forgive and forget than are women.

Ebba Blitz, CEO of Alertsec:

"Alertsec's brand value research demonstrates just how difficult it will be for Yahoo's brand to recover from this breach. Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men. According to our study, nearly one in three Americans said it would take them several months to begin trusting a company like Yahoo again following a data breach. Twenty-two percent said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men are also more likely to switch to a competitor following a data breach than are women."

[Updated 12.16.16 with comments from Nuix.]

Chris Pogue, CISO at Nuix:

"I am not sure how this can be perceived as anything other than being asleep at the wheel. Even if there was a 'good explanation' at this point, their credibility is in the dunny...there is no coming back from this."

What are its possible implications for acquisition due diligence?

Verizon has been in negotiations to acquire Yahoo’s core assets. How is this latest disclosure likely to affect this acquisition?

John Bambenek, Threat Systems Manager of Fidelis Cybersecurity:

"At this point, we have another new breach (though from 2013) and I have to think there will be an incremental negative influence. In Yahoo!’s favor is the mitigations and remediations they have already done would likely have taken care of the risk of both breaches as much as they could be, but it’s another big negative PR hit for Yahoo! at a time when they need good stories to sell."

Ilia Kolochenko, CEO of High-Tech Bridge:

"Announcing such a massive breach three years after it has occurred is a very serious, and hopefully a well-thought-out, step taken by Yahoo. As we don't have any clear technical details around what has actually happened, it's difficult to make any conclusions on who or what was at the origins of the breach.

“However, I am pretty sure that this news has the potential to negatively impact the deal with Verizon. Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline - just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected."

[Updated 12.16.16 with comments from Nuix.]

Chris Pogue, CISO at Nuix:

"Wow - how many times have I said that data breaches are almost always worse than initially thought? A lot. If Verizon was going to purchase Yahoo for its Intellectual Property (IP) and brand reputation, both of which are pretty much shot at this point, my money is on Verizon walking away after this…"

"In my opinion, I think THE takeaway is that our industry has reached another pivotal point in its evolution; one that directly ties the security posture of an organization directly to its valuation. Just like the Target breach made 'cybersecurity' a household name and vendor management part of an organization's security posture, and the Sony breach showed that there could be a direct nexus between computer system breaches and human activity, the Yahoo breach will forever be seen as the trigger event that intertwined an organization’s security posture and their overall net worth."

What are some ways of preventing or mitigating such breaches?

Security questions are commonly used to supplement or backup passwords. The Yahoo! breach can be taken to exhibit the risks of relying on this approach (and also provides some insight into why criminals and state actors are so interested in information about users).

John Gunn, VP of Communications, VASCO Data Security:

"Static passwords are the only internet technology that people are still trying to use more than 20 years after introduction. The scarier part of this disclosure is the revelation that security questions were also exposed. You can change your password after a breach, but you can’t change the name of your first school, favorite teacher, or first animal.  Multifactor authentication is simple, effective, and easy to implement - so there is simply no reason for passwords to still be in use."

Michael Patterson, CEO of Plixer:

“Whenever forensic experts are brought in, they almost always ask for the logs. Hackers know their every move is being logged on systems and often take steps to delete them.  It is very important that logs be sent by sensitive systems to User Datagram Protocol (UDP) forwarders for replication to multiple systems.  This practice makes it nearly impossible for hackers to erase their movements. Flow records generated by NetFlow and IPFIX should also be archived on collectors.  When forensic investigations need to take place, logs and flows answer the who, what, when, where and how much.  The more security experts can learn about what happened, the more that can protect against future events.”
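Patterson's recommendation above has two halves: ship every sensitive system's log lines to more than one collector as they are written, and, in an investigation, treat a line that a collector holds but the host no longer has as evidence in its own right. The following is an added example, not code from the article or from Plixer: it frames constructed authentication events as RFC 5424 syslog lines, fans each datagram out over UDP to a list of collectors, and reconciles the host's surviving log against the collectors' copies to surface what was deleted. Host names, ports, collector addresses and the sample events are all constructed.

```python
import json
import socket

# Constructed events from a hypothetical authentication host.
SAMPLE_EVENTS = [
    {"id": 1, "event": "login_ok", "user": "alice", "src": "203.0.113.5"},
    {"id": 2, "event": "login_fail", "user": "bob", "src": "198.51.100.7"},
    {"id": 3, "event": "sudo", "user": "bob", "cmd": "rm /var/log/auth.log"},
    {"id": 4, "event": "login_ok", "user": "bob", "src": "198.51.100.7"},
]

# Assumed collector addresses: two independent boxes, so a wiped host is never the only copy.
COLLECTORS = [("127.0.0.1", 5514), ("127.0.0.1", 5515)]


def build_syslog(event: dict, hostname: str = "auth01", app: str = "authd",
                 facility: int = 10, severity: int = 6,
                 ts: str = "2013-08-01T00:00:00Z") -> bytes:
    """RFC 5424 line: PRI = facility*8 + severity (10 = authpriv, 6 = info),
    version 1, timestamp, host, app, then the event as a JSON message."""
    pri = facility * 8 + severity
    body = json.dumps(event, sort_keys=True)
    return f"<{pri}>1 {ts} {hostname} {app} - - - {body}".encode("utf-8")


def fan_out(datagram: bytes, collectors, sock=None) -> int:
    """Send the identical datagram to every collector; returns the number of sends
    that succeeded. UDP is fire-and-forget, so replication to several collectors
    is what gives the record durability against a host being cleaned."""
    sock = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delivered = 0
    for host, port in collectors:
        try:
            sock.sendto(datagram, (host, port))
            delivered += 1
        except OSError:
            pass
    return delivered


def missing_locally(local_lines, *collector_copies):
    """Forensic reconciliation: every line some collector holds that the host no
    longer has was removed after it was emitted, which is itself an indicator."""
    local = set(local_lines)
    remote = set().union(*collector_copies)
    return sorted(remote - local)


if __name__ == "__main__":
    lines = [build_syslog(e) for e in SAMPLE_EVENTS]
    for line in lines:
        print("delivered to", fan_out(line, COLLECTORS), "collectors")
    # Simulate the host's own log after an intruder removes the 'sudo' entry.
    tampered_local = [l for l in lines if b'"sudo"' not in l]
    for gap in missing_locally(tampered_local, lines, lines):
        print("on collectors, absent on host:", gap.decode())
```

Plain UDP syslog is neither reliable nor authenticated; the replication is what makes erasure detectable, and collectors on a segregated network with TLS transport (RFC 5425) are the usual hardening on top of it.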

Bret Lowry, CEO of WinPatrol:

"The use of 'Security Questions' seemed like a good idea when it was originally invented, but has proven to be quite naïve in nature and even worse in cases like this downright dangerous. When hacks occur, hackers can obtain the answer to the “typical” security questions reused by many sites, thus turning these security questions into weapons that can be used against those who trustingly answered them, thinking the answers would be kept safe."

"We recommend anyone who has a Yahoo account remove it now.

"We also recommend business block their servers so that employees don’t check emails thus putting their employers at risk for phishing attacks."

WinPatrol's Lowry offered the following recommendations for anyone with a Yahoo account:

"Before you delete the account, delete all emails and folders, enter invalid information for any security questions, and then delete the account. We recommend the above because when “removing” Yahoo accounts in the past we’ve found they truly do not deactivate them; this may be why they have 1 billion accounts.

"If you have used the same password as used on Yahoo on any other site, change it immediately.

"If security questions on other sites match those on Yahoo, change the answers.

"Never reuse the answer to a security question. If/when the next hack occurs you don’t want your answers to be used against you.

"If you associated your mobile phone number with your Yahoo account, beware: you may become a target of smishes (mobile phishing attacks).

"Ensure your security software is truly capable of blocking phishing and ransomware attacks."

[Updated 12.16.16 with comments from eSentire.]

Eldon Sprickerhoff, founder and chief security strategist of eSentire:

"The greater risk with this particular breach is the countless other email accounts that could be impacted. Many Internet Service Providers (ISPs), like Rogers in Canada or Sky UK in the United Kingdom, chose not to create their own web mail system. Instead, they white-label Yahoo mail for their account holders. So, if you have a Rogers or Sky UK web mail account, it means that you actually have a Yahoo email account. Regardless, the safest route for all users is to update all passwords and ensure two-factor authentication is enabled, immediately.”

[Updated 12.16.16 with comments from Nuix.]

Chris Pogue, CISO at Nuix:

"I think the key issue here is visibility. Yahoo clearly did not have good visibility into their environment, either from the perspective of the vulnerabilities that were present that allowed the breach, or from their ability to detect the attack after it took place. I don’t know that I would refer to this as a “mistake” per se, but rather an inadequate prioritization of risks and resources. Also, it’s important to understand that this entire debacle is not the result of a single, catastrophic event. It is a culmination of what is either an unrealistic view of the threat landscape, a serious lack of security preparedness, or both. Probably both."

What lessons should businesses draw from the incident?

A short lesson—be sure your board and executives understand that cyber risk management is a business issue that merits attention at the highest levels.

Chris Pierson, CSO of Viewpost:

"The Yahoo Breach Part 2 must serve as a wake-up call to all Board of Directors that cybersecurity is not an operational or technical issue. It is an issue of goodwill, reputation, differentiation, customer loyalty, and pride that must be seen as an enabler to business. If the organization does not have the right Board Advisor and Cybersecurity Executive, then it is time to find those people now."

Jeff Hill, Director of Product Management, Prevalent, Inc.:

"By far the most relevant and disquieting element of this story is that it took Yahoo – not exactly a backwater, technophobic organization – over 3 years to discover bad actors on its network exfiltrating billions of records. The lesson is clear: no organization is immune to compromise. What makes this a significant episode is not the breach itself, but the time-to-detection. Criminal actors can do significant damage in days and weeks; give them years, and all bets are off."

Ray Rothrock, CEO and chairman of RedSeal:

“The Yahoo data breach announced Wednesday underscores the question we raised in September – Who can we trust with personal information? This question is becoming increasingly difficult to answer. The one billion Yahoo users affected by the breach and others now feel vulnerable and skeptical.

"Companies with visibility into their networks are better positioned to address the concerns of consumers, business partners and shareholders in the wake of this attack.

"Digital resilience scores – similar to credit worthiness scores – provide a benchmark and support a cyber strategy for improvement.

"Companies must pay as much attention to protecting their networks from the inside out as they do from the outside in. Perimeter defenses designed to keep the bad guys out continue to prove necessary but insufficient to address today’s threats. Digital resilience – the ability to battle the bad guys when they are inside your network, continue your operations staying in business and protect high value assets like customer data – is the new gold standard."