25th November, 2016

Yahoo: the breach still echos

In November 2014 the database of Yahoo was violated by hackers that were able to penetrate the systems. The vulnerability allowed them to steal confidential information for more than 500 million accounts, but Yahoo disclosure this information to the public only in September 2016, almost 2 years later.

On November 2014 the email servers of Yahoo were violated due to a vulnerability present in the authentication session: apparently the cookies generated could be bypassed without a valid authentication giving access to hackers to several customers information.

Although the IT department of Yahoo asked to announce the breach, the business decided to don't disclosure this threat, that was kept hidden to the public until the fall 2016 violating the "Security breach notification law" of the 2002, a law that requires an entity that has been subject to a data breach to notify immediately their customers and other parties about the breach.

After many rumors were raised during the summer about Yahoo accounts information sold in the black market, on the 22nd September 2016, Yahoo announced that many of its accounts had been compromised due to a vulnerability that has been detected on July 2016.

One of the company who performed an audit to the Yahoo systems, in late 2014, declared that Yahoo was already aware of the breach in November 2014, already 22 months before the official announce.

What has been stolen?

Yahoo confirmed that account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and unencrypted security questions and answers. Unencrypted password, credit card and bank account information were not violated.

Who carried the attack?

Yahoo claimed that the attack was performed by a "state-sponsored actor", but the company didn't share any information as to how it came to that conclusion.

Could this being only an excuse to justify why their protections were so weak? This could appear also as a perfect responsibility avoidance. Therefore we should also consider that a "state-sponsored actor" wouldn't have any interested to sell data to the black market, as it happened, letting discover to others that they were involved in criminal activities.

What is the point?

500 million Yahoo users are discovering that information related with their personal data, that are the same that are commonly used to perform phishing attacks, are today in the hands of hackers. The passwords, even if only the hashes were taken, are apparently the less dangerous information stolen, but what about the challenge responses to reset our passwords, like "what is your favouirte colour?" or "what is the name of your first pet?", that we might use to protect access to other information present in the web like other emails, a social network or an online shopping website where there will be also our credit card information? All these information should be considered not anymore secure if used in any other Internet web site.

What about the ethical problem?

The first point is that Yahoo didn't act correctly to avoid to assume the responsibility and to do not damage the company reputation. Doing that, Yahoo also violated the "Security breach notification law" exposing their customers to potential loss of other accounts handled by other providers (in the case they might have shared password or other challenge responses), but also for a potential identity theft on Internet using the data collected into the Yahoo accounts.

What are the consequences?

This probably happened in the worst moment for the company, right in the process of being sold to Verizon for 4.8$ billions, moreover with accuses of providing customer's data to the government complied with a secret order to search the incoming emails of all of its users in real-time for specific information. This request may have come from the FBI but more likely the NSA creating a “new and dangerous expansion of the government’s mass surveillance", while it's important to remark that companies like Microsoft, Google, Twitter and Facebook have all denied participating in a similar scheme at the behest of the government.

The fact that Yahoo staff knew of the breach at the time it occurred and kept quiet is absolutely unforgivable not only for Verizon, but also for that half billion customers who must now know if they can ever trust Yahoo again.

What actions have been carried by Yahoo?

Multiple issues are indicating that hackers might be still present inside some of the key systems that were subject to the data breach. Because many of the certificates that were issued to secure communications were self signed by the same Yahoo and not updated since January 2015, there is no guarantee that hackers haven’t got access to encrypted communications. Moreover, almost the half of those certificates were using the MD5 and SHA-1, that today is commonly considered insecure.

What to do in this case?

- First of all: force the logout from all active sessions, login again, change the password, force again the logout from all active session and login again.
- Where possible update also the challenge responses adding also a salt to each reply.
- Use complex passwords and store them in a secure way using a password manager stored locally.

Leave a comment


Swiss Identity and Access Management experts

Ask for a Demo