Yahoo disclosed on Wednesday that more than a billion user accounts may have been compromised in a hack dating back to 2013. The incident, Yahoo says, is likely a different incident from the massive breach of 500 million user accounts that was disclosed in September.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo CISO Bob Lord wrote in a breach disclosure. “We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
Data stolen from affected accounts includes names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
“Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” Lord explained. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used."
Yahoo previously claimed it had been attacked by a state-sponsored actor, but without any evidence to uphold that claim, many experts have casted doubt and suggested that Yahoo provide evidence to back up such claims.
In disclosing the additional breach today, Yahoo is holding to its claims that the attacks have been conducted by a state-sponsored actor.
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord wrote.
Some security experts have speculated that it could be any one of the United States’ biggest cyberspace “enemies,” including Russia, China or North Korea.
“The good news is that if enterprises already mitigated their exposure after the first announcement, this second breach notice shouldn’t create additional exposure,” said John Bambenek, Threat Systems Manager of Fidelis Cybersecurity. “An assumption should be every Yahoo! account prior to the breaches were exposed unless the password AND security questions were changed.”
“This is a reminder of why security questions remain a poor idea,” Bambenek added. “ Once someone’s digital identity (their primary email), is connected to security questions, those questions will likely be carried forward to other accounts including bank accounts and credit card online accounts.”
Yahoo’s weak security controls and lack of visibility
“It's fair to assume that anything Yahoo had has been breached and they are undeniably reckless in failing to disclose the size, scale and breadth of the breach for so long,” Chris Roberts, chief security architect at cybersecurity firm Acalvio, told SecurityWeek.
“I think that the biggest frustration looking at this from the outside with the knowledge we have is simply ‘how the heck did they miss it?’ Either at the forensic level or the exfiltration layer,” Roberts asks. “The fact that this quantity of data and this length of hack has continued to go unnoticed, and appears to be a separate hit against Yahoo, smacks of absolute unawareness at some level within the organization for the very basics in security.”
"If the code had embedded secrets that allowed this forging cookies then that is a code implementation error embedding keys in the code,” explained Chris Wysopal, CTO of Veracode on attackers using Yahoo's code to forge cookies. “If there were no secrets then it would likely be a design flaw if access to the code alone could allow forging cookies. Secrets this important should be stored in an HSM (Hardware Security Module), not in the code or even a configuration file that an attack my be able to get access to.”
The ability to forge cookies is essentially a backdoor into user accounts that can be used undetected or hard to detect, Wysopal says. "This why you don't embed secrets in code, something we look for and have stats about. It's a backdoor once it is discovered."
“The newly announced data breach at Yahoo should come as no surprise to anyone,” says Nathan Wenzler, principal security architect at AsTech Consulting. “Considering the insufficient security measures that were previously reported to be implemented by the last investigation of 500 million stolen accounts, it’s clear that the defense strategy Yahoo used was not keeping up with the times.”
There are a two of elements that Willy Leichter, VP of Marketing at CipherCloud, says are disturbing about the latest breach disclosure.
“First is that Yahoo never spotted this breach, and only learned of it years later through outside sources,” Leichter said. “The extent of data exposed is still not clear and these revelations will likely continue. Clearly, better security tools were needed to monitor activity, and detect a major intrusion. The second element involves using effective encryption more widely, and limiting the risk of a breach by not storing all their sensitive data eggs in one basket.”
Venafi, a company that specializes in securing cryptographic keys and digital certificates, previously conducted an analysis of external Yahoo websites and discovered several problems. Researchers determined that more than a quarter of the certificates on the company’s sites have not been reissued since January 2015. Venafi pointed out that replacing certificates after a massive breach is critical to prevent attackers from accessing encrypted communications.
Another problem, Venafi found, is that many of the certificates use MD5 and SHA-1 cryptographic hashing functions, which are no longer considered secure.
Disclosure of the two massive breach comes just months after Yahoo agreed to sell its core internet business to telecom giant Verizon for $4.8 billion. Earlier this month, AOL CEO Tim Armstrong said he is “cautiously optimistic” that Verizon will complete acquisition of Yahoo, despite the previously disclosed breach.
In a statement, Verizon said it would wait until more is know about the attack. "As we've said all along, we will evaluate the situation as Yahoo continues its investigation," Verizon said.
Several class action lawsuits have been filed against Yahoo over the data breach disclosed in September. The users who filed lawsuits against Yahoo allege that the company misrepresented the safety of its systems and services, and the findings of security experts seem to back these claims, particularly when it comes to cryptographic controls.