Yahoo Breached Again! 1 Billion Accounts Affected

Following the news of yet another Yahoo hack, which, this time, has leaked around one billion user accounts,  cybersecurity experts from ESET, NSFOCUS, Comparitech.com, AlienVault, Veracode, Barracuda Networks, Bitglass, Digital Guardian, Intercede, Alert Logic, Delphix, Post-Quantum, CFC Underwriting, Varonis and eSentire commented below.

Mark James, IT Security Specialist at ESET:

“Yahoo has announced overnight that yet another breach has happened involving more than 1 billion of their user accounts. As breaches seem to be happening more and more these days we can be forgiven for allowing data breach news to fall on deaf ears, but we need to get this in perspective here, this breach supposedly happened in 2013. According to the source “internetlivestats”, in 2013 the internet users worldwide amounted to just over 2.7 billion. Yahoo states over 1 billion user accounts were compromised, that’s over one third of the total internet users at the time. For perspective just imagine as you’re walking down the street every third person you see has had their details stolen and are now accessible on the internet.

So what can you do about the breach? NOTHING. There is nothing you can do about that particular breach but you can try and limit any further damage as a result of your data going missing. Whenever headlines like this make the news normally the first thing you read is “change your passwords”, it’s becoming the “go to” statement but it’s a very valid point and one that should be default for any account that’s involved in a breach. When your data is stolen, purchased, hacked or traded your details may be used to gain access to other accounts or logins, changing those compromised passwords and any other account that may be using the same passwords could limit access for the criminals. You also need to think about any secret questions and answers that were used. If you’re not already, be over cautious about emails or communications arriving out of the blue, especially any that require you to validate details or hand over further information and always take a few minutes to make separate enquiries before giving up more private data.

If you have not already, now might be a good time to get a password manager, many versions exist both free and paid for that allow you to generate unique passwords for every site you visit as well as store all your existing ones and evaluate your current passwords to see how they good they are. Lastly, consider two factor or two step verification for your accounts that allow it. A really good site to see if your service uses or allows 2FA is https://twofactorauth.org/ this allows you an extra level of protection above your username and password that is very easy to use and will stop others accessing your details without your permission.”

Alez Cruz-Farmer, VP at NSFOCUS:

“This is another huge blow for Yahoo!, and an example of where adoption of the latest security methods have not been implemented. We all can learn from Yahoo!’s misfortune, teaching us how to preempt and react to [potential] breaches, because the tools are out there on the market to help. With Yahoo! being such a behemoth organisation, the question here is – did they invest in security and, if so, how did it go so wrong?”

Lee Munson, Security Researcher at Comparitech.com:

“When Yahoo admitted earlier this year that it had been attacked in 2013, there were suggestions that the number of compromised accounts could place the company somewhere near the top of the pile in terms of the biggest ever data breaches.

“Now, there is no doubt, after it emerged that more than one billion accounts were compromised in the same year, possibly in an entirely separate attack.

“The worrying part of this news is the fact that the communications company does not appear to have noticed this second breach until November of this year, giving the attackers plenty of time to make merry with the stolen credentials.

“Thus, it is imperative that everyone with a Yahoo account should change their password immediately. Not only that, they should also change passwords elsewhere on the web too, if they have reused the same one across several accounts.

“New passwords should be unique to every site and account used and should be strong – lengthy, using letters, numbers and symbols, but not including words or dates of birth.

“Given the fact that Yahoo has said security questions and answers may also have fallen into unfriendly hands, its customers should, in fact, review every aspect of their personal security across the internet, especially for the most sensitive of accounts, such as online banking and credit card accounts.

“Additionally, the leaking of email addresses also makes it likely that Yahoo customers could be targeted by phishing attacks, prompting them into changing their login credentials on fake sites that are designed to look like banks, etc. – so the advice here is to never click on links found in emails, unless absolutely certain that they have come from a legitimate source.”

Javvad Malik, Security Advocate at AlienVault:

“Companies will always be targeted and breaches will occur. The larger the company, the more likely it will be targeted and breached. This statement should not come as a surprise to anyone.

“However, it is vitally important to be able to detect a breach in a timely manner so as to either prevent the breach, to minimise the impact, or to forewarn users, customers, and shareholders so that steps can be taken to prevent being caught off guard.

“However, when a breach is disclosed after three years, it has almost zero value. The damage has been long done and people could have ended up victims without realising the source.

“The lack of breach detection is extremely worrying, and should serve as a reminder to all organisations of all sizes that if you hold user data, you have a responsibility to secure it.”

Paul Farrington, Manager of EMEA Solution Architects at Veracode:

“This hack is another hammer blow to Yahoo, putting hundreds of millions of users at risk and trashing its reputation as a trusted, secure provider of email services.

This example should service as a wake-up call for companies to get serious about application security and implement rigorous encryption and application vulnerability testing to keep customer data safe from hackers. Some CIOs are still wondering when they will need to start investing in an application security programme. Well, for Yahoo, whatever they had done by August 2013, was already too little, too late.”

