‘New Intelligence’ Reveals Every Single Yahoo User Account Was Pwned
Yahoo says its entire user base of 3 billion accounts was compromised by an August 2013 data breach. While the breach had been previously disclosed, the count of victims is triple Yahoo’s December 2016 estimate that 1 billion accounts were compromised.
The revised count comes as the result of “new intelligence” gathered by third-party digital forensic experts who have been working with Yahoo following its June acquisition by Verizon, Yahoo says. Verizon paid $4.5 billion for Yahoo, which is now part of its Oath subsidiary.
“We are now notifying the additional user accounts,” Yahoo says in a FAQ posted Tuesday.
The 2013 breach exposed names, email addresses, phone numbers and birthdates. In some cases, unencrypted versions of security questions and answers that were used to recover account access were also stolen. It also exposed passwords that had been hashed using the MD5 algorithm, which at the time was already considered an unsafe password-handling practice.
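To make concrete why unsalted MD5 is a poor password store and what the accepted alternative looks like, here is an added example (not code from the article or from Yahoo). It contrasts plain MD5 with salted, iterated PBKDF2-HMAC-SHA256: under MD5 every user with the same password stores the same digest, so one crack of a common value exposes every account that uses it, whereas a per-record salt and a high iteration count make each stored value unique and expensive to test. The iteration count and the `pbkdf2_sha256$...` storage format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; 600,000 iterations follows current
# OWASP guidance for this algorithm (chosen for this example).
PBKDF2_ITERATIONS = 600_000


def md5_password_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article describes as already unsafe in 2013.
    Two users with the same password get the same digest, and MD5 is fast enough
    that precomputed tables cover most common passwords. Shown only as the weak form."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_password_hash(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns a self-describing string
    (scheme$iterations$salt$digest) so the verifier can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare in
    constant time, so a wrong guess reveals nothing through timing."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_collides(scheme, password: str = "hunter2") -> bool:
    """True if two independent records of the same password store identical values,
    which is what lets one cracked value unlock every account sharing that password."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("MD5 collides for equal passwords:   ", same_password_collides(md5_password_hash))
    print("PBKDF2 collides for equal passwords:", same_password_collides(pbkdf2_password_hash))
    stored = pbkdf2_password_hash("correct horse battery staple")
    print("correct password verifies:", verify_pbkdf2("correct horse battery staple", stored))
    print("wrong password verifies:  ", verify_pbkdf2("Tr0ub4dor&3", stored))
```

The stored string carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a mass reset of the kind Yahoo had to perform.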
Because Yahoo forced a system-wide password reset and invalidated all users’ security questions and answers when it originally disclosed the breach last December, newly discovered breach victims don’t face any new risks.
But by any measure, the new 3 billion breach figure is staggering, says Troy Hunt, an Australian information security expert who runs the Have I Been Pwned data breach notification site.
“Yahoo is a little bit like Equifax,” Hunt says, referring to the intrusion at the credit bureau that exposed 145.5 million personal records, including credit card data and Social Security numbers for a majority of U.S. adults. “Every time you go ‘Nah, this is it, we’ve hit rock bottom,’ it just keeps getting worse.”
Separate Breach: 2014 Hack
In September 2016, Yahoo warned that it had suffered a 2014 security breach that compromised 500 million users’ accounts. The company’s board ultimately concluded that then CEO Marissa Mayer, other senior executives and the company’s legal team had failed to properly comprehend or investigate the attack when it came to light in 2014.
But long before Yahoo’s September 2016 breach alert, suspicions were strong – even within Yahoo – that its email system had been compromised, says Nick Bilogorskiy, senior director of threat operations for security vendor Cyphort.
Bilogorskiy was the chief malware analyst for Facebook between 2010 and 2011. During that time, he says he had contact with Yahoo researchers who softly advised him to avoid storing sensitive information on Yahoo’s email systems.
“I’m not surprised,” Bilogorskiy says of the latest disclosure. “It’s kind of been the industry’s worst kept secret that Yahoo mail specifically is inherently very insecure.”
Yahoo’s new warning that 3 billion accounts were breached comes as it already faces a raft of class-action lawsuits. The U.S. Securities and Exchange Commission last year launched a probe into whether Yahoo violated securities laws by waiting too long to disclose its breaches to investors (see SEC Reportedly Probing Yahoo’s Breach Notification Speed).
Yahoo’s breach disclosures last year, which followed Verizon’s $4.8 billion July 2016 bid for the struggling search giant, appeared to have nearly derailed the deal. After the breaches were disclosed, Verizon secured a $350 million discount on its purchase price.
The revised acquisition terms require Yahoo to shoulder half of the costs related to government investigations and third-party litigation. Yahoo will also bear full liability for any shareholder lawsuits, as well as the SEC probe. The search giant did not carry cyber insurance.
Justice Department Indictment
Yahoo blamed a “state-sponsored” entity for the theft of 500 million account records, which occurred in late 2014. In an unusual development, however, the U.S. Department of Justice in March indicted four men on charges related to that intrusion (see Russian Spies, Two Others, Indicted in Yahoo Hack).
But only one man, 22-year-old Karim Baratov of Ontario, is in U.S. custody. He is facing allegations in San Francisco federal court of helping the three other defendants in breaching Yahoo’s email system (see Alleged Yahoo ‘Hacker for Hire’ Waives Extradition Hearing).
Two of the other accused men, Dmitry Dokuchaev and Igor Sushchin, are suspected of being agents of Russia’s FSB security service. They remain at large along with Alexsey Belan, an alleged hacker arrested in Greece in 2013 but now believed to be living in Russia.
The men have also been accused of using forged “cookies” to access accounts. When Yahoo first disclosed the August 2013 breach last December, Yahoo said the forged cookies had been used to access some accounts in 2015 and 2016.
Cookies are small data files that can enable continued access to an account for a period of time without needing access credentials. According to the indictment, Belan allegedly stole a backup copy of Yahoo’s user database around November or December 2014.
That database contained a cryptographic value called a nonce that is associated with a user’s account. By obtaining a user’s unique nonce, the attackers could mint a cookie that gave them access to their target’s account, without having to obtain or use the actual login credentials, according to court documents. Prosecutors allege that the men used forged cookies to access at least 6,500 Yahoo accounts.
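The design lesson in the two paragraphs above is that a session cookie must not be reproducible from the user database alone. The following added example (constructed for this article, not Yahoo's actual scheme or code) shows a cookie layout that keeps a per-user session nonce in the user table but binds the cookie with an HMAC under a key held only by the application; a copy of the database therefore yields the nonce but not a valid cookie, an expiry bounds the cookie's lifetime, and rotating the nonce invalidates every outstanding cookie for an account. `SERVER_KEY`, `USER_DB`, the claim names and the `payload.tag` encoding are all this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Signing key held in the application's secret store, never in the user
# database. This separation is the whole point: database contents alone must
# not suffice to produce a cookie the server accepts. (Constructed for this example.)
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the user table. The session nonce is the only
# cookie-related value stored with the user; rotating it revokes all sessions.
USER_DB = {"alice": {"session_nonce": secrets.token_hex(16)}}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id: str, now=None, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Issue a cookie after a successful login: JSON claims plus an HMAC-SHA256 tag.
    Only the server, holding `key`, can produce a tag the verifier will accept."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "exp": now + ttl, "nonce": USER_DB[user_id]["session_nonce"]}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("ascii")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_cookie(cookie: str, now=None, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is authentic, unexpired and not revoked;
    otherwise None. The tag is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):  # malformed structure or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not minted under the server key, e.g. built from stolen DB fields
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    user = USER_DB.get(claims.get("uid"))
    if user is None or claims.get("exp", 0) <= now:
        return None  # unknown account or expired
    if not hmac.compare_digest(str(claims.get("nonce")), user["session_nonce"]):
        return None  # nonce rotated since issue: session revoked
    return claims["uid"]


def rotate_session_nonce(user_id: str) -> None:
    """Call on logout, password reset or suspected compromise to revoke every
    cookie issued for this account, including ones the server never saw again."""
    USER_DB[user_id]["session_nonce"] = secrets.token_hex(16)


if __name__ == "__main__":
    c = mint_cookie("alice")
    print("fresh cookie ->", verify_cookie(c))
    rotate_session_nonce("alice")
    print("after rotation ->", verify_cookie(c))
```

Two operational consequences follow from this layout: the signing key needs its own storage and rotation plan separate from database backups, and a breach response that rotates every user's nonce (as Yahoo's password reset and security-question invalidation effectively did) revokes outstanding sessions without touching the cookies clients still hold.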
Executive Editor Mathew Schwartz also contributed to this story.