In its quarterly report to the SEC, Yahoo disclosed that an adversary may have deployed cookies that would allow attackers to bypass credential log-in mechanisms when accessing online accounts.

In a filing with the Securities and Exchange Commission (SEC) on Wednesday, Yahoo admitted that some individuals within the company were aware of a network systems intrusion by a state-sponsored actor – one that ultimately led to the compromise of over 500 million accounts – shortly after the incident occurred in late 2014. The revelation is a potentially damaging one, considering that Yahoo sat on the news until finally disclosing the breach publicly on Sept. 22, 2016.

In the same quarterly report, Yahoo acknowledged evidence that an adversary – likely the same one responsible for the breach – deployed cookies that would allow attackers in certain instances to bypass credential log-in mechanisms when accessing victims' online accounts.

A source familiar with the Yahoo data breach described the act as counterfeiting a login cookie.

According to the filing, the mega-breach disclosure resulted from a July 2016 investigation into a rumored 2012 data breach, which "intensified an ongoing broader review of the Company's network and data security," including an August 2016 analysis of the 2014 state-sponsored network intrusion. (Yahoo was not able to substantiate rumors of the unrelated 2012 incident.) The source familiar with the case said that it was only after Yahoo conducted this additional analysis with the help of forensics experts that the company had a more complete picture of what truly occurred.

These latest developments continue to cast an unflattering light on Yahoo, whose handling of the breach debacle has already come under fierce criticism. Mike Patterson, VP of strategy at threat response management firm Rook Security, told SC Media in an email interview that if the company's account proves accurate, it's “probably the worst known case of procrastination I can think of,” adding that he was “shocked” by Yahoo's latest disclosures.

“If indeed Yahoo knew about this breach earlier, and they realized it affected their customers' account security, it would be very disappointing that they did not inform their customers to protect them,” agreed Corey Nachreiner, CTO at network security solutions provider WatchGuard Technologies, in his own email interview with SC Media. “No business is expected to be invulnerable, but we should expect businesses to quickly inform their customers if any security incident affects their data or accounts, especially if it could help the customers protect themselves from repercussions.”

A section of the SEC filing entitled “Security Incident” states that an Independent Committee of the Yahoo Board of Directors, under the advisement of independent counsel and a forensic expert, “is investigating, among other things, the scope of knowledge within the Company in 2014,” as well as “the extent to which certain users' account information had been accessed, the Company's security measures,” and the possible use of cookies.

The company also said it will forensically investigate a set of possible user account data that law enforcement authorities disclosed to the company on Monday. Authorities received the data from a hacker claiming to be in possession of Yahoo user information.

Larry Zulch, president and CEO of network performance and security firm Savvius, suggested to SC Media that the investigation should have yielded more definitive answers by now. “The inability of the forensics experts brought in by Yahoo to quickly determine an accurate view of act and actor points to a weakness in Yahoo's security stance that is common to most organizations: they can only react to breaches because they failed to prepare for them,” said Zulch in an email interview.

“The resulting uncertainty contributes to the challenges that Yahoo is currently facing. Yahoo should have been storing forensically useful packet data covering the time in question. Although this is a big task, modern techniques make it practical, and experiences like Yahoo's make it vital,” Zulch continued.

Several experts opined that the cookie revelation was particularly significant, including Nachreiner, who warned that “If attackers really did figure out how to add their own ‘persistent’ cookie to an account, it essentially could give them unfettered access.”

Patterson explained that the attackers may have sidestepped the Yahoo password log-in process altogether if they had access to users' session and cookie data. “Essentially, the attack would load the Yahoo mail page just as any logged-in user would... This is a form of session hijacking,” said Patterson, noting that Yahoo has not specifically indicated if attackers were able to acquire the necessary session and cookie data to execute this scheme. “I'm assuming this was overlooked in the incident notification,” he added.

Yahoo has previously stated that user passwords stolen in the breach were hashed, but if cookies were indeed used to circumvent the log-in mechanism, then the fact that passwords were hashed would be irrelevant, since a forged cookie bypasses the password check entirely.

Meanwhile, Zulch noted that the cookie disclosure “indicates that the attacker planned for extended and repeated access to Yahoo. Planting the cookies makes subsequent access look like legitimate user activity, so the actor could return time and again with little fear of detection.”
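The filing does not say how Yahoo's cookies were constructed or how they were counterfeited. To make the mechanism Patterson and Zulch describe concrete, the following is an added example (not Yahoo's code, and not from SC Media or the quoted experts) of a login cookie as a server would issue and verify it. It contrasts a weak design, in which the server simply trusts the user identity stored in the cookie, with a design where the cookie carries an HMAC computed under a server-side key, so that a cookie built without that key is rejected, and rotating the key invalidates every cookie issued before the rotation. The cookie layout, the `SERVER_KEY`, the user name `alice` and the fixed timestamp are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key material for the example; a real service keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_TTL = 3600  # seconds a cookie stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _payload(user: str, now: int, ttl: int) -> str:
    return _b64(json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode())


# --- Weak design: the server trusts whatever identity the cookie claims ---------------

def issue_cookie_unsigned(user: str, now: int, ttl: int = COOKIE_TTL) -> str:
    return _payload(user, now, ttl)


def check_cookie_unsigned(cookie: str, now: int):
    """Returns the user the cookie names, with no proof the server ever issued it."""
    try:
        data = json.loads(_unb64(cookie))
    except ValueError:
        return None
    return None if data.get("exp", 0) < now else data.get("user")


# --- Hardened design: the cookie carries an HMAC under a server-only key ---------------

def issue_cookie_signed(user: str, key: bytes, now: int, ttl: int = COOKIE_TTL) -> str:
    payload = _payload(user, now, ttl)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def check_cookie_signed(cookie: str, key: bytes, now: int):
    """Returns the user only if the tag verifies under `key` and the cookie is unexpired."""
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None  # tag does not verify: forged, tampered, or signed under another key
        data = json.loads(_unb64(payload))
    except ValueError:
        return None
    return None if data.get("exp", 0) < now else data.get("user")


def cookie_built_without_key(user: str, now: int, ttl: int = COOKIE_TTL) -> str:
    """A cookie in the right layout but with a placeholder tag, i.e. what can be produced
    by someone who knows the format yet does not hold the server key."""
    return f"{_payload(user, now, ttl)}.{_b64(bytes(32))}"


def demo() -> dict:
    now = 1_700_000_000  # constructed fixed timestamp so the results are deterministic
    good = issue_cookie_signed("alice", SERVER_KEY, now)
    fake = cookie_built_without_key("alice", now)
    rotated_key = secrets.token_bytes(32)  # the remediation step: rotate the signing key
    return {
        "unsigned_accepts_fake": check_cookie_unsigned(fake.split(".")[0], now) == "alice",
        "signed_accepts_genuine": check_cookie_signed(good, SERVER_KEY, now) == "alice",
        "signed_rejects_fake": check_cookie_signed(fake, SERVER_KEY, now) is None,
        "signed_rejects_expired": check_cookie_signed(good, SERVER_KEY, now + 2 * COOKIE_TTL) is None,
        "rotation_invalidates_old": check_cookie_signed(good, rotated_key, now) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the example makes about the Yahoo case is that an HMAC only defends against someone who lacks the key. Since the filing says cookies were counterfeited for real accounts, the attacker evidently obtained whatever secret the server used to mint them, and in that situation the only remediation is the one shown last: rotate the key (or otherwise invalidate all outstanding cookies) and force users to log in again. That matches Zulch's observation that a planted cookie makes each return visit look like an ordinary logged-in user, which is why such access is hard to catch by watching login failures.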

Yahoo reported taking a $1 million hit in the quarter ended Sept. 30, noting that it will continue to be financially impacted by ongoing remediation, investigations and legal challenges. The company cited 23 different putative consumer class-action lawsuits that have been filed against the company in federal, state and international courts. Moreover, Yahoo's impending acquisition by Verizon is also imperiled by the breach.

Yahoo is not covered by cybersecurity liability insurance.

“The investigation of the Security Incident is ongoing, and we are still in the process of assessing the financial and other effects of the Security Incident,” the filing reads. “We may identify additional information that was accessed or stolen, or develop a clearer understanding of the Security Incident... which could have an adverse impact on our business, results of operations, financial results, and reputation.”

Next to what infidelity data service Ashley Madison experienced after its systems were hacked, the potential consequences Yahoo is dealing with are as dire as Patterson can recall a company facing. “Yahoo is super exposed here and we aren't even talking about investor lawsuits that would take place should the merger be terminated, in addition to questions about why this was never disclosed to the SEC in its annual filings,” said Patterson, calling Yahoo's lack of effective cyber policy “almost unforgivable.”

Asked for comment, Yahoo directed SC Media to its quarterly report.