Somewhere between 500 million and 1.5 billion users’ personally identifiable information (PII) has been stolen from Yahoo in two separate breaches that possibly overlapped. Attribution is speculated to be either nation state or an extremely capable group of hackers. As usual, this is very difficult to ascertain, especially during an ongoing investigation where details are thin.
My suspicion is that differing measures of negligence and technology debt are responsible for many of these big breaches. Massive companies that have been around for a while tend to accumulate older technology at a rate that’s difficult to replace, both from a resource and willingness perspective. This older technology presents attackers with potential weak points in the infrastructure.
Negligence comes from not adequately protecting the PII and other valuable data when sufficient technology has existed for many years. Attackers breach networks all the time, but the exfiltration of useful data should be extremely rare, if that data is properly protected. It appears that Yahoo was not doing enough to protect their users’ information at the time of the breaches.
Organizations that collect PII need to ensure that the information is minimal and appropriate. Only collect the PII you need to provide the service for your business and no more. Further, you need to protect that personal information using strong encryption.
Disappointingly, the stolen passwords were hashed with MD5, a hashing algorithm that as of 2008 was considered “cryptographically broken and unsuitable for further use.” It’s also disappointing that security questions were stored unencrypted on the company’s systems. This makes it trivial for anyone in possession of this information to breach users’ accounts. Thankfully, Yahoo has since strengthened the hashing algorithm, but that’s cold comfort for the affected users.
Organizations that collect and store authentication information need to do so in a way that conforms to security best practices. This means properly salting, hashing and stretching your users’ passwords. Even if the intruders get a hold of your password database it should be practically useless.
Given that Yahoo admits source code for authentication cookies was stolen and used, it calls into question how much personal data was stolen from users’ inboxes during the extended breach period. It also wouldn’t be a stretch to wonder how much of the stolen information was then used in spear phishing or other targeted campaigns during this same period. A side note to users reading this: it’s important to remember that the stronger your password, the longer it will take criminals to crack it if a password database is stolen. This gives you more time to change your password in the event of a breach, before hackers figure out your old one.
What’s often missing is the coordination of people, processes and tools. Very often in large breaches there is a failure in one or more of these three key areas. The tools are there to detect, respond and report automatically to events that occur in the environment, but they also need capable people to spot the types of anomalies that machines are unable to detect. Finally, processes need to be put in place that allow the information gathered by the tools, and analyzed by the people, to be shared with relevant stakeholders in the business. This includes the security and risk teams, the affected business unit heads and any technical personnel that is required to resolve the issue.
It is imperative that any users affected by this breach take the time to reset all passwords for any accounts which shared a password with their Yahoo account to something unique, turn on two-factor authentication on all accounts that support it and change their answers to knowledge based authentication (security) questions to something unique for all accounts as well. Now that this personally identifiable information is in the wild users should also be vigilant for any fraudulent activity that could be the result of impersonation or targeted phishing campaigns.