Attacks/Breaches
9/22/2016 04:40 PM

Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users

But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum.

The other shoe has dropped - maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor.

Information from some 500 million Yahoo user accounts was stolen, and Yahoo is working with law enforcement on an investigation of the attack. The announcement comes as Yahoo begins the process of selling its operating business to Verizon for some $4.83 billion in cash, a deal first announced in late July. Security experts say this could be a record-breaking breach in terms of size.

Bob Lord, CISO at Yahoo, said in a blog post today that the attackers stole "a copy of certain" Yahoo user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with bcrypt, while some of the security questions and answers were encrypted and some were not, he said.

Payment card and bank account information was not associated with the breached system, he said, so that information was not exposed. 

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," he said.

Yahoo's revelation today came after many Yahoo users reported receiving password-change emails over the past 24 hours, some with the subject line "secure your Yahoo account," with no explanation. Others received email notices of "suspicious activity" on their accounts and steps for resetting their passwords. Recode this morning reported that Yahoo would be announcing a breach affecting "millions" of its users.

But the drama officially began unfolding publicly back in August, when a hacker known as "Peace" or "Peace_of_Mind" began selling online what he advertised as some 200 million Yahoo user credentials. "Peace," known as a co-founder of the underground TheRealDeal marketplace, had done the same with stolen LinkedIn and MySpace credentials in May of this year. At the time, Yahoo told Motherboard it was investigating the report.

Today's announcement is its first official confirmation of a cyberattack involving user credentials. Still unclear is whether the Peace incident is related to the newly revealed nation-state breach. And if so, whether that very same nation-state actor is responsible for the LinkedIn and MySpace attacks as well.

It's possible the two Yahoo credential breach incidents are separate attacks, notes Jeremiah Grossman, chief of security strategy at SentinelOne and a former information security officer at Yahoo. If the attackers were out of China, for example, he says, they wouldn't be likely to share or sell stolen information. "For all we know, these are separate breaches," he says, noting that the details of the two don't quite match up.

Nation-state cyber espionage typically aims at geopolitical intelligence, intellectual property, or inside information on a merger or other business deal. The attackers who hit Yahoo were likely fishing for access to Yahoo accounts that could get them inside the company for its secrets, or into particular Yahoo users' accounts for similar purposes.

Yahoo's dealings with Alibaba, for instance, would be of interest to a Chinese nation-state actor, Grossman notes. The attackers would "hack the system to figure out what Yahoo was negotiating and share with guys on their side, like a Chinese organization," for example, he explains.

If the attacks are related, however, Yahoo's response has confounded some experts. Why Yahoo took nearly two months to confirm a breach, while the dumped credentials of Yahoo Mail users remained usable against their accounts, is a question many are mulling today. "I would err on the side of caution and force a password change. It's better to be out in front of it than behind it," says Rick Holland, vice president of strategy at Digital Shadows.

"Let's be honest. If [Peace] was selling this in August, these credentials were already used in other [attack] campaigns long before that," he says.

Yahoo gave no details of how the nation-state hackers infiltrated the company's network, but experts say the most likely vector was the old reliable: a phishing email that fooled a Yahoo employee into opening a malicious attachment or link, which downloaded malware and gave the attackers a foothold in the network.

Grossman says that, like any large tech firm, Yahoo is a juicy target with its massive network presence. "It's a big attack surface," he says of Yahoo's massive infrastructure. "There's so much to defend … It's a hot target," so attacks are no surprise, he says.

Fallout
Phishing is likely to be the number one fallout, with the stolen names, email addresses and phone numbers used to target Yahoo users and hijacked Yahoo accounts used to send the lures. Credential stuffing, in which attackers replay stolen username-and-password pairs against other sites' login forms until they find accounts where the same credentials work, is another big risk.
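To make the distinction concrete, here is an added example (not from the article, and not Yahoo's detection logic) that runs over a constructed web login log and separates the two patterns the paragraph names: credential stuffing, where one source cycles through many usernames with about one attempt each and a low hit rate, and brute-force guessing, where one source hammers a single account. The log format, IP addresses and usernames are all made up for the example; a real deployment would read the same four fields from its own authentication logs.

```python
# Added example; not from the article or from Yahoo. Two login-abuse patterns
# distinguished from the same web login log. The log format and the sample
# lines are constructed for this example.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LoginEvent = namedtuple("LoginEvent", "ts ip user ok")

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-09-22T10:00:01 203.0.113.7 alice FAIL
2016-09-22T10:00:02 203.0.113.7 bob FAIL
2016-09-22T10:00:02 203.0.113.7 carol FAIL
2016-09-22T10:00:03 203.0.113.7 dave FAIL
2016-09-22T10:00:03 203.0.113.7 erin OK
2016-09-22T10:00:04 203.0.113.7 frank FAIL
2016-09-22T10:00:05 203.0.113.7 grace FAIL
2016-09-22T10:00:05 203.0.113.7 heidi FAIL
2016-09-22T10:01:10 198.51.100.4 alice FAIL
2016-09-22T10:01:15 198.51.100.4 alice FAIL
2016-09-22T10:01:20 198.51.100.4 alice FAIL
2016-09-22T10:01:25 198.51.100.4 alice OK
2016-09-22T10:02:00 192.0.2.9 ivan OK
"""


def parse_log(text):
    """Turn the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Credential stuffing: one source tries many different usernames, each about once,
    with a low hit rate (most leaked pairs do not work on this site). Returns
    {ip: {"attempts", "distinct_users", "hits"}}; "hits" are the accounts that did log
    in from the flagged source, i.e. the ones to reset first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):  # sliding time window over this source's attempts
            while ev.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            hits = [e.user for e in win if e.ok]
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                entry = flagged.setdefault(ip, {"attempts": 0, "distinct_users": 0, "hits": set()})
                entry["attempts"] = max(entry["attempts"], len(win))
                entry["distinct_users"] = max(entry["distinct_users"], len(users))
                entry["hits"].update(hits)
    return flagged


def detect_guessing(events, window=timedelta(minutes=5), min_failures=3):
    """Brute-force guessing against one account: repeated failures for the same
    (ip, user) pair inside the window. Returns {(ip, user): failures}. Stuffing has
    the opposite shape (many users, one attempt each), so it needs the rule above."""
    fails = defaultdict(list)
    for ev in events:
        if not ev.ok:
            fails[(ev.ip, ev.user)].append(ev.ts)
    found = {}
    for key, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                found[key] = max(found.get(key, 0), end - start + 1)
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing:", detect_stuffing(evs))
    print("guessing:", detect_guessing(evs))
```

On the sample, 203.0.113.7 is flagged as stuffing with eight distinct usernames and one hit (erin), which is the account to force-reset; 198.51.100.4 is flagged as guessing against alice, not stuffing, because it never touches a second username. The thresholds are starting points: a shared NAT or a corporate proxy can legitimately present several usernames from one address, so tune `min_users` and the window against your own baseline before alerting on them.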

But perhaps the biggest risk is to Yahoo users who reuse passwords across different accounts. According to a recent study by TeleSign, some 73% of online accounts use passwords that are duplicated on other accounts. Bottom line: Yahoo users whose stolen password is also used on other sites need to change the passwords on those accounts ASAP, too.

Yahoo doesn't require two-factor authentication, but the breach again demonstrates that the time has come for 2FA to become a standard for user authentication, for internal users and customers alike, experts say. The catch with this breach, however, is that the attackers have enough personal information on Yahoo users that they could still have hijacked an account with 2FA, Grossman says. "If you've got birthdays and addresses, you can log into an account," he says. The weak point is the account-recovery path: a reset flow that accepts a date of birth or a security answer as proof of identity hands over the account without ever challenging the second factor, and those answers are among the stolen data.

The good news: some of the stolen Yahoo account data was protected, assuming Yahoo's hashing and key-management practices are sound.

"The good news is that the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted, but these records could be easily decrypted if the company did not implement properly managed encryption keys," says Jason Hart, vice president and CTO of data protection at Gemalto.

Hart's description goes further than Lord's, however. Lord's post says only that most passwords were hashed with bcrypt and that some security questions and answers were encrypted; it does not describe names, email addresses or dates of birth as protected. And hashing slows offline guessing rather than preventing it, so users with weak or reused passwords should assume theirs can be recovered from the dump.

Yahoo's Lord says there's "no evidence" the nation-state hackers are still resident in its network.
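The storage question raised by Lord's post (passwords hashed with bcrypt, security answers only sometimes encrypted) and by Hart's caveat about key management comes down to one design choice, shown in this added example. It is not Yahoo's code and not from the article. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the property that matters, a per-record salt plus a tunable work factor, is the same. Security answers are treated like passwords, hashed after normalization rather than encrypted under a key that would sit beside the data it protects. The sample password and answers are constructed.

```python
# Added example; not Yahoo's code. Shows how a stolen credential table behaves
# depending on how passwords and security answers were stored.
# bcrypt (which Yahoo said it used) is not in the Python standard library, so
# PBKDF2-HMAC-SHA256 from hashlib stands in for it: like bcrypt it takes a
# per-record salt and a tunable work factor.
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # work factor; raise it as cracking hardware gets faster


def hash_secret(secret, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash stored as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record: equal secrets give unequal hashes
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_secret(secret, stored):
    """Recompute with the salt and iteration count kept next to the digest; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def normalize_answer(answer):
    """Canonicalize a free-text security answer so 'New  York ' and 'new york' hash the same."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer):
    """Store security answers like passwords: hashed, not encrypted under a key kept beside the data."""
    return hash_secret(normalize_answer(answer))


def verify_answer(answer, stored):
    return verify_secret(normalize_answer(answer), stored)


def unsalted_md5(secret):
    """The legacy scheme a dump makes cheap to crack: no salt, no work factor, same input -> same hash."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def demo():
    """Two users who picked the same (constructed) password, stored both ways."""
    pw = "correct horse battery staple"
    fast = (unsalted_md5(pw), unsalted_md5(pw))
    slow = (hash_secret(pw), hash_secret(pw))
    return {
        "md5_collides_across_users": fast[0] == fast[1],     # True: one crack pays for every reuse
        "pbkdf2_collides_across_users": slow[0] == slow[1],  # False: each record is its own job
        "login_ok": verify_secret(pw, slow[0]),
        "login_wrong": verify_secret("Correct horse battery staple", slow[0]),
        "answer_ok": verify_answer("  New  York", hash_answer("new york")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The MD5 column is why an unsalted dump is cheap to crack: every user with the same password shares one hash, so one successful guess (or one lookup in a precomputed table) unlocks all of them, while each PBKDF2 record carries its own salt and costs a full work factor per guess. Hashing the security answers removes the key-management problem Hart describes entirely; there is no key to lose. In production use a maintained bcrypt, scrypt or Argon2 implementation rather than hand-rolling the record format; the point here is the shape of the stored data, not the library.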

What Now
Yahoo recommends users change their passwords and security questions and answers for both Yahoo and any other accounts where they used the same passwords or similar security information. In addition, Yahoo says users should:

  • "Review your accounts for suspicious activity. 
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.
  • Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins, User Rank: Strategist, 9/26/2016 | 9:03:24 AM
Re: Most passwords hashed?
It will be interesting to see what if anything Verizon does security-wise for Yahoo customer accounts.

Whoopty, User Rank: Ninja, 9/26/2016 | 7:37:34 AM
Re: Most passwords hashed?
Agreed, such negligence should be criminal in the age of information security we are currently in. For a company like Yahoo, which has been in the game for several decades at this point, to not employ basic security for its users' information is a complete travesty.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:35:47 AM
Re: Yahoo Hack
Also, maybe Verizon will start having additional bargaining power from this point forward; there is a prestige issue now.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:34:53 AM
2 years?
I would think there may be a possibility that they had not known until hackers started selling information; 2 years would make sense if that is the case.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:34:04 AM
Re: Yahoo Hack
Agreed. Identifying attacks really takes time, so I could see how it would happen.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:33:08 AM
Re: Yahoo Hack
I would think revealing it at this time is the worst time for them.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:32:17 AM
Most passwords hashed?
I hope he is kidding, what world are they living in? They should have told us that some of our passwords may not be hashed in the first place before we sign up with an account.

Kelly Jackson Higgins, User Rank: Strategist, 9/23/2016 | 4:16:52 PM
Re: Yahoo Hack
The timing is suspect, for sure. But as we know, most companies don't find out about nation-state attacks until long after they first get in. And even if they detect & eradicate, they may not completely eradicate them.

JaredA449, User Rank: Apprentice, 9/22/2016 | 9:13:54 PM
Yahoo Hack
I find it wild that Yahoo did not know about or reveal information about the hack until just prior to selling the company to Verizon for $4.8 billion. I'm not sure how likely it was that they knew nothing for 2 years.