Data Breach at Yahoo: Largest in Internet History
Yahoo is back on the map – but not in the way it would like to be. Wrapping up a summer filled with an alarming number of industry-wide data breaches, the company finds itself at the tail end of what is thought to be the largest cybersecurity hack in Internet history. Just last week on Thursday, September 22, Yahoo announced that information associated with some 500 million accounts had been compromised – that’s half of its 1 billion users! The company hasn’t been able to catch a break over recent years and must now deal with this latest, poorly-timed incident. Addressing the matter, Yahoo released the following statement:
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Here Yahoo claims that the news of a recent data breach actually happened two years ago in late 2014. It wasn’t discovered until recently that information associated with some 500 million users had been stolen. Lots of personal information was compromised in the attack, but luckily none of it is financially related to things like user credit cards or bank accounts. Apparently, financial-related data is stored separately from general personal information. But this does leave personal information exposed like names, emails, birthdates, telephone numbers, encrypted passwords (mainly in bcrypt) and security questions with their respective answers. They also go on to suggest that the attack was “state-sponsored”, but will not provide any indications as to what country is responsible. And wait for it, they attempt to wrap it up with a slight sense of relief. Supposedly, there is no current evidence to support the idea that the hacker could still be hiding somewhere inside the Yahoo network. There’s still so many questions to be answered. This statement released by Yahoo only skimmed the surface by addressing:
- When the attack took place and by whom it was executed
- What was stolen and who is compromised as a result
- That the Yahoo is free from hackers and how the company is proceeding
But what the statement doesn’t address are three of what I consider to be the most primary concerns of the matter. These are:
- How did this data breach go unnoticed for two whole years by Yahoo? Are they claiming they didn’t know anything sooner than they said, like in the case of the MoDaCo Data Breach?
- Is there any chance the hackers could still be lurking about in the Yahoo systems?
- How did Yahoo actually discover the breach after two years of it going undetected?
Of course, we wouldn’t bring these unanswered questions to your attention if we weren’t about to provide our perspective. Starting from the top, why did it take so long for this data breach at Yahoo to be uncovered?
According to the Cofounder of Tinfoil Security, Michael Borohovski suggests we consider the different intention of two different types of hackers. The two types are individual hackers and state-sponsored groups, who each have their own objectives when it comes to data breaches. In the case of individual hackers, they want to extract as much information as possible as quickly as possible. Then they use this to create fake profiles before trying to sell them as quickly as possible. They may not focus on covering their tracks as much, making it easier to detect these attacks. On the other hand, larger coordinated attacks often have deeper lying intentions. The hackers are willing to take the time to cover up their tracks in hopes that their intrusion goes unnoticed for some time. Often, they do this so well you only discover the breach by randomly stumbling upon a discrepancy. This could have likely been the case with Yahoo, but at least the company has finally recognized the privacy issue – better late than never.
Although, we shouldn’t brush off any possible negligence on the part of Yahoo. Until evidence reveals the presence of a state-sponsored attack, this could be an attempt to relieve some responsibility for leaving its users exposed. We’re not accusing Yahoo of anything, but you just never know. And incidentally, since writing this piece, it has been reported that the 1st Class-Action Lawsuit against Yahoo has been filed.
So Yahoo said in their statement that they have not found any evidence of the hacker’s presence, but is there still a chance they could be lurking in the shadows of the code?
For all we know, the hackers could very well be inside the Yahoo system waiting to strike. Again, no evidence has been found that would suggest this, but you’ve got to think about how many networks Yahoo has to hide in. Alex McGeorge, Head of Threat Research at Immunity, agrees that there is no surefire way to confirm the Yahoo system is no longer compromised. With the sheer size of Yahoo and all the surface area it has to cover amongst each of its service networks, it’s hard to guarantee anything.
Not to mention that in addition to worry about its own security, Yahoo has learned in the past that it needs to be concerned with the security measures of associated third party companies. Specifically, companies that you share data with must share a similar level of security to protect both of you from data breaches. The problem arises when the parent company is not writing or controlling the third party code, so it ends up leaving holes for an attack.
