9/22/2016 04:40 PM

Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users

But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum.

The other shoe has dropped - maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor.

Some 500 million Yahoo user accounts were stolen, and Yahoo is working with law enforcement in an investigation of the attack. The announcement comes as Yahoo begins the process of selling its operating business to Verizon for some $4.83 billion in cash, a deal that was first announced in late July. Security experts say this could be a record-breaking breach in terms of size.

Bob Lord, CISO at Yahoo, in a blog post today said the attackers stole "a copy of certain" Yahoo user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with Bcrypt, while some security Q&As were encrypted, and some were not, he said.

Payment card and bank account information was not associated with the breached system, he said, so that information was not exposed. 

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," he said.
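The distinction Lord draws above, between passwords stored as slow salted hashes and security answers that were merely encrypted or left in the clear, is the one that decides whether a stolen database is usable offline. The following is an added example (not Yahoo's code and not from the article) showing how a salted, work-factored hash protects a secret and why the same treatment should be applied to security answers. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which the article says Yahoo used for most passwords; the record format and the `normalize_answer` rule are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor. bcrypt, which the article says Yahoo used for most passwords, has an
# equivalent "cost" parameter; PBKDF2-HMAC-SHA256 from the standard library stands in here.
ITERATIONS = 200_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Only a one-way digest is stored; there is no key that would let anyone who
    steals the record recover the secret.
    """
    if salt is None:
        salt = os.urandom(16)  # per-record random salt: identical secrets get different records
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed verification, never as a crash
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def normalize_answer(answer: str) -> str:
    """Security answers are typed by humans; fold case and whitespace so 'Fluffy ' and 'fluffy' match.

    This is an assumed policy for the example, not something the article attributes to Yahoo.
    """
    return " ".join(answer.casefold().split())


def hash_security_answer(answer: str) -> str:
    """Store a security answer exactly like a password: salted, slow, one-way."""
    return hash_secret(normalize_answer(answer))


def verify_security_answer(answer: str, record: str) -> bool:
    return verify_secret(normalize_answer(answer), record)


if __name__ == "__main__":
    record = hash_security_answer("Fluffy")
    print(record)                                   # no plaintext, no recoverable key material
    print(verify_security_answer("  fluffy ", record))  # True
    print(verify_security_answer("Rex", record))        # False
```

Hashing does not make a low-entropy security answer strong; a pet's name still falls to a short guessing run against a stolen record. It does remove the failure mode Hart describes later in the article, where encrypted records become plaintext the moment the encryption key is mishandled, and it is why rate limiting and a second factor still matter for account recovery.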

Yahoo's revelation today came after many Yahoo users reported receiving password-change emails over the past 24 hours, some with the subject line "secure your Yahoo account," with no explanation. Others received email notices of "suspicious activity" on their accounts and steps for resetting their passwords. Recode this morning reported that Yahoo would be announcing a breach affecting "millions" of its users.

But the drama officially began unfolding publicly back in August, when a hacker known as "Peace" or "Peace_of_Mind" began selling online what he advertised as some 200 million Yahoo user credentials. "Peace," who is known to be the co-founder of the underground TheRealDeal Marketplace, had done the same with stolen LinkedIn and MySpace credentials in May of this year. At the time, Yahoo told Motherboard it was investigating the report.

Today's announcement is its first official confirmation of a cyberattack involving user credentials. Still unclear is whether the Peace incident is related to the newly revealed nation-state breach, and, if so, whether the same nation-state actor is also responsible for the LinkedIn and MySpace attacks.

It's possible the two Yahoo credential breach incidents are separate attacks, notes Jeremiah Grossman, chief of security strategy at SentinelOne and a former infosec officer at Yahoo. If the attackers were out of China, for example, he says, they wouldn't likely share or sell stolen information. "For all we know, these are separate breaches," he says, noting that the details of the two don't quite match up.

Nation-state cyber espionage typically is all about gathering intelligence: geopolitical information, intellectual property, or even inside information on a merger or other business deal. The attackers who hit Yahoo likely were fishing for access to Yahoo accounts that could get them either inside the company for its secrets, or into some Yahoo user accounts for similar purposes.

Yahoo's dealings with Alibaba, for instance, would be of interest to a Chinese nation-state actor, Grossman notes. The attackers would "hack the system to figure out what Yahoo was negotiating and share with guys on their side, like a Chinese organization," for example, he explains.

If the attacks are related, however, Yahoo's response has confounded some experts. Why it took Yahoo nearly two months to confirm there was a breach, while the dumped credentials potentially left Yahoo Mail users' accounts exposed, is a question many are mulling today. "I would err on the side of caution and force a password change. It's better to be out in front of it than behind it," says Rick Holland, vice president of strategy at Digital Shadows.

"Let's be honest. If [Peace] was selling this in August, these credentials were already used in other [attack] campaigns long before that," he says.

Yahoo gave no details of how the nation-state hackers infiltrated the company's network, but experts say the most likely vector was the old reliable phishing attack: fooling a Yahoo employee with either a malicious attachment or a link that then downloaded malware, giving the attackers a foothold in the network.

Grossman says that, like any large tech firm, Yahoo is a juicy target with its massive network presence. "It's a big attack surface," he says of Yahoo's massive infrastructure. "There's so much to defend … It's a hot target," so attacks are no surprise, he says.

Fallout
Phishing attacks likely will be the number one fallout, with the stolen Yahoo account details used to craft convincing phishing lures. Credential stuffing, a brute-force attack in which attackers replay stolen username and password pairs against other websites' login forms until they find a match, is another big risk.

But perhaps the biggest risk is to Yahoo users who reuse passwords across different accounts. According to a recent study by TeleSign, some 73% of online accounts use passwords that are duplicated among other accounts. Bottom line: Yahoo users whose stolen password is also used on other sites need to change the passwords on those accounts ASAP, too.

Yahoo doesn't require two-factor authentication, but the breach again demonstrates the time has come for this to become a standard for user authentication – for internal users and customers, experts say. The catch with this breach, however, is that the attackers have enough personal information on Yahoo users that they could still have hijacked an account with 2FA, Grossman says. "If you've got birthdays and addresses, you can log into an account," he says.

The good news: some of the stolen Yahoo account data was encrypted, assuming Yahoo has strong encryption practices. 

"The good news is that the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted, but these records could be easily decrypted if the company did not implement properly managed encryption keys," says Jason Hart, vice president and CTO of data protection at Gemalto.

Yahoo's Lord says there's "no evidence" the nation-state hackers are still resident in its network.

What Now
Yahoo recommends users change their passwords and security questions and answers for both Yahoo and any other accounts where they used the same passwords or similar security information. In addition, Yahoo says users should:

  • "Review your accounts for suspicious activity. 
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.
  • Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins (User Rank: Strategist), 9/26/2016 | 9:03:24 AM
Re: Most passwords hashed?
It will be interesting to see what if anything Verizon does security-wise for Yahoo customer accounts.

Whoopty (User Rank: Ninja), 9/26/2016 | 7:37:34 AM
Re: Most passwords hashed?
Agreed, such negligence should be criminal in the age of information security we are currently in. For a company like Yahoo, which has been in the game for several decades at this point, to not employ basic security for its users' information is a complete travesty.

Dr.T (User Rank: Ninja), 9/25/2016 | 9:35:47 AM
Re: Yahoo Hack
Also, maybe Verizon will start having additional bargaining power from this point forward; there is a prestige issue now.

Dr.T (User Rank: Ninja), 9/25/2016 | 9:34:53 AM
2 years?
I would think there may be a possibility that they have not known until hackers started selling information; 2 years would make sense if that is the case.

Dr.T (User Rank: Ninja), 9/25/2016 | 9:34:04 AM
Re: Yahoo Hack
Agreed. Identifying attacks really takes time, so I would see how it would happen.

Dr.T (User Rank: Ninja), 9/25/2016 | 9:33:08 AM
Re: Yahoo Hack
I would think revealing it at this time is the worst time for them.

Dr.T (User Rank: Ninja), 9/25/2016 | 9:32:17 AM
Most passwords hashed?
I hope he is kidding, what world are they living in? They should have told us that some of our passwords may not be hashed in the first place before we sign up with an account.

Kelly Jackson Higgins (User Rank: Strategist), 9/23/2016 | 4:16:52 PM
Re: Yahoo Hack
The timing is suspect, for sure. But as we know, most companies don't find out about nation-state attacks until long after they first get in. And even if they detect & eradicate, they may not completely eradicate them.

JaredA449 (User Rank: Apprentice), 9/22/2016 | 9:13:54 PM
Yahoo Hack
I find it wild that Yahoo did not know about or reveal information about the hack until just prior to selling the company to Verizon for $4.8 billion dollars. I'm not sure how likely it was that they knew nothing for 2 years.