Yahoo Breach: User Data Considered Toxic
Computer science and security rely on precision for the descriptions of their constructs and concepts. But there are some things that defy description in these realms, and the Yahoo data breach is one of them.

Wrapping your head around the idea of a breach that affects half a billion users is a difficult task, and it’s not one that anyone has had to contemplate until now. Yahoo’s data breach is far and away the largest on record in terms of the number of users involved. The economic effect on the company will take years to calculate, and it may never be fully known, as is often the case with these breaches. Yahoo, though, already on the ropes and in the middle of a sale to Verizon, may see some rather unpleasant effects quite soon.

From the user’s perspective, too, the massive amount of data taken in the compromise - including dates of birth, email addresses, physical addresses, and security questions and answers - could have far-reaching effects. The information is an identity thief’s starter kit, even without bank account or payment card data. Yahoo has pointed the finger at a state-sponsored attacker, as is customary in these incidents.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter,” the company said in a statement on the compromise.

As gory as they are, the public details of the Yahoo compromise aren’t what’s really interesting or important here. The intriguing part in this case is how long it took Yahoo to uncover and disclose the data breach. In its public statements, the company said it discovered the compromise recently, but the data was stolen in 2014. That fact has drawn the attention of Capitol Hill and a group of senators is asking some very uncomfortable questions of Yahoo CEO Marissa Mayer.

In their letter, Sens. Ed Markey, Patrick Leahy, Elizabeth Warren, Al Franken, Richard Blumenthal and Ron Wyden asked Mayer when and how Yahoo learned of the breach, why the company took so long to uncover it, and whether any government agencies warned Yahoo of an attack by state-sponsored attackers. The lawmakers also said that the data taken from Yahoo could be used easily in other attacks.

“The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers,” the senators said. “This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.”

Much of the data stolen from Yahoo may well be out of date and many of the users affected by the breach may have forgotten years ago that they even had Yahoo accounts. But adversaries know well that people are lazy and reuse credentials all over the web, and whoever compromised Yahoo has had a two-year head start on using the stolen data. Now that the breach is public, users can go and change their Yahoo passwords and any others that may be linked to that account, but they can’t change their dates of birth or other personal information, much as some might like to do so.

Guarding a pile of data as large as the one Yahoo owns is no mean feat. It’s a complex, difficult, and never-ending task, and largely a thankless one. Yahoo, like Google, survives by mining user data, and as long as it stores that valuable information, it will attract attackers. That data, as precious as it is to Yahoo, is poisonous, too. Perhaps it’s time for these companies to rid themselves of the toxin and quit collecting and warehousing untold petabytes of users’ data.

A pipe dream? Probably. But so is the idea that it’s possible to protect that data effectively.

Dennis Fisher
Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.