Yahoo's disclosure of one of the largest-ever data breaches comes after months of dark web chatter that indicated it may be the next victim following large online services including Twitter, LinkedIn and Dropbox.
See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry
Yahoo blames the attack on a "state-sponsored actor," but it did not name a suspect country. Still, it's a confident assertion for a cyberattack, which computer security experts contend is notoriously difficult to attribute.
Yahoo says details on at least 500 million accounts were stolen in late 2014. The company is notifying those affected and asking them to change their passwords. Most, but not all, of the exposed passwords were encrypted with a strong algorithm, leaving some users at more risk than others.
Over the two years since the breach, state-sponsored hackers would have had plenty of time to attempt to crack even the strongly encrypted passwords, says Michael Lipinksi, CISO and chief security strategist at Securonix. "I think it's safe to say those accounts were compromised," he says.
The theft of account credentials apparently is the biggest that's ever been discovered, easily overtaking the exposure of 359 million MySpace accounts in 2008, which only came to light earlier this year. Other record-setting breaches included the exposure of 164 million LinkedIn emails and passwords in 2012 - which also came to light this year - as well as the exposure of 152 million Adobe accounts in 2013.
Unlike the breaches at LinkedIn and MySpace, as well as other big breaches involving Dropbox and Tumblr, the Yahoo account details are not circulating or for sale on the underground, a sign that experts say may indicate the company's attribution is accurate. The company says an "investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network."
In addition to passwords, the compromised information includes names, email addresses, phone numbers and birth dates. Also stolen were the security questions and answers users had selected to verify their accounts, only some of which were encrypted. Payment card and bank account information was likely not affected, because that information was not stored in the compromised system, Yahoo says.
Deal With Verizon Pending
The breach disclosure comes at a sensitive time as Yahoo winds through legal processes prior to its pending $4.8 billion sale to Verizon.
Sen. Richard Blumenthal, D-Conn., the ranking member of the Senate subcommittee with consumer protection and data security oversight, calls on law enforcement and regulators to examine whether Yahoo may have concealed knowledge of the breach to artificially bolster its valuation in its pending acquisition by Verizon.
"If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users' trust," Blumenthal says. "Asking users to reset their passwords when it first learned of the breach would have been a simple and effective step at mitigating any risk to accounts and protecting consumer data."
Meanwhile, the FBI is investigating the breach. "We take these types of breaches very seriously and will determine how this occurred and who is responsible," the agency says.
Experts have been at a loss as to why data breaches that occurred years ago have now become public or who may have been behind the attacks (see 'Historical Mega Breaches' Continue: Tumblr Hacked).
Breach Rumors
The seeds for the password woes of many online web services this year were sown as early as March. That's when someone using the nickname Tessa88 began hawking on underground forums large batches of data (see LinkedIn, MySpace Hacker 'Urgently' Needs Money).
Tessa88 often delivered the goods, either by proxy or directly. The persona passed data stolen from Twitter and VKontakte to LeakedSource.com, which runs a paid-for search service for stolen data. Other batches, such as LinkedIn and MySpace, were sold on a dark Web market called The Real Deal through its co-founder, peace_of_mind, or Peace.
But some of Tessa88's data batches turned out to be amalgamations of other leaked credentials bundled together and intentionally mislabeled. Cybercriminals seeking to buy stolen data became so frustrated that Tessa88 was banned from underground forums, says Vitali Kremez, a senior cybercrime intelligence analyst at Flashpoint.
"[Tessa88] was lying to other criminals," Kremez says.
On Aug. 2, Peace advertised 200 million Yahoo account credentials on The Real Deal for $1,800 in bitcoin. But Kremez says the advertised details do not match Yahoo's description of what was taken.
It means that while Yahoo may have been looking for signs of a specific intrusion that matched the data Peace claimed to have, the company might have discovered a different one.
First, the number of accounts is way off: 200 million vs. 500 million. The Real Deal advertisement didn't mention having users' security questions. Yahoo hasn't said country code identifiers for accounts were leaked, which The Real Deal advertisement did. Peace claimed the database was from 2012, which predates Yahoo's estimation of a breach by two years.
"The likely scenario is that Yahoo has been investigating Tessa88's allegations and Peace's allegations," Kremez says. "While they were investigating, they stumbled upon other signs of intrusion."
Hashing Madness
Companies with enormous user bases such as Yahoo face large challenges in a changing security landscape. What have been considered the minimum safety standards around passwords have vastly changed over the last decade.
"It's a little bit difficult for companies like Yahoo because they are getting judged on yesterday's practices that are being measured on today's standards," says Troy Hunt, a data breach expert who runs the Have I Been Pwned breach notification service.
The issue revolves around the mathematical processes that are applied to passwords. Since passwords can't be stored in plain text, they're processed with a one-way deterministic algorithm to produce a hash.
Growing computational power has meant the output of some algorithms can be rapidly guessed. Over the years, companies have switched to stronger algorithms, which slows down rate at which attackers can guess the output, which is the hash stored on their systems.
For a company with as many users as Yahoo, migrating to a new algorithm and securing weak hashes is a huge problem, says John Bambenek, manager for threat systems at Fidelis Cybersecurity. "That's a heavy drinking week for your IT department if you do that," he says.
The easy way would be to ask all users to create a new password. But companies don't want to issue full password reset decrees - for good reason. Users get annoyed. It also raises suspicions if a company has been breached, which is a potential public relations problem.
The result is that some companies are forever in a state of transition, Hunt says. Yahoo says the "majority" of the leaked passwords were encrypted with bcrypt - a well-regarded, purpose-built password-hashing algorithm - but that indicates that some passwords were not so strongly hashed.
Dropbox, which said in August that 69 million accounts created before mid-2012 were compromised, is another example. Hunt says half of those passwords were encrypted with bcrypt, while the other half were encrypted with SHA1, which is now considered very weak (see Dropbox's Big, Bad, Belated Breach Notification).
A hashing algorithm such as MD5 can be computed billions of times per second on consumer-grade hardware, whereas an algorithm like bcrypt may be only hundreds of times per second, Hunt says.
A way around the problem is to take hashes that can be rapidly guessed, such as MD5s or SHA1s, and run them through bcrypt. But it would appear from several of the large breaches from this year that companies have just rolled over to a new password hashing algorithms and not secured the weaker ones, Hunt says.
That's why, in part, the Yahoo breach still poses a risk. If the weak hashes can be cracked, those passwords can be tried against other services, such as bank or social media accounts.