Global Weekly Executive Summary, 06 OCT 2017

Yahoo Breaches Affected All 3 Billion Accounts

The Yahoo data breaches of 2013-2016, of which the August 2013 breach was disclosed in December 2016 as affecting 1 billion user accounts, were already infamous as the largest on record. On 3 October 2017, Yahoo announced that the 2013 breach was larger than previously thought, likely affecting all 3 billion Yahoo user accounts that existed at the time.

Details:

  • In August 2013, an unknown attacker stole data associated with all existing Yahoo user accounts.
  • The types of data stolen were “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” (Source: Yahoo 2013 Account Security Update FAQs)
  • Cleartext passwords, payment card data, and bank account information were not among the stolen information.
  • The August 2013 breach was the first of three large Yahoo data breaches. The second occurred in late 2014, and the third occurred in 2015 and 2016.
  • Yahoo has said that it believes “an unauthorized third party accessed our proprietary code to learn how to forge cookies” and that it was “investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” “Outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
  • Yahoo stated that “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company” disclosed in September 2016 (the late-2014 breach). Yahoo did not say which state it believed was behind the theft.
  • The US Department of Justice has charged two Russian Federal Security Service (FSB) officers and two hackers in connection with the 2014 breach.
  • Yahoo used MD5 to hash passwords prior to the August 2013 breach. They began using the bcrypt password hashing mechanism later in 2013.
  • In December 2016, Yahoo required a password change for all users who had not changed their password since the breach. They also invalidated unencrypted security questions that could be used to access an account.
  • Yahoo was acquired by Verizon and became part of Oath, an umbrella company that covers AOL, Yahoo, and the brands that operated under those companies, such as Tumblr, Flickr, MapQuest, HuffPost, Engadget, and Moviefone.
  • In September 2017, a US District Judge ruled that Yahoo must face litigation on behalf of the users whose personal information was stolen in the breaches.
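The cookie-forgery point above is worth making concrete. Yahoo has not described how its cookies were constructed, so the following is an added example, not Yahoo's code: it contrasts a constructed session-cookie scheme whose only secret is a constant in the source (so stealing the code is enough to mint a cookie for any account) with an HMAC-keyed scheme whose key is generated at deployment and never appears in the code. All names, the `CODE_CONSTANT` value and the `SERVER_KEY` handling are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# --- Scheme 1 (forgeable): the "secret" is a constant in the source tree.
# Constructed stand-in for a design where reading the code is enough to mint cookies.
CODE_CONSTANT = b"legacy-cookie-pepper-v2"  # assumption: checked into the repo


def issue_cookie_obscure(user_id: str) -> str:
    tag = hashlib.md5(user_id.encode() + CODE_CONSTANT).hexdigest()
    return f"{user_id}|{tag}"


def verify_cookie_obscure(cookie: str):
    user_id, _, tag = cookie.rpartition("|")
    expected = hashlib.md5(user_id.encode() + CODE_CONSTANT).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


def attacker_forge_obscure(victim: str, stolen_constant: bytes) -> str:
    # The attacker reproduces the algorithm from the stolen source; no
    # per-deployment secret is needed, so any account can be impersonated.
    tag = hashlib.md5(victim.encode() + stolen_constant).hexdigest()
    return f"{victim}|{tag}"


# --- Scheme 2 (keyed): HMAC over user id and expiry with a key that lives
# outside the code (assumption: loaded from a secret store in production).
SERVER_KEY = os.urandom(32)


def issue_cookie_keyed(user_id: str, key: bytes, ttl: int = 3600, now=None) -> str:
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}|{exp}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie_keyed(cookie: str, key: bytes, now=None):
    """Return the user id if the tag verifies under `key` and the cookie is
    unexpired, else None. The tag covers user id AND expiry, so neither can be
    edited without the key."""
    try:
        user_id, exp, tag = cookie.split("|")
    except ValueError:
        return None
    payload = f"{user_id}|{exp}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if int(exp) < (now if now is not None else time.time()):
        return None
    return user_id


if __name__ == "__main__":
    # Stolen code is enough against scheme 1...
    forged = attacker_forge_obscure("victim@example.com", CODE_CONSTANT)
    print("scheme 1 forgery accepted:", verify_cookie_obscure(forged) is not None)
    # ...but against scheme 2 the attacker also needs SERVER_KEY.
    guess = issue_cookie_keyed("victim@example.com", b"\x00" * 32)
    print("scheme 2 forgery accepted:", verify_cookie_keyed(guess, SERVER_KEY) is not None)
```

The difference is Kerckhoffs's principle applied to session state: the design must survive disclosure of the code, so the only thing that must stay secret is a key that can be rotated. Rotating `SERVER_KEY` invalidates every outstanding cookie at once, which is the response when the signing material itself is suspected to have been taken; a scheme whose secret is a constant in the code has no equivalent short of shipping new code.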
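The MD5-to-bcrypt point above is the other technical detail in the list. As an added example (not Yahoo's code, and with constructed accounts and a constructed wordlist), the block below runs the same dictionary attack against unsalted MD5 hashes and against a salted, slow hash. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the property being shown, a per-user salt plus a tunable work factor, is the same. The iteration count and all identifiers are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist and constructed leaked records.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "sunshine"]


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


LEAKED_MD5 = {
    "alice@example.com": md5_unsalted("password1"),
    "bob@example.com": md5_unsalted("sunshine"),
    "carol@example.com": md5_unsalted("correct-horse-battery"),  # not in the wordlist
}


def crack_unsalted(leaked: dict, wordlist: list):
    """Dictionary attack on unsalted hashes. Each candidate is hashed ONCE and
    the table is matched against every account, so the work is len(wordlist)
    no matter how many accounts leaked (3 here, 3 billion in Yahoo's case)."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(table)


ITERATIONS = 50_000  # assumption: modest cost so the example runs in well under a second


def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash (bcrypt stand-in). Stored as alg$iters$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


LEAKED_SLOW = {
    "alice@example.com": slow_hash("password1"),
    "bob@example.com": slow_hash("sunshine"),
    "carol@example.com": slow_hash("correct-horse-battery"),
}


def crack_salted(leaked: dict, wordlist: list):
    """Same attack on salted hashes. No shared table is possible: every
    (account, candidate) pair costs a full KDF run, so the work is
    len(leaked) * len(wordlist) in the worst case, each unit ITERATIONS times
    slower than one MD5."""
    cracked, work = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            work += 1
            if verify_slow(w, stored):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEAKED_MD5, WORDLIST))
    print("salted slow hash:", crack_salted(LEAKED_SLOW, WORDLIST))
```

Both runs recover the same two weak passwords, which is the caveat a practitioner should keep in mind: a slow salted hash raises the cost per guess, it does not rescue a password that is in the attacker's wordlist. It does turn "one pass over a wordlist cracks every account" into "one full KDF run per account per guess", which is what makes the 2013 dump so much worse for users than a bcrypt dump of the same size would have been.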

Significance: The largest data breach in history is now even larger, and it took nearly a year of investigation with the assistance of outside experts to determine the real scope of the breach. We may see this pattern repeat in other breaches, such as the recent Equifax data breach, which initially reported that 143 million US consumers were affected before revising the number upward to 145 million in the US plus 300,000 in the UK. Security professionals have questioned how billions of user records could have been exfiltrated before Yahoo's security team noticed the compromise.

Sources:

Yahoo, Yahoo 2013 Account Security Update FAQs

Oath, Yahoo provides notice to additional users affected by previously disclosed 2013 data theft

Yahoo, Important Security Information for Yahoo Users

Reuters, Yahoo must face litigation by data breach victims: U.S. judge