Yahoo: From t-shirt-gate to 500 million customer breach
Yahoo has admitted to the biggest data breach in history, losing more than half a billion users’ details to a ‘state-sponsored’ attack
Back in the halcyon days of mid-2012, Yahoo had appointed a new CEO, Marissa Mayer, and was embarking on a rejuvenated push to take back market share from Google. That seems like a long time ago now, as Yahoo’s entire customer base reels from the revelation that more than 500 million customer records have been hacked, in what is believed to be the biggest data breach in history.
Late last week Yahoo execs were forced to admit that hackers had stolen the encrypted passwords and personal details - including phone numbers, birth dates and certain security details - of millions of users way back in 2014, a breach that has taken two years to announce. Alongside the announcement, Yahoo has begun encouraging users to change their potentially compromised passwords via pop-ups and reminders during the login process, as well as encouraging the use of two-factor authentication tied to a mobile device. Unfortunately, the possibility of a chained attack, in which hackers test the captured credentials against other services such as online banking accounts, is all too real, and the attackers have had plenty of time to do so.
Ilia Kolochenko, CEO High-Tech Bridge commented: “Until the breach is properly investigated it's too early and premature to make any conclusions both about the origins and the attackers. For example, we should keep in mind that governments are not the only players on the Dark Web with important technical and financial capabilities. Yahoo's database is a perfect good for almost any cybercrime gang as it can be used to conduct chained and password reuse attacks against companies and individuals.
It's pretty worrying to see that even such companies as Yahoo cannot detect breaches when they occur, and start acting only once customer data is for sale in the public domain. Yahoo users can expect a huge rise in password reuse and spear-phishing attacks as a result of this breach, which they have now had no opportunity to prepare for.”
Reports claim that the discovery was the result of a July 2016 probe into claims by a hacker called ‘Peace’ that details of more than 200m accounts had been accessed. Although no evidence was found to support this claim, a deeper investigation found what Yahoo has called a state-sponsored hack affecting more than half a billion accounts.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” the company said in a statement. “Yahoo and other companies have launched programmes to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”
The firm said around 10,000 users have received such alerts since its new scheme was introduced last December.
"The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network," the company said.
Just months before this successful ‘state-sponsored’ attack, High-Tech Bridge had been in contact with Yahoo on security matters, specifically Yahoo’s then-fledgling bug bounty program, in which High-Tech Bridge participated - only to discover that the ‘bounty’ for a successful bug submission was a $12 voucher for Yahoo’s corporate store. The disproportionately low value of this reward compared to the expertise required (and the black-market value of an unpatched vulnerability) led to much lively debate in the security industry (dubbed ‘t-shirt gate’).
Yahoo responded via a blog post by Ramses Martinez, Director, Yahoo Paranoids, who admitted that historically “we didn’t have a formal process to recognize and reward people who sent issues to us”. Yahoo instituted more reasonable bounties in October 2013, and eventually more than 100 researchers received proper bounties, including High-Tech Bridge whose $1000 bounty was donated to the Open Security Foundation.
In fairness, the vulnerabilities found during ‘t-shirt gate’ were more user-focused, such as an XSS flaw which allowed a Yahoo account to be taken over if the user clicked a crafted link. The newly revealed compromise is somewhat more serious, as Ilia Kolochenko highlighted: “This breach raises a lot of questions about internal security policies at Yahoo. For example, why were such a huge number of accounts compromised? SQL injections (supposing that an insecure web application or a web service was involved) cannot be totally prevented; however, the database's internal security mechanisms should detect and prevent such anomalies when somebody is dumping the entire database.”
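The kind of anomaly detection Kolochenko describes, written here as an added example that is not part of the original article or of either company's tooling; the audit-log format (timestamp|session|rows_returned), the sample lines and the thresholds are all assumed for illustration:

```python
"""Flag database sessions whose read volume looks like a bulk dump.

Added example; the audit-log format and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit lines: timestamp|session id|rows returned.
# Ordinary web sessions read a handful of rows; one application session
# reads the whole table in two large sweeps.
SAMPLE_LOG = """\
2014-11-01T10:00:01|web-sess-1|1
2014-11-01T10:00:02|web-sess-2|1
2014-11-01T10:00:03|web-sess-1|3
2014-11-01T10:00:04|web-sess-3|2
2014-11-01T10:00:05|app-sess-9|250000
2014-11-01T10:00:06|app-sess-9|250000
2014-11-01T10:00:07|web-sess-2|1
"""


def parse_audit(log):
    """Yield (timestamp, session, rows) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, session, rows = line.split("|")
        yield ts, session, int(rows)


def rows_per_session(log):
    """Total rows returned to each session over the whole log."""
    totals = defaultdict(int)
    for _, session, rows in parse_audit(log):
        totals[session] += rows
    return dict(totals)


def flag_bulk_readers(log, factor=100, floor=1000):
    """Return sessions whose total rows exceed both an absolute floor and
    `factor` times the median per-session volume.

    The median stands in for normal per-user traffic, so one dumping session
    cannot drag the baseline up; the floor avoids flagging tiny data sets
    where every session is small and the median is near zero.
    """
    totals = rows_per_session(log)
    if not totals:
        return []
    threshold = max(floor, factor * median(totals.values()))
    return sorted(s for s, n in totals.items() if n > threshold)
```

In a real deployment the same rule would run per time window against the database's own audit or query log, and the flagged session would be throttled or cut before the dump completes.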
It’s certain the aftershocks will continue to reverberate for some time after this historic breach, and although it’s the largest to date, Yahoo is far from the first major internet company to suffer, with recent victims including Myspace (427m users’ details found on the dark web in May 2016), along with 117m LinkedIn accounts and 65 million emails stripped out of blogging platform Tumblr.
A final note on Yahoo: it’s interesting that when Ms Mayer took the helm all the way back in 2012, Yahoo’s stock price was around the $15.96 mark. Even accounting for a post-breach dip, it’s today sitting around the $42 mark, post-Verizon takeover, and, worse still, that post-breach dip was negligible. Certainly Yahoo’s user security worries haven’t translated into stock market losses – maybe it’s a sign that the price of user security just isn’t worth paying for modern corporations?