The third and final question is how was the breach even discovered? But before we get to that, let’s ponder as to who could be on the other side of this attack.
Where Did The Yahoo Data Breach Come From?
There’s debate as to whether the attack came from Russia, China or whether it is just a scapegoat for Yahoo. Both Russia and China have been associated with these sorts of cyberattacks in the past – they both have the power to execute them successfully too. Here are some things to think about for each option:
- Russia: There is no doubt that Russia has been involved in these sorts of cyberattacks in the past. However, it is thought that this is not of typical Russian style, since they often engage in particularly targeted attacks. Often they have to do with the state of the Russian economy (i.e energy sector) or at times even to undermine certain politicians.
- China: It has been said that China loves to gather all sorts of information that they can get their hands on, especially personal data. The country has been implicated in past massive data breaches involving the United States Office of Personnel Management and Google, where the huge tech company was the target of Operation Aurora.
- Scapegoat: There is also the possibility that Yahoo is choosing to call this a state-sponsored attack for the sake of finding a scapegoat. The reason being that it doesn’t look as bad if the company falls victim to a huge, basically unstoppable national cyber force rather than an individual hacker.
Of course, the list above is pure speculation. We’ll have to keep an eye on the news as the situation progresses. The only thing that has definitely been confirmed is that 500 million users have been exposed as a result of the breach!
Second Yahoo Data Breach in 2016: One Leads to Another
This probably won’t come as a surprise, but it’s not the first time Yahoo has been the target of a data breach attack. Let alone, it’s not the first time this year that there have been concerns about a Yahoo data breach.
The only reason this breach was uncovered in the first place is because of reports about another potential attack.
Basically back in July, it was reported that a hacker by the name of “Peace” claimed to have information about 200 million Yahoo accounts. The anonymous hacker claimed that the information came from a 2012 breach and was now being sold on the deep web for around £1,400 – according to a tech site called Motherboard. This same hacker had supposedly sold stolen account information in the past from companies like LinkedIn and MySpace. Each of these breaches occurred in the same 2012 timeframe mentioned by “Peace”. In fact, one notable incident stemming from the LinkedIn breach ended up with Mark Zuckerberg having his Twitter account hacked.
Some online news outlets caught wind of this claim and one company by the name of CNET had posted an article about it. The piece suggested that Yahoo was about to confirm the breach of 200 million users related to an incident in 2012 that caught light earlier this year in 2016. Not long after, new articles were being released outlining a much more significant attack against Yahoo. It turns out that the company was unable to detect the initial breach that was reported, but rather stumbled upon something way larger. Yahoo was the victim of a massive cyberattack leaving 500 million of its users exposed. The original breach being investigated regarding its 200 million users was never really confirmed by Yahoo. Needless to say, Yahoo has had an eventful summer along with the other targets of cyberattacks like Talk Talk, Sage and others.
With Four Years Comes Four Breaches (2012 to 2016)
Two breaches in just one year, where one is confirmed and the other still up for debate. If there’s already been two cases in just 2016 alone, you may be wondering what the years leading up to this has looked like. Hopefully this will give you an idea:
- Earlier in 2012: Yahoo acquires Associated Content, an online publishing platform. This was renamed the Yahoo Contributor Network and eventually rebranded to Yahoo Voices. Upon acquiring this company, Yahoo did not immediately integrate its own authentication process for users and instead relied on the previous infrastructure. As a result, Yahoo was exposed to an SQL injection attack that left about 450,000 accounts and respective passwords exposed. It was later mentioned by Yahoo that only 5% of the passwords were still effective.
