
9/22/2016
04:40 PM

Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users

But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum.

The other shoe has dropped - maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor.

Some 500 million Yahoo user accounts were stolen, and Yahoo is working with law enforcement on an investigation of the attack. The announcement comes as Yahoo begins the process of selling its operating business to Verizon for some $4.83 billion in cash, a deal first announced in late July. Security experts say this could be a record-breaking breach in terms of size.

Bob Lord, CISO at Yahoo, in a blog post today said the attackers stole "a copy of certain" Yahoo user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with Bcrypt, while some security Q&As were encrypted, and some were not, he said.

Payment card and bank account information was not associated with the breached system, he said, so that information was not exposed. 

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," he said.

Yahoo's revelation today came after many Yahoo users reported receiving password-change emails over the past 24 hours, some with the subject line "secure your Yahoo account," with no explanation. Others received email notices of "suspicious activity" on their accounts and steps for resetting their passwords. Recode this morning reported that Yahoo would be announcing a breach affecting "millions" of its users.

But the drama officially began unfolding publicly back in August when a hacker known as "Peace" or "Peace_of_Mind" began selling online what he advertised as some 200 million Yahoo user credentials. "Peace," who is known to be the co-founder of underground TheRealDeal Marketplace, had done the same with stolen LinkedIn and MySpace credentials in May of this year. At the time, Yahoo told Motherboard it was investigating the report.

Today's announcement is its first official confirmation of a cyberattack involving user credentials. Still unclear is whether the Peace incident is related to the newly revealed nation-state breach, and if so, whether that same nation-state actor is also responsible for the LinkedIn and MySpace attacks.

It's possible the two Yahoo credential breach incidents are separate attacks, notes Jeremiah Grossman, chief of security officer for SentinelOne and a former infosec officer at Yahoo. If the attackers were out of China, for example, he says, they wouldn't likely share or sell stolen information. "For all we know, these are separate breaches," he says, noting that the details of the two don't quite match up.

Nation-state cyber espionage typically is all about gathering intel about geopolitical information, intellectual property, or even inside information on a merger or other business deal. The attackers who hit Yahoo likely were fishing for access to Yahoo accounts that could get them either inside the company for its secrets, or access to some Yahoo user accounts for similar purposes.

Yahoo's dealings with Alibaba, for instance, would be of interest to a Chinese nation-state actor, Grossman notes. The attackers would "hack the system to figure out what Yahoo was negotiating and share with guys on their side, like a Chinese organization," for example, he explains.

If the attacks are related, however, Yahoo's response has confounded some experts. Why it took Yahoo nearly two months to confirm there was a breach, while the dumped credentials potentially left Yahoo mail users' accounts vulnerable, is a question many are mulling today. "I would err on the side of caution and force a password change. It's better to be out in front of it than behind it," says Rick Holland, vice president of strategy at Digital Shadows.

"Let's be honest. If [Peace] was selling this in August, these credentials were already used in other [attack] campaigns long before that," he says.

Yahoo gave no details of how the nation-state hackers infiltrated the company's network, but experts say the most likely vector was the old reliable phishing attack: fooling a Yahoo employee with a malicious attachment or link that downloaded malware and gave the attackers a foothold in its network.

Grossman says that, like any large tech firm, Yahoo is a juicy target with its massive network presence. "It's a big attack surface," he says of Yahoo's massive infrastructure. "There's so much to defend … It's a hot target," so attacks are no surprise, he says.

Fallout
Phishing attacks likely will be the number one fallout, with the stolen Yahoo account details used as bait for convincing phishing lures. Credential stuffing, a brute-force attack in which attackers replay stolen username and password pairs against a website until they find a match, is another big risk.
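To show the credential-stuffing risk from the defender's side, here is an added example (not from the article, Yahoo, or any of the quoted experts) that flags the pattern described above in authentication logs: one source address trying many distinct usernames in a short window with a high failure rate, as opposed to a single user fumbling their own password. The log format, the sample addresses and accounts, and the thresholds are all assumptions constructed for the example; the successful login inside a flagged burst is the account a defender would force-reset first.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 UTC time> ip=<source> user=<account> result=<OK|FAIL>
# 203.0.113.5 sprays one attempt each at many accounts (stuffing pattern);
# 198.51.100.7 is one user retrying their own password (benign pattern).
SAMPLE_LOG = """\
2016-09-22T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-09-22T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-09-22T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2016-09-22T10:00:04Z ip=203.0.113.5 user=dave result=OK
2016-09-22T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2016-09-22T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2016-09-22T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2016-09-22T10:00:20Z ip=198.51.100.7 user=grace result=FAIL
2016-09-22T10:00:30Z ip=198.51.100.7 user=grace result=OK
2016-09-22T10:05:00Z ip=192.0.2.9 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(lines, window_seconds=300,
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A sliding window per source IP is kept; when the window holds at least
    min_distinct_users different usernames and the failure ratio is at or
    above min_fail_ratio, the IP is recorded. The thresholds are assumed
    values for the example, not tuned production numbers.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> deque of (ts, user, success) in window
    alerts = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        # Evict attempts that fell out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {u for _, u, _ in q}
        failures = sum(1 for _, _, success in q if not success)
        if len(distinct) >= min_distinct_users and failures / len(q) >= min_fail_ratio:
            prev = alerts.get(ip)
            # Keep the worst observation seen for this source.
            if prev is None or len(distinct) > prev["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(distinct),
                    "attempts": len(q),
                    "failures": failures,
                    "successes": len(q) - failures,
                    "window_end": ts.isoformat(),
                }
    return alerts


def accounts_to_reset(lines, alerts):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    hits = set()
    for e in (parse_line(l) for l in lines):
        if e and e[1] in alerts and e[3]:
            hits.add(e[2])
    return hits


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(f"stuffing suspected from {ip}: {info}")
    print("force password reset for:", sorted(accounts_to_reset(SAMPLE_LOG.splitlines(), found)))
```

The distinction the detector draws is the one that matters in practice: a lockout policy keyed on failures per account never sees a stuffing run, because each stolen account is tried once; keying on distinct accounts per source in a time window does, and the "OK" inside the burst is the compromised account rather than a legitimate login.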

But perhaps the biggest risk is to Yahoo users who reuse passwords across different accounts. According to a recent study by TeleSign, some 73% of online accounts use passwords that are duplicated on other accounts. Bottom line: Yahoo users whose stolen password is also used on other sites need to change the passwords on those accounts ASAP, too.

Yahoo doesn't require two-factor authentication, but experts say the breach again demonstrates that the time has come for 2FA to become a standard for user authentication – for internal users and customers alike. The catch with this breach, however, is that the attackers have enough personal information on Yahoo users that they could still have hijacked an account protected by 2FA, Grossman says. "If you've got birthdays and addresses, you can log into an account," he says.

The good news: some of the stolen Yahoo account data was encrypted, assuming Yahoo has strong encryption practices. 

"The good news is that the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted, but these records could be easily decrypted if the company did not implement properly managed encryption keys," says Jason Hart, vice president and CTO of data protection at Gemalto.

Yahoo's Lord says there's "no evidence" the nation-state hackers are still resident in its network.

What Now
Yahoo recommends users change their passwords and security questions and answers for both Yahoo and any other accounts where they used the same passwords or similar security information. In addition, Yahoo says users should:

  • "Review your accounts for suspicious activity. 
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.
  • Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Kelly Jackson Higgins, User Rank: Strategist, 9/26/2016 | 9:03:24 AM
Re: Most passwords hashed?
It will be interesting to see what, if anything, Verizon does security-wise for Yahoo customer accounts.

Whoopty, User Rank: Ninja, 9/26/2016 | 7:37:34 AM
Re: Most passwords hashed?
Agreed, such negligence should be criminal in the age of information security we are currently in. For a company like Yahoo, which has been in the game for several decades at this point, to not employ basic security for its users' information is a complete travesty.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:35:47 AM
Re: Yahoo Hack
Also, maybe Verizon will start having additional bargaining power from this point forward; there is a prestige issue now.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:34:53 AM
2 years?
I would think there may be a possibility that they have not known until hackers started selling information; 2 years would make sense if that is the case.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:34:04 AM
Re: Yahoo Hack
Agreed. Identifying attacks really takes time, so I would see how it would happen.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:33:08 AM
Re: Yahoo Hack
I would think revealing it at this time is the worst time for them.

Dr.T, User Rank: Ninja, 9/25/2016 | 9:32:17 AM
Most passwords hashed?
I hope he is kidding; what world are they living in? They should have told us that some of our passwords may not be hashed in the first place, before we signed up for an account.

Kelly Jackson Higgins, User Rank: Strategist, 9/23/2016 | 4:16:52 PM
Re: Yahoo Hack
The timing is suspect, for sure. But as we know, most companies don't find out about nation-state attacks until long after they first get in. And even if they detect & eradicate, they may not completely eradicate them.

JaredA449, User Rank: Apprentice, 9/22/2016 | 9:13:54 PM
Yahoo Hack
I find it wild that Yahoo did not know about or reveal information about the hack until just prior to selling the company to Verizon for $4.8 billion dollars. I'm not sure how likely it was that they knew nothing for 2 years.