Wieland Alge, Europe’s Leading Cybersecurity Experts and General Manager EMEA at Barracuda Networks:

“What is surprising about this attack is that hackers have potentially had access to this data for roughly three years, and yet the full extent of the breach is only coming to light now. This breach leaked enough details to leave users open to sophisticated phishing attacks. With over a billion accounts compromised, at least some users would have thought phishing emails to be genuine, thereby opening the door to attackers.

Typically, phishing emails appear to come from a trustworthy source, so initially those that have been targeted don’t even realise they’ve fallen victim. The most successful phishing attacks are those that impersonate someone the recipient knows, or is expecting to hear from. For example, attackers will make subtle changes to an email address, such as “faceb00k.com” or “tripadvsior.com”. If a user is in a rush, all it takes is a lapse in concentration for a hacker to fool them. If organisations want to get tough on protecting their network and their customers, they need to be working in a zero trust environment. Implemented by firewalls, these environments take away the automatic assumption that an action or actions should be trusted. If an issue is noticed, it needs to be scrutinised and investigated until resolved.”

Eduard Meelhuysen, Vice President Sales EMEA at Security Vendor Bitglass:

“Social media platforms like Yahoo which are rich in user data are amongst the prime targets for organised cybercriminals.  However, these companies often rely on legacy security solutions that struggle to protect data once it gets outside their corporate network.  Many of these data breaches, which are far more common and more costly than companies may realise, can easily be prevented with the appropriate controls in place.  To stay one step ahead as data moves beyond the firewall, firms like Yahoo must encrypt cloud data at rest, control access by contextual risk, and protect data on unmanaged devices.”

Luke Brown, General Manager EMEA at Digital Guardian:

“The big question here is ‘why did it take so long to discover’? For the 1 billion+ Yahoo customers affected, their sensitive personal data has been compromised for three years without their knowledge. Rather than bringing in the experts after the breach has occurred, companies like Yahoo should be focusing on preventing the breach happening in the first place. Only two months ago it fell victim to another hack.

Many of the advanced threat protection tools available today alert businesses to breaches in real time, allowing them to monitor and shut them down before anything sensitive is taken. As such, it’s baffling that companies who hold such personal data do not already have them in place.”

Richard Parris, CEO at Intercede:

“Three years! How has it taken experts three whole years to discover the largest known data breach in history? If I were a Yahoo customer I would be demanding answers. If I were Verizon, I would have serious concerns over the proposed acquisition.

“Yahoo has advised customers to change their passwords, but it’s just too little, too late. How many other accounts have since been breached as a result of this legacy hack? It’s more than likely that cybercriminals have been using credential stuffing methods, with the stolen username and password data, to commit identity theft for the last three years.

“Companies have a responsibility to protect their customers’ data from malicious hackers. How many large scale breaches of this kind will it take before the industry shuns the damned username and password once and for all?

“More secure methods of authentication have long existed – all it takes is a willingness from companies to implement these. And what’s more, some of the most secure methods today are more convenient to the end user than having to remember a long and complicated password.”

Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:

“The most critical part of an incident response process is lessons learnt. Organisations need to question how far the rabbit hole goes in all cases. As things are detected during an incident, work streams should be started to question where else data resides and how can it be accessed from the systems hacked. The lessons learnt is second only to how you respond to an incident in the first place to an incident. How to respond relies on what information you have, getting pertinent information when under extreme pressure is tough when you in this position.

“It seems that in this case the investigators are still uncovering information, which again supports the fact that on average an attacker will be in 205 days or more before detection. It also supports the fact that, in many cases, organisations are unable to self-detect. An over reliance on blocking technologies and the lack of expertise, as well as the lack of  focus on detection coverage across the kill chain, is often the biggest challenge for organisations. In many cases for larger organisations the challenge of getting visibility is compounded by complexity, the fact the investigation is ongoing suggests that complexity is hampering them.”

Jes Breslaw, EMEA Director of Strategy at Delphix:

“Time and time again we have seen that even the most basic of personal identifiable information puts consumers at risk. Names, addresses and contact information all hold money-making potential for opportunistic social engineers on the dark web.

“The latest Yahoo data loss reinforces why organisations need to prioritise the development of robust security measures. Not only did it take Yahoo three years to disclose the largest breach in history but it was using one of the least resilient security measures available. Had the EU’s General Data Protection Regulation (GDPR) already been in operation then Yahoo could be facing a fine in the region of $200 million for its failures in due diligence.

“The challenge has always been that more robust security measures, such as masking both production and test data, are an expensive and complex task that organisations have avoided. In order to overcome this barrier and be prepared for a post GDPR world then organisations need to start considering new technologies, such as data masking and data virtualisation, that pseudonymise data once and guarantee that all subsequent copies have the same protective policies applied. This will future proof the business from costly data breaches and ensure compliance while improving agility and time-to-market.”

Andersen Cheng, CEO at Post-Quantum:

“The latest Yahoo breach is catastrophic in numbers – easily the biggest data breach we have seen to date. Even more worrying is why this took so long to be disclosed, with the incident taking place nearly four years ago. It looks like these kinds of deals between companies will disclose even more of these historical incidents as we move forward.

