You’ve already been victimized by Yahoo!