The Yahoo Breach - 500 Million at Risk

By Kunal Anand,  John Gunn,  Bert Rankin,  Brad Bussie,  Mark Wilson

Users everywhere are reeling from Yahoo’s announcement that it was breached a full two years ago by an assumed state-sponsored bad actor who gained access to information on a whopping 500 million user accounts. Yahoo! CISO Bob Lord confirms that the stolen data likely included “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” Lord also said that Yahoo’s investigation thus far indicates that unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not affected.

Even by the benchmark of recently-announced breaches at MySpace, LinkedIn, Twitter, and Tumblr, the shear scope of the Yahoo breach is historic. That means that many of those affected are likely to quickly learn of it and take action. And while Yahoo! executives are probably worrying about the potential impact of the massive attack on the legacy Web 1.0 player’s upcoming Verizon merger, account holders are more focused about the potential impact on their own lives, property and privacy.  And worse, right now there’s probably millions of people who believe they’re unaffected because they’re not using a Yahoo account.

Unfortunately, they’re wrong.

Subscribers/users of Yahoo-owned properties and sites such as Flickr, Tumblr and fantasy football site also need to take immediate steps to protect personal information associated with additional Yahoo services and sites.

Kunal Anand, CTO, Prevoty: "Protecting a massive trove of user data is one of the biggest challenges that all businesses running web applications face. In the case of Yahoo!, there's a lot of interesting data aside from password hashes - potentially a lot of personally identifiable information (PII) per user. I think we have to remind ourselves how many properties and brands Yahoo! operates and multiply that by the number of data points the Internet company collects from its user base."

It’s unclear how effective damage control measures will be, or how diligently past users of Yahoo! will be in taking them. “So what are a half-billion consumer supposed to do now – change their passwords and all of the security questions for their fifty other online accounts? Don’t count on regulation to bring sanity back to the situation,” observes John Gunn, VP of Communications, VASCO Data Security.

Lord is recommending that at a minimum, users basically take the same basic steps that security professionals have recommended for years:

  • Change passwords and security questions and answers for any accounts for which a same or similar password was used;
  • Review their accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for personal information or offer links to a web page asking for personal information; and
  • Avoid clicking on links or downloading attachments from suspicious emails.


It’s Every Company’s Problem Now

Michael Lipinski, CISO and chief security strategist at Securonix, calls the breach a perfect example that some of the organizations reading this statement are already breached. “You just don't know it yet, or, you may never know it. We can't keep accepting this level of ignorance as the best we can do.” His most pointed observations are saved for Yahoo: “Whether there was a cover up or if indeed, this breach was not uncovered for two years, this is a huge failure of the Yahoo team for not being able to identify this much earlier.”

Bert Rankin, CMO, Lastline, notes that the sheer magnitude of the breach is a clear wake-up call for better security: "It emphasizes the critical importance of maintaining strong authentication measures in both personal and professional web applications. With so many accounts potentially open for hacker use in distributing advanced malware, a data breach of this scale will no doubt have a far reaching impact on malware distribution worldwide.”

Rankin recommends using a second factor authentication to ensure that accounts are not being used by malware spammers, and in particular warns enterprise organizations that the breach is even more their problem than the individual users’. “Because enterprise assets such as laptops are used in blurred fashion between personal and professional every day in our daily lives, it also underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats. Perimeter defenses and signature solutions alone are wholly insufficient. A hack like this one provides a very large distribution hub through legitimate accounts, on a huge scale, and for years to come."

“Every single Yahoo user should be turning on Yahoo’s two factor authentication immediately,” says Jonathan Sander, vice president of product strategy for Lieberman Software. “Yahoo has been prompting users to do this for months and most have ignored the call for extra security. If a headline like this can’t motivate them to take Yahoo’s good advice and use the extra security they’re offering, I’m not sure what could.”

Since specifics on the breach aren’t available yet, it’s impossible to assess the full impacts, but all agree that accounts that have been breached have value, and that account holders are at immediate risk. Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies, notes: “that accounts that have been breached have tangible value, because for ages and despite warnings not to, people have used the same password for multiple sites. The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering that many passwords is hard.

"So, what is the value of the breached accounts to the dark web and hacker community? The true value comes from the ability for attackers to socially engineer attacks specifically targeting breached victims. They have personal identifiable information most of the time, such as names, address, phone numbers, and email addresses. We may not realize it, but when an attacker gains control of your email, they in essence own your identity. The attacker that buys the breached credentials will dictate what level of mischief or flat out criminal activity that will ensue; some will design spoofing attacks to try and get at higher profile information within an organization, while others will directly attack other websites looking for the same username/password combination they obtained from the breach. The bottom line here is: if you have a current Yahoo account or have ever had a Yahoo account; change all of your passwords - pronto."

Mark Wilson, Product Management Director with STEALTHbits Technologies, agrees. "Unfortunately, these large-scale incidents against high profile organizations are becoming the norm.  The reason is that all attackers want the same two things; credentials and data – because data has value.  Organizations holding vast amounts of credentials, such as Yahoo, are prime targets.  Even if only 1% of the compromised credentials have access to data of any value, that’s still a full 2 million accounts worth of data.”

The mass amounts of PII “gives Yahoo! hackers more advanced abilities and better odds at accessing bank accounts, credit facilities, maybe even private content such as we have seen with ‘celebrity’ home movies.  It’s all data that bad actors are prepared to pay large sums for,” Wilson said.

"If you think about it, personal data may often have a larger dollar value than many businesses do."


A Silver Lining:  The Long-Overdue Death of Password Dinosaurs?

Something good can come of this as it could be the long-overdue deathblow to user names and passwords.  VASCO’s John Gunn: “User names and passwords are 30-year old technology that has been supplanted by multi-factor authentication methods that are more effective and much easier for users. When a meaningful number of users move their engagement away from online service providers who are mired in the past and have no concern for their users’ security, the industry will finally have to take action and implement security that will stop hackers.”

Unfortunately, for the time being, a full half billion current and former Yahoo! account holders can only wonder who’s got their information, what it’s being used for, and what lies ahead for them.

It may be another 4 years (or more) before they find out.