On the cusp of a $4.8 billion acquisition by Verizon, Internet company Yahoo today disclosed an immense data breach in which a state-sponsored actor is believed to have broken into the company's network in late 2014 and stolen a copy of account information belonging to at least 500 million users.
According to a company statement, stolen information may have included names, email address telephone numbers, birth dates, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. For remediation purposes, Yahoo is invalidating these unencrypted security Q&As.
Unprotected passwords, payment card data and bank account information were not affected, the company asserted, also noting that there is no evidence that the network intruders still have a foothold in their systems.
The technology news site Recode had reported on Thursday that Yahoo would be imminently disclosing a major breach. Yet the announcement still managed to stun observers, after earlier reports had theorized that Yahoo would be confirming a previously reported 2012 data breach that may have affected around 200 million accounts.
News of that apparent 2012 breach came last August, when Yahoo confirmed to Motherboard that it was aware of a hacker with the online moniker “Peace” who was claiming to sell stolen Yahoo user data and credentials on a dark web marketplace. While the report indicated that the data appeared genuine, Yahoo never confirmed the authenticity of the hack or forced a password reset for its users.
Many experts thought today's announcement would verify that alleged attack, and not a heretofore unknown breach – let one that would rank among the largest of all time, perpetrated by a rogue nation's advanced persistent threat group.
Yahoo stated that it is taking steps to notify potentially affected users, but it is also recommending that users change their passwords if they haven't since 2014. The company statement also recommended that customers “avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”
In the wake of the announcement, observers have speculated that the incident might drive down Yahoo's value and negatively impact its impending purchase by Verizon – a deal announced last July.
“It is imperative that companies make cybersecurity a top priority in the M&A process. Just as both parties' management is surely preparing for the acquisition by getting their house in order from a financial and operational perspective, it is equally important that they pay close attention to their cyber posture,” said Steven Grossman, vice president of strategy and enablement at Bay Dynamics, a cyber risk analytics firm, in emailed comments to SCMagazine.com.
In this instance, “a Yahoo breach may lead to lawsuits, which puts a significant liability on Yahoo's balance sheet that may reduce its value to Verizon. Additionally, a breach could cause a major hit to Yahoo's reputation that again may reduce its value and may reflect poorly on Verizon,” added Grossman.
Recode printed the following statement from Verizon-owned AOL: "Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
The announcement also prompted calls for better password management and data stewardship on the part of both companies and customers. Yahoo account holders, for instance, may now want to change passwords for not just Yahoo, but any other online service with which they registered the same credentials. Otherwise, those web services will be just as susceptible to the attackers.
“The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering that many passwords is hard,” said Brad Bussie, director of product management at data security software company STEALTHbits Technologies. Still, the practice is vital when one considers what's at stake.
“We may not realize it, but when an attacker gains control of your email, they in essence own your identity," Bussie explained. At that point, "some attackers will design spoofing attacks to try and get at higher-profile information within an organization, while others will directly attack other websites looking for the same username/password combination they obtained from the breach,” Bussie added.
Tony Gauda, CEO of data security company ThinAir, expressed concern over hackers using the stolen data to conduct effective spear phishing campaigns against Yahoo users. “Consumers are naturally weary of unsolicited calls, but when the caller knows your date of birth, and possibly the name of your first pet, the success of this form of scam increases dramatically,” said Gauda in comments sent to SCMagazine.com “All in all, this breach underscores just how valuable data is.”
Attackers could also potentially use compromised Yahoo accounts to spread malware to others. "With so many accounts potentially open for hacker use in distributing advanced malware, a data breach of this scale will no doubt have a far reaching impact on malware distribution worldwide, said Bert Rankin, CMO at malware protection firm Lastline. “A hack like the…Yahoo one can provide a very large distribution hub through legitimate accounts on a huge scale and for years to come.”
The apparent involvement by a foreign APT actor only makes the perpetrators' true intentions all the more mysterious. Vishal Gupta, CEO of digital rights management company Seclore, warned that “The fallout from this attack could be devastating. “For example, this nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously.”
Still others expressed concern as to why Yahoo did not come forward sooner.
“What I'd be asking Yahoo is when it discovered that this attack took place. If it was 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?” mulled Keatron Evans, senior security researcher and principle of Blink Digital Security. “As this story continues to unfold, there may be even more damaging news that Yahoo did not reveal today. The one thing that is clear is that all enterprises need to learn from Yahoo's mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster and avoid them recurring in the future.”
“I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today,” said Sen. Mark Warner (D-Va.), member of the Senate Intelligence and Banking Committees, and co-founder of the bipartisan Senate Cybersecurity Caucus, in an official statement. “Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue, and I urge my colleagues to work together to pass this essential legislation.”