12/15/2016
01:28 PM

1 Billion Users Exposed In Another Record Breach From Yahoo

Security experts slam Yahoo for the newly disclosed August 2013 intrusion, and fresh questions arise about Verizon's plans to acquire the company.

Security professionals this week slammed Yahoo for being careless with user information after the company disclosed it was the victim of a malicious intrusion in which data associated with more than one billion user accounts was compromised.

The disclosure comes less than three months after Yahoo reported, in September, a separate intrusion involving 500 million accounts, and it has already raised more questions about Verizon Communications Inc.'s pending $4.8 billion acquisition of the company.

After the September disclosure, some legal experts believed Verizon would try to negotiate that price down, citing a material adverse change clause in its pending agreement with Yahoo. Bloomberg News this morning reported talk has now begun about Verizon seeking to drive the price down even further or exit from the deal altogether.

“I am pretty sure that this news has the potential to negatively impact the deal with Verizon,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.

“Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline - just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected.”

Yahoo's newly disclosed breach happened in August 2013 and exposed names, email addresses, hashed passwords, dates of birth, phone numbers, and in some cases the security questions that people use to verify their identity.

In addition, a separate and ongoing investigation has shown that unknown intruders gained access to Yahoo’s proprietary code and used it to forge cookies that were then used to access user accounts, Yahoo said in a statement Wednesday. Yahoo has invalidated the forged cookies and affected account holders are being notified, the company said.

The August 2013 intrusion appears to be completely separate from the one Yahoo disclosed in September. Yahoo has said that breach happened sometime in late 2014 and likely involved state-sponsored actors. Those behind the 2014 intrusion also appear to be involved in the theft of proprietary code and the creation of the forged cookies, Yahoo said Wednesday.

Yahoo’s apparent failure to discover a data theft of this magnitude for over three years has inspired the wrath of some security professionals. The 1 billion user accounts exposed in the intrusion make it by far the biggest breach disclosed to date. In terms of compromised records at least, it is double the size of the intrusion that Yahoo disclosed in September, which at that time had been the largest ever.

“The revelation that simultaneous with the prior intrusion and exfiltration of data there was another attacker in Yahoo’s systems is quite concerning,” says Chris Pierson, chief security officer and general counsel at Viewpost, an online invoice and electronic payment processing company.

“Yahoo breach part two must serve as a wakeup call to all boards of directors that cybersecurity is not an operational or technical issue. Rather it is an issue of goodwill, reputation, differentiation, and customer loyalty,” Pierson says.

The breach disclosure has raised multiple questions about the quality of Yahoo’s security controls and processes for detecting and responding to intrusions on its network. As with the breach disclosed in September, Yahoo did not know about the August 2013 intrusion until this November when law enforcement provided the company with data apparently stolen from its servers. It was Yahoo’s subsequent analysis of the data that unearthed evidence of the 2013 breach.

So far, the company has not been able to identify the exact intrusion point associated with the theft and appears somewhat unsure about whether it is connected to the previously disclosed breach or not.

Philip Lieberman, president of Lieberman Software, described the breach as a result of Yahoo’s apparently cavalier attitude to security. “In our interactions with Yahoo over the years, there has been a consistent lack of interest in security as well as a palpable arrogance in their ability to manage their security without any help from the outside,” he said.

The takeaway from this incident is that organizations need to be actively looking for intrusions, expect that not every intrusion will be discovered, and operate so as to minimize losses when one does occur. “If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security as Yahoo now finds themselves,” Lieberman said.

The theft of proprietary code from Yahoo and the subsequent use of that code to forge cookies points to other problems as well. “If the code had embedded secrets that allowed this forging [of] cookies then that is a code implementation error,” said Chris Wysopal, chief technology officer at Veracode. “If there were no secrets then it would likely be a design flaw if access to the code alone could allow forging cookies.”

The fact that intruders even had access to the proprietary code in the first place raises questions, Wysopal said. “Companies typically consider this the Crown Jewels and guard it well. How did that access happen?” he asked.
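The cookie-forging scenario Wysopal describes is easiest to see with a concrete signing scheme. The following is an added example written for this page, not Yahoo's code and not a description of Yahoo's actual cookie format, which the company has not published. It assumes a session cookie of the form user|issued_at|tag, where tag is an HMAC-SHA256 over the first two fields, and that the signing key was hard-coded in the source tree (the "embedded secret" case). Anyone holding that source can mint a valid cookie for any account without a password; the server-side response is to rotate the key and refuse anything issued before the rotation, which is what invalidating the forged cookies amounts to. Key values and timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: the key as it would sit in a checked-in source
# file, and the replacement key held outside the code base after rotation.
KEY_IN_SOURCE = b"hardcoded-cookie-signing-key"
KEY_AFTER_ROTATION = secrets.token_bytes(32)


def sign_cookie(user: str, issued_at: int, key: bytes) -> str:
    """Issue 'user|issued_at|tag' with tag = HMAC-SHA256(key, 'user|issued_at')."""
    payload = f"{user}|{issued_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, key: bytes, not_before: int = 0) -> Optional[str]:
    """Return the user name if the tag verifies under `key` and the cookie was
    issued at or after `not_before`; otherwise None."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, issued_at, tag = parts
    expected = hmac.new(key, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if int(issued_at) < not_before:
        return None
    return user


def forge_cookie(victim: str, stolen_key: bytes, issued_at: int) -> str:
    """What an attacker holding the source, and therefore the key, can do:
    mint a cookie for any account without ever knowing its password."""
    return sign_cookie(victim, issued_at, stolen_key)


def demo() -> dict:
    t_breach = 1_000   # constructed timestamps; only their ordering matters
    t_rotate = 2_000

    forged = forge_cookie("victim@example.com", KEY_IN_SOURCE, t_breach)

    # Until the theft is noticed, the server still trusts the leaked key,
    # so the forged cookie is indistinguishable from a real login.
    before = verify_cookie(forged, KEY_IN_SOURCE)

    # Response: rotate the key and reject anything issued before the cutoff.
    # Every cookie minted under the old key, forged or genuine, now fails.
    after = verify_cookie(forged, KEY_AFTER_ROTATION, not_before=t_rotate)

    # A fresh login signed under the new key is accepted.
    legit = sign_cookie("alice@example.com", t_rotate + 1, KEY_AFTER_ROTATION)
    fresh = verify_cookie(legit, KEY_AFTER_ROTATION, not_before=t_rotate)

    return {
        "forged_accepted_before_rotation": before is not None,
        "forged_accepted_after_rotation": after is not None,
        "fresh_login_accepted_after_rotation": fresh == "alice@example.com",
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the example. First, the key must never live in the repository: load it at runtime from a secret store or environment the code does not ship with, so that reading the source reveals the algorithm but not the ability to sign. Second, rotation only helps if the verifier also enforces an issuance cutoff (or a key version in the cookie); without that, a forged cookie remains valid for as long as the old key is still accepted. The unkeyed variant Wysopal calls a design flaw is the degenerate case of this code where the tag depends on nothing but the code itself, so no rotation is possible without changing the algorithm.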

Several security experts said the best recourse for users is to delete their Yahoo accounts if possible given the length of the exposure and to immediately change passwords on all accounts where they might have used the same password.

In breaches involving password and username compromise, companies can typically disable access to user accounts and send password reset links to their registered email accounts. In this case, Yahoo will likely find it harder to do the same because the password to be reset is the password to the email account itself, said Suman Ghosemajumder, chief technology officer at Shape Security.

“Unless you have a secondary email account registered with that account, which most Yahoo users likely do not, there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