M&A and IPO activities are on the rise, and they will continue to gather pace in 2017, such is the sheer volume of, and the demand to invest in, the next tech ‘unicorn’. With this uptick in activity, there is a good chance that we will see data issues such as breaches or hacks uncovered as companies carry out their due diligence before deals are finalised. I expect there will be a few more unpleasant surprises uncovered next year.”

Graeme Newman, Chief Innovation Officer at CFC Underwriting:

“CFC Underwriting is a specialist provider of cyber insurance with the largest team of specialist cyber underwriters in the world, and insures over 20,000 companies against cyber risk. Graeme himself has been heavily involved in the development of a variety of new insurance products designed to protect companies against the growing number of exposures they face as the use of the internet and technology in business increases.”

.

.

David Gibson, VP of Strategy and Market Development at Varonis:

“The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.

“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.

“Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.

“Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

“The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

“Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”

Mark Crowther, Associate Director at Cyberis:

“The latest reports say that Yahoo lost data for more than one billion users back in August 2013 and that the data is suspected to contain names, email addresses, hashed passwords, security questions and associated answers. In addition, Yahoo has stated that the attackers have accessed Yahoo proprietary code used to generate cookies for user access without credentials.

This breach raises a number of questions, including: Why did it take so long to identify and notify authorities about it? What are the implications for Yahoo users? What might this mean for Yahoo going forward?

Yahoo appears to have been informed by law enforcement that the breach may have occurred, indicating that its internal detective controls have been, and may continue to be, inadequate. This is reinforced by a statement from Bob Lord (Yahoo’s CISO) who stated “we have not been able to identify the intrusion associated with this theft.” (https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users).

Although Yahoo claims that this notification is distinct from the 2014 breach (reported in September 2016), it raises questions as to why this more significant breach was not identified during earlier investigations. Forensic investigations may have been either too focussed on the 2014 breach, or incomplete, preventing identification of this earlier and more significant breach. To add balance to this argument, it should be stated that it is not clear at this time if the breached systems were related, however following the 2014 breach, Yahoo should certainly have considered further investigations to identify if any wider breaches had occurred.

So what are the implications for Yahoo users? Considering that this breach constitutes approximately one third of Yahoo’s user base, it would be a fair assumption for all Yahoo users that their accounts have been compromised. The data set reported to be compromised includes both username and passwords, and whilst the passwords are reportedly hashed, the weak algorithm in use leaves them wide open to abuse (see our earlier blog post on password hashing – https://www.cyberis.co.uk/2012/06/adding-pinch-of-salt.html)

Cyberis advises Yahoo users, and users of related services such as Flickr and Tumblr, to change their passwords with immediate effect. If you have used your Yahoo password with any other service, you should also change these passwords. If you have registered for a web site using a Yahoo email account, you should also consider resetting your password for these services, especially if you haven’t used them for some time. Password reset services often use email addresses to manage a password change or forgotten password function. Anyone with access to the breached data could have potentially used this information to access any site associated with your Yahoo email account.

Given that Yahoo has announced that proprietary data was accessed, the breach is currently assumed to extend to Yahoo internal systems. This could suggest a highly skilled and motivated adversary, potentially even a state-sponsored hacking group. Access to millions of email accounts would be a clear motivation to many different threat actors of course, including foreign intelligence services and governments. We fully expect that further information about the extent of the breach will be released in the near future, but in the meantime, it’s certainly not looking good for Yahoo.
Eldon Sprickerhoff, Founder and Chief Security Strategist at eSentire:

“The magnitude of this breach doesn’t just impact Yahoo account holders, it extends to anyone using web mail services, and drives home how critical two factor-authentication is when it comes to account security. We all have a role to play in the security of our own data. The same fate could be a reality for anyone not using two-factor authentication to secure their accounts.

In the Yahoo’s case, account passwords were hashed. Think of it as a one-way encryption that can’t be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed, and feed it through the hash function, you end up with all possible hashed passwords. You can then do a reverse lookup and find the actual password. What this means, is that with standard password technology in place (like the kind used by Yahoo), hackers can easily identify user passwords. Two-factor authentication takes security one step further, eliminating the need for hashes, and the risks associated with hashes. It’s a feature that’s enabled by adding another form of identity verification to the account sign in process, like a phone number. It’s a simple step that provides significantly more protection to account holders. This breach reinforces the need for two-factor authentication on all user accounts, whether business or personal.

The greater risk with this particular breach is the countless other email accounts that could be impacted. Many Internet Service Providers (ISPs), like Rogers in Canada or Sky UK in the United Kingdom, chose not to create their own web mail system. Instead, they white-label Yahoo mail for their account holders. So, if you have a Rogers or Sky UK web mail account, it means that you actually have a Yahoo email account. Regardless, the safest route for all users is to update all passwords and ensure two-factor authentication is enabled, immediately.”

J.Paul Haynes, CEO at eSentire:

“Any breach that involves personally identifiable (PII) information – like names, addresses, and user credentials – can haunt its victims for months or years. This information usually ends up on the dark web, where it’s cycled through buyers who can use that information to commit various forms of fraud. Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts.”

–