- Later in 2012: Later that same year, another company called AstroYogi.com was operating under the Yahoo brand and had been compromised. Basically, any Yahoo user that visited this site was at risk of having personal data stolen. Again, an SQL injection attack was the method used to breach Yahoo by first entering AstroYogi.com. Without getting too technical, the tactic used in the attack was based on the fact that users were redirected from Yahoo to AstroYogi.com. Anyone who wanted to click from Yahoo’s page to AstroYogi.com required that their credentials (i.e. username and password) must be sent from the former to the latter. The hackers took advantage of this to get at Yahoo data. Yahoo would go ahead and keep this in mind for all of its future acquisitions.
- Sometime in 2013: Yahoo Japan reports being hacked leaving roughly 22 million account names compromised. At the time, company representatives said they noticed an unauthorised attempt to gain entry to the company database. The hack resulted in the leak of login IDs, but not passwords or anything else that can be used to change a password. This affected 1.27 million accounts, leaving them exposed to unsolicited phishing, malware and other hacker attacks. It’s also worth mentioning that Yahoo Japan says they have not been affected by the recent newsworthy attacks.
- Summer of 2016: Reports of one breach lead to another massive one that occurred in 2014 and went undetected for 2 years. It is said that Yahoo’s original investigation came back empty handed and then they decided to broaden the scope of the search. Later they discovered a much more serious matter at hand.
Although they keep claiming to be especially concerned with their users’ privacy rights, their track record may suggest otherwise. Wouldn’t you agree that it’s time Yahoo puts some attention and money into their security processes? I know I do.
How You Can Be Impacted Without Being A Yahoo Member
[bctt tweet=”Yahoo… more like Boohoo.” username=”totalshredltd”] At least, this is how the company and its users should be feeling after learning about a massive data breach going unnoticed for roughly two years. Even more so when you stop to think about all of the ways this impacts both members and non-members of Yahoo.
For those of you who are current Yahoo users, this clearly applies to you. However, this also applies to some people out there who don’t consider themselves as Yahoo users – but actually are in a way. If you’ve ever signed up for services like Flickr, Sky or BT (which are owned by Yahoo), you actually have a Yahoo account. These require a Yahoo login to use each service meaning you are also at risk. We also can’t forget about all of us who once opened a Yahoo account having not touched it for years – well, you could be at risk too.
Although Yahoo has taken precautions to ensure the stolen data cannot be used against their own systems, it can still be used with other companies that you have online accounts with. The stolen information is used in “credential stuffing” attacks where hackers basically use programs to run your passwords through a variety of online networks. Since people often reuse one or two passwords for multiple accounts, hackers are able to gain access to these too. These sorts of attacks have become increasingly popular over the past year and a half. It has been said that on average, hackers are only successful with about 1 to 2% of these accounts. So you better hope that you’re not in the 1 to 2% – either way, change your passwords and security question answers immediately. It’s extremely important that you do those two things, especially if those passwords are used for online banking and social media accounts. The last thing you need is someone gaining access to your savings or pretending to be you through fake online accounts. Don’t make it easy for hackers to get one over on you.
If you’re feeling a little weary, you may like these additional ways that you can protect yourself as a current Yahoo member:
- Use Yahoo Login Verification: This requires that every time you sign on from a new, unrecognised device you must enter a verification code sent to your phone or email.
- Sign up for Yahoo Account Key: With this service, you hook your mobile phone up to your Yahoo account. The best part is that no passwords are required. How it works is that each time you want to sign into your account, a notification appears on your phone asking if you’re trying to sign in from your computer. Once you confirm that you are, you will be logged in immediately. So only you have the means of getting into your account and there’s no need to worry about having a password stolen – just keep your email address and phone safe!
- Be Cautious: This incident in general could give way to more hacking and phishing schemes from people pretending to be Yahoo. Especially, since they may be able to get their hands on the list of leaked accounts.
Marissa Mayer’s Uphill Battle with Yahoo
Yahoo has had quite the ride over the past decade between its ups and downs (mainly downs), as well as its many CEOs. Going back eight years ago, it was a time when Yahoo declined a huge £34 billion offer from Microsoft since they thought it severely undervalued them as a company – it was never worth that much again. Following that, the company and investor confidence got shaky. Yahoo went through four CEOs in just six years, until Marissa Mayer took the reigns in July 2012 to try and transform Yahoo.
