A second massive and “distinct” Yahoo breach – affecting more than one billion users – that was disclosed Wednesday has raised a number of questions, primarily why the internet company didn't suss out the intrusion earlier, how to mitigate a troubling pattern of attacks, and what this second disclosure might mean for Verizon's impending acquisition of Yahoo.

“The first bit of information that really stood out is that the breach occurred in 2013, before the breach that was reported last September, which had taken place in 2014,” SecBI CTO Alex Vaystikh told SC Media. “The severity of this incident cannot be overlooked. Not only was the intrusion itself not detected in 2013, but no signs of it were discovered during the investigation of the 2014 breach.”

That Yahoo could fall victim to such a massive breach sent out ripples of alarm. 

“If Yahoo, one of the largest tech companies in the world, is struggling with security, how can companies with less resources combat these bad actors?” Jason Hart, vice president and CTO for Gemalto's Data Protection solutions, told SC Media.

Indeed, “companies with fewer resources” should take notice, Sarah Stephens, head of cyber, media and E&O, JLT Specialty, told SC Media, because “they may also be missing detection of significant events.”

Yahoo's failure to uncover breaches sooner and the difficulty it faces in identifying the culprits – the company has said only that an unauthorized third party is to blame and briefly mentioned cookies in an ongoing investigation into the creation of forged cookies and links to a state-sponsored actor in its Wednesday press release – mirrors the struggles organizations face to detect, attribute, prevent and eliminate attacks from what are often well-planned attacks with long-term goals from a patient adversary. “These attacks, by nature, do not occur over one night,” said Vaystikh. “They have high dwell time, lasting weeks, months and maybe even years before they are noticed.”

Yahoo Data Breach Leaves Users Wide Eyed, But Those in Security Know Better 

Somewhere between 500 million and 1.5 billion users' personally identifiable information (PII) has been stolen from Yahoo in two separate breaches that possibly overlapped. 
For John's complete Yahoo blog click here. 

Without “any clear technical details, it's difficult to make any conclusions on who or what was at the origins of the breach," lia Kolochenko, CEO of High-Tech Bridge, told SC Media.

But cybersecurity pros were quick to hazard a guess at what those unidentified hackers might be after. The Yahoo breach also illuminates a growing trend that finds hackers “breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores,” Kevin Cunningham, president and co-founder of SailPoint, told SC Media.

Yahoo email accounts are likely chock full of sensitive files, such as tax or financial documents and healthcare information. “And that's what hackers are after today: sensitive data that is ripe for the taking,” Cunningham said.

Protecting unstructured data, which by some estimations, Cunningham said, could comprise 80 percent of enterprise data. will continue to be “an incredibly big challenge” for those organizations that don't have “proper" visibility into that stored data. “Not only do companies struggle to understand what data even lives in these unstructured data stores, but because hackers often steal copies, it's sometimes impossible to know what data was even taken,” he said. “And, even if you identify and stop an attack, the data is still in the hands of the bad guys.”

The latest attack on the heels of the breach revealed in September “raises serious questions” about Yahoo's security, JLT's Stephens said. “It is fairly extraordinary that a delay of several years could have occurred before the scale of the attack was uncovered,” she said. “A sophisticated and well-established tech behemoth such as Yahoo is likely to have best-in-class intrusion detection and escalation capabilities.”

If attackers used the company's code to forge cookies, the implications could be long-lasting and further highlight poor security on Yahoo's part. "If the code had embedded secrets that allowed this forging of cookies, then that is a code implementation error embedding keys in the code,” Chris Wysopal, CTO of Veracode, informed SC Media. “If there were no secrets then it would likely be a design flaw if access to the code alone could allow forging cookies.”

It is a matter of best practice that important secrets instead “should be stored in an HSM (Hardware Security Module), not in the code or even a configuration file that an attack may be able to get access to,” Wysopal said. “Then there is the access to the propriety code itself. Companies typically consider this the crown jewels and guard it well. How did that access happen?”

He compared getting the information to forge cookies as “essentially a backdoor into user accounts that you can use undetected (or hard to detect) into the future. This is why you don't embed secrets in code, something we look for and have stats about. It's a backdoor once it is discovered."

But all the blame doesn't lay at Yahoo's feet. The latest breach is indicative of poor or outdated security strategies and an indictment of established practices by cloud storage SaaS companies. Further, it raises the question as to how data is used. “The increasing occurrences of these hacks is evolving the conversation around SaaS security from ‘if' to ‘when,'” Joshua Eddy, an expert in product marketing for data storage software and hardware at CTERA, told SC Media. “What we do know is that all of the major cloud storage SaaS companies share some aspect of the data management and security management with their customers.”

Not one of those companies “can claim to allow their customers to enjoy exclusive ownership of their data, their metadata, their encryption keys and their access credentials,” he said. “For a certain class of security-conscious enterprises, this is fundamentally unacceptable."