Security professionals this week slammed Yahoo for being careless with user information after the company disclosed it was the victim of a malicious intrusion in which data associated with more than one billion user accounts was compromised.
The disclosure comes less than three months after Yahoo reported another intrusion in September involving 500 million accounts and has already raised more questions about Verizon Communication Inc.’s pending $4.8 billion acquisition of the company.
After the September disclosure, some legal experts believed Verizon would try to negotiate that price down, citing a material adverse change clause in its pending agreement with Yahoo. Bloomberg News this morning reported talk has now begun about Verizon seeking to drive the price down even further or exit from the deal altogether.
“I am pretty sure that this news has the potential to negatively impact the deal with Verizon,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
“Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline - just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected.”
Yahoo's newly disclosed breach happened in August 2013 and exposed names, email addresses, hashed passwords, dates of birth, phone numbers, and in some cases the security questions that people use to verify their identity.
In addition, a separate and ongoing investigation has shown that unknown intruders gained access to Yahoo’s proprietary code and used it to forge cookies that were then used to access user accounts, Yahoo said in a statement Wednesday. Yahoo has invalidated the forged cookies and affected account holders are being notified, the company said.
The August 2013 intrusion appears to be completely separate from the one Yahoo disclosed in September. Yahoo has said that breach happened sometime in late 2014 and likely involved state-sponsored actors. Those behind the 2014 intrusion also appear to be involved in the theft of proprietary code and the creation of the forged cookies, Yahoo said Wednesday.
Yahoo’s apparent failure to discover a data theft of this magnitude for over three years has inspired the wrath of some security professionals. The 1 billion user accounts exposed in the intrusion makes the breach by far the biggest ever. In terms of compromised records at least, it is double the size of the intrusion that Yahoo disclosed in September, which at that time had made it the largest ever.
“The revelation that simultaneous with the prior intrusion and exfiltration of data there was another attacker in Yahoo’s systems is quite concerning,” says Chris Pierson, chief security officer and general counsel at Viewpost, an online invoice and electronic payment processing company.
“Yahoo breach part two must serve as a wakeup call to all boards of directors that cybersecurity is not an operational or technical issue.” Rather it is an issue of goodwill, reputation, differentiation, and customer loyalty,” Pierson says.
The breach disclosure has raised multiple questions about the quality of Yahoo’s security controls and processes for detecting and responding to intrusions on its network. As with the breach disclosed in September, Yahoo did not know about the August 2013 intrusion until this November when law enforcement provided the company with data apparently stolen from its servers. It was Yahoo’s subsequent analysis of the data that unearthed evidence of the 2013 breach.
Until now, the company has not been able to identify the exact intrusion point associated with theft and appears somewhat unsure about whether it is connected to the previously disclosed breach or not.
Philip Lieberman, president of Lieberman Software, described the breach as a result of Yahoo’s apparently cavalier attitude to security. “In our interactions with Yahoo over the years, there has been a consistent lack of interest in security as well as a palpable arrogance in their ability to manage their security without any help from the outside,” he said.
The takeaway from this incident is that organizations need to be looking for intrusions, expect they will not always be discoverable and operate in a manner as to minimize losses in the event of an intrusion. “If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security as Yahoo now finds themselves,” Lieberman said.
The theft of proprietary code from Yahoo and the subsequent use of that code to forge cookies points to other problems as well. “If the code had embedded secrets that allowed this forging [of] cookies then that is a code implementation error,” said Chris Wysopal, chief technology officer at Veracode. “If there were no secrets then it would likely be a design flaw if access to the code alone could allow forging cookies.”
The fact that intruders even had access to the proprietary code in the first place raises questions, Wysopal said. “Companies typically consider this the Crown Jewels and guard it well. How did that access happen?” he asked.
Several security experts said the best recourse for users is to delete their Yahoo accounts if possible given the length of the exposure and to immediately change passwords on all accounts where they might have used the same password.
In breaches involving password and username compromise, companies can typically disable access to user accounts and send password reset links to their registered email accounts. In this case, Yahoo will likely find it harder to do the same because the password to be reset is the password to the email account itself, said Suman Ghosemajumder, chief technology officer at Shape Security.
“Unless you have a secondary email account registered with that account, which most Yahoo users likely do not, there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently,” he said.
- Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users
- Yahoo Breach May Trigger 'Material Adverse Change' Clause