Who is this Marissa Mayer seeking to do the impossible, you ask? Mayer was a former Google executive who loved a challenge. When joining Yahoo, Marissa Mayer was filling the position no one wanted to be in – the CEO of Yahoo. She had previously played a key role in the design of Google’s major products such as Gmail and Google Web Search. It was thought that she was the most qualified person to turn Yahoo around – some thought no one was qualified because it was an impossible feat. At the time of her arrival, Yahoo had its feet in a bit of everything. This had seriously affected the longevity of the company as competitors took the time to zone in on their core areas and outperformed Yahoo by a landslide. A couple examples include Google in the search engine industry and Amazon in e-commerce. The odds started to stack up against Yahoo, especially when they were late to the punch in the uprising of mobile platforms.
As you can see, Mayer has had her work cut out for her over the past four years. Despite being an incredibly difficult feat to pull off, Mayer’s time at Yahoo has been described as “extravagant” and inactive”. This may refer to all of the recent acquisitions by Yahoo since her arrival, but a failed attempt to improve the company’s longevity. Her acquisition craze amounted to $3 billion, include $1.1 billion spent on Tumblr – which hasn’t provided much value, if any. Among many other acquisitions, she purchased another social platform called Flickr. However, the much debated and latest activity in the M&A field for Yahoo, is their acquisition by Verizon – though this may be as compromised as Yahoo’s users at this point.
In light of the recent incident, it has even been said that Mayer had been unresponsive to suggestions regarding the level of security at Yahoo. Specifically, Alex Stamos, former Head of Information Security at Yahoo urged her to do so, without success. He has since gone on to become the Chief Security Officer for Facebook since 2015.
The criticism does not fall short there, as it is also believed that Mayer had been part of the investigations leading up to this announcement for quite some time. Supposedly, she has been closely involved in the matter stemming from the first report of Internet hacker, Peace, selling information about 200 million Yahoo accounts online. We’re not sure if it’s the stress finally getting to her, but Mayer failed to disclose any information about this when negotiating the Verizon deal. Obviously this will have its own consequences to follow. As for what Marissa Mayer’s future at Yahoo holds for her, we will have to wait and see.
Pending Approval: Acquisition by Verizon
Eight years after turning down a whopping £34 billion offer from Microsoft (the most offered for an Internet company), Yahoo has accepted an offer on July 25 that is just a fraction of the amount. The talks surrounding the Verizon acquisition of Yahoo’s core business (i.e. mail, finance and sports) for a total of about £3.7 billion have been confirmed. This hardly seems acceptable on Yahoo’s part compared to the Microsoft offer, but that’s what happens when you fall from your past peak valuation of over £77.3 billion. The sixteen years since being worth that much have not placed the company in a favourable position. Following the tech bubble burst, the company has been on a steady decline.
So why did Verizon not only agree, but sought out to buy Yahoo?
Well, the company was supposedly interested in the audience that Yahoo attracts, rather than the actual user accounts of its services. Particularly, they wanted to make an addition to its online advertising business which could be done through the acquisition of Yahoo. The telecom company wants to transition into a media company stating that Yahoo provides the necessary means for them to scale. Clearly, the acquisition of Yahoo plays a vital role in this strategy, but how will this be affected by Mayer’s negligence and secrecy?
The whole situation really gets interesting when you consider the timing of this news release. It was right in the midst of the approval process required for the acquisition to go through. It goes without saying that this news comes at a bad time for Yahoo, and sooner rather than too late for Verizon.
Deal or No Deal: How Will the Acquisition Unfold?
Verizon hasn’t discussed the matter in detail, but has given us enough information to sense the dissatisfaction – likely due to hearing about the news only now. You can read their comment on the matter for yourself here:
“Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
Apparently, Verizon has also only recently learned of these events. Though, a source close to the company says that they will need to see how the breach affects the Yahoo assets that are of particular interest. That is before any decisions are to be made about how to proceed. The individual also mentioned that the company will not release its own investigation into the matter since the deal hasn’t officially closed yet. Though, they will definitely want to be sure of any adverse effects and whether it’s worth passing over the Yahoo acquisition or bearing through it. After all, the acquisition of Yahoo was to play a pivotal role in the future strategy. There’s always the chance that Verizon will leverage this news to its benefit – again, who really knows.
However, Yahoo has explicitly stated in the merger agreement between the two companies that no security breaches had occurred and that none would occur by the time of the deal’s closing. Obviously, this clause itself has been breached, so we will have to see how Verizon decides to respond to the matter. It’s interesting because other hacks have exposed sensitive information during times of possible acquisitions, but not affected the outcome. Sameet Sinha, Analyst at B. Riley & Co. says “data breaches have become part of doing business now.” He further justifies this claim by the fact that Microsoft still agreed to buy LinkedIn earlier this year for $26.2 billion. This transaction was completed just a month after it was made public that LinkedIn had been breached in 2012. However, the situation between Verizon and Yahoo could play out entirely differently. Just because Microsoft decided to pursue this deal anyway, doesn’t mean that Verizon won’t walk away from the deal, or at least negotiate a better price for them. If they decided to go ahead with the acquisition anyway, Verizon would face an enormous challenge in reversing the fortunes of Yahoo – and an even greater one now in the face of user distrust.
Declining User Trust Falls with Share Price
Speaking of which, this is also a huge betrayal of its users trust under the presumptions that Yahoo knew about this attack as early as August, but failed to report it until recently. The acquisition transaction is amidst the regulatory approval stage – a very strange time if Yahoo did for some reason release this information intentionally. You would think that if Yahoo were hiding something, they would announce it once the transaction has been approved and completed. Or the total opposite in the case that they would want to release it before the approval process even began to ensure transparency for all parties.
Clearly users are not happy and considering a class action lawsuit has been filed against Yahoo with a participant pool of around 500,000 people. It claims “gross negligence” regarding the fact that it took the company two years to discover that they had been breached. The lawsuit is based on the fact that on average it takes 191 days for a hack to be uncovered and another 58 days to take control of the situation. However, if you remember us speaking about the intentions of individual versus state-sponsored attacks, this could play a role in the timeline of events. Regardless, this will likely devalue the company in the eyes of Verizon.
Speculation: Acquisition Priority Over User Privacy?
The way this situation has played out leaves Yahoo looking a little shady. Whether the timing of this information being made public was coincidental or not remains a question. Either way, Mayer failed to disclose any possible breaches and investigations to Verizon which are now likely to have adverse effects on the future of the deal. We should also consider that Yahoo wouldn’t want to confirm or release information anything until it’s absolutely sure of a breach.
All in all, there are too many questions that still need answers. We know this is going to have a huge impact on both companies involved in this transaction. You’ll have to wonder that if the transaction does go through, will there be a lack of trust between Verizon and Yahoo management? For now we can only speculate and watch as the situation unfolds. So what do you think, will the acquisition still go through or not?
OCTOBER 2, 2016 – Yahoo Data Breach UPDATE
A former Yahoo staffer, familiar with the site’s security architecture is calling into question where and how Yahoo got the 500 million user number from. Given this ex employee’s company knowledge and on going relationships with those within Yahoo as well as those on the investigating team, he strongly believes that the number could be a lot closer to between 1 – 3 billion users. In an article in Business Insider, this former Yahoo exec. In his conversation to Business Insider, he says:
“I believe it to be bigger than what’s being reported,” the executive, who no longer works for the company but claims to be in frequent contact with employees still there, including those investigating the breach, told Business Insider. “How they came up with 500 is a mystery.”
For now, all we can do is continue to sit tight. As and when news breaks, we’ll continue to keep you updated. [bctt tweet=”But one this is for sure, if the number happens to top 1 billion users, you can almost bet that Verizon will either be backing out or asking for a MASSIVE discount. ” username=”totalshredltd “]