Yahoo's security is a huge mess
The latest reports on the data breach revelations at Yahoo, suggest that the company lost data for more than one billion users as far back as August 2013 and that the data is suspected to contain names, email addresses, hashed passwords, security questions and associated answers. In addition, Yahoo has stated that the attackers have accessed Yahoo proprietary code used to generate cookies for user access without credentials.
This major breach raises a number of questions, including: why did it take so long to identify and notify authorities about it? What are the implications for Yahoo users? What might this mean for Yahoo going forward? And what can other companies learn from these events?
Yahoo appears to have been informed by law enforcement that the breach may have occurred, indicating that its internal detection controls have been, and may continue to be, inadequate. This is reinforced by a statement from Bob Lord, Yahoo's CISO, who stated, "We have not been able to identify the intrusion associated with this theft".
Although Yahoo claims that this 2013 notification is distinct from the 2014 breach -- reported in September 2016 -- it raises questions as to why this more significant breach was not identified during earlier investigations. It is possible that forensic investigations may have been too focused on the 2014 breach or simply incomplete. But to add balance to this argument, it should be stated that it is not clear whether the breached systems were related. However, following the 2014 breach, Yahoo should certainly have considered further investigations to identify if any wider breaches had already occurred.
So, what are the implications for Yahoo users? Considering that this breach constitutes approximately one third of Yahoo’s user base, it would be a fair assumption for all Yahoo users that their accounts have been compromised. The data set reported comprises both username and passwords, and whilst the passwords are reportedly encrypted, the weak algorithm in use leaves them wide open to abuse.
If you have not already done so, we would advise Yahoo users and users of related services such as Flickr and Tumblr, to change their passwords with immediate effect. If you have used your Yahoo password with any other service, you should change these too. If you have registered for a web site using a Yahoo email account, you should also consider resetting your password for these services, especially if you haven't used them for some time. Password reset services often use email addresses to manage a password change or forgotten password function. Anyone with access to the breached data could potentially use this information to access any site associated with your Yahoo email account.
Where the Finger Points
Given that Yahoo has announced that proprietary data was accessed, the breach is currently assumed to extend to Yahoo internal systems, suggesting a highly skilled and motivated adversary. Yahoo itself suggested that a state-sponsored hacking group was to blame; other sources have pointed the finger to a professional criminal gang, selling hacked credentials for bitcoins. Access to millions of email accounts would be a clear motivation to many different threat actors of course, including foreign intelligence services and governments.
Reports of the Yahoo breach data being sold on the Darkweb have arisen since the breach, with criminal gangs being attributed to the sale. Claims that the data may have been bought by intelligence services have also been made. Whilst we cannot comment on the veracity of these claims, it’s definitely plausible.
Anecdotal evidence regarding third parties that use Yahoo services raises questions regarding Yahoo’s own understanding of the breach. Service providers such as Sky and BT use Yahoo to provide email and other account management services. These providers have issued guidance regarding what users should do with respect to their Yahoo accounts, for example changing their account passwords, however it is understood they have not directly contacted affected users proactively.
BT’s customer help notification states, "If we detect suspicious account activity which makes us think your account may be compromised, we'll secure the account immediately and prompt you to change your password".
It could be semantics, however this would indicate that BT has not been informed which accounts have been compromised, which leads to the question, does Yahoo even know which accounts have been compromised?
Sky’s statement takes a carte blanche approach suggesting that all users change their passwords. Again, this broad brush approach suggests that it may not know specifically who has been compromised.
Has Yahoo shared information regarding directly affected users with these third parties, or not? Or are the third parties showing due diligence, releasing little specific information whilst trying to avoid an alarmist approach? It is difficult to make a call regarding what machinations have been undertaken behind the scenes, and irrespective, on whom does the obligation to inform and advise affected users lie; Yahoo, or the third parties? One would speculate that these third parties have an obligation to inform affected users as the original contract was with them, not with Yahoo. Is a general statement on their website sufficient, or should pro-active notification of affected users be undertaken? Where does the responsibility lie and who covers the cost of this? I expect legal teams are in overdrive.
We fully expect that further information about the extent of the breach will be released in the near future, but in the meantime, it’s certainly not looking good for Yahoo.
Accentuate the Positive
There are always lessons learned from these major breaches and if nothing else, it kicks some companies into action to make sure it is not them making the next breach headlines. While it is clear that Yahoo should have been in a stronger position to protect its customers’ personal information, it also seems to be the case that there was no response strategy in place to alert and inform users and third parties.
By 2018, the General Data Protection Regulation (GDPR) will require any company doing business in the European Union to more securely collect, store and use personal information and ensure the right procedures are in place to detect, report and investigate a personal data breach. Failure to do so may result in major fines. For Yahoo, the horse may have bolted already, but for other companies the clock is still ticking.
Mark Crowther is the associate director at Cyberis.