News

Yahoo Breach Exposed 1 Billion Accounts

• By Kurt Mackie
• 12/15/2016

Yahoo this week provided details about another security breach that exposed the data of "more than one billion user accounts."

The theft occurred almost three years ago, in August of 2013, but it's now a new notice coming from Yahoo as of this week. Yahoo had earlier admitted, in September of this year, that 500-million accounts had been exposed in late 2014. However, this week's one billion accounts exposure represents a new breach record on top of that 500-million figure. It doubles the previous record that also was set by Yahoo.

"To me, this looks like essentially all of Yahoo's users have had their details stolen with half of them having suffered the indignity twice," commented Richard Windsor, an analyst with London-based Edison Investment Research, in a blog post.

Yahoo is currently getting purchased by telecom services provider Verizon. The deal originally was estimated at $4.8 billion, but Verizon indicated back in September that it, too, wasn't aware of the earlier breach before engaging in discussions. Windsor offered some thinking on Yahoo's valuation in the wake of the breach disclosures, saying that the "core business for which Verizon is nominally paying [is] $4.8bn but given the risk that it walks away, we are now valuing it at zero."

Yahoo is attributing the latest data theft to "the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," according to an announcement. The company became aware of this latest breach after "law enforcement" provided it with "data files that a third party claimed was Yahoo user data."

It seems Yahoo doesn't know who took the data. Moreover, the earlier state-sponsored claim has been questioned by some security researchers, according to a blog post by software security provider Kaspersky Lab.

Yahoo hired outside forensics experts to look into the breach, and they identified accounts where "forged cookies were taken or used." Yahoo is contacting those account holders and it has "invalidated the forged cookies," its notice indicated.

In general, Yahoo is notifying "potentially affected users." It wants Yahoo users to change their passwords. Answers to security questions for accessing accounts have been invalidated by Yahoo because that information was exposed in the data breach. Users should change their security Q&As, too, Yahoo advised.

Yahoo's user passwords were hashed, or encrypted, during the breach. However, Yahoo was using MD5 for the hashing at the time of the data breach. It later upgraded its hashing solution to bcrypt, but that process started in "the summer of 2013." The bcrypt approach added "salting and multiple rounds of computation" to the hashing technique. See this Visualstudiomagazine.com article for an in-depth description of salting a password hash.

The MD5 hashing approach has been deprecated because it was been subject to "collision attacks," a method used to decrypt passwords, according to Jonathan Care, a research director at Gartner Inc., in a blog post.

"MD5 is strongly deprecated and this points to troubling software development security practices in Yahoo or its suppliers," Care stated.

Care added that question-and-answer security measures used by Web sites aren't proving to be effective, especially given such massive data breaches. He also downplayed the effectiveness of passwords compared with emerging biometric security approaches. Organizations such as Yahoo will need things like machine analytics to be better prepared, he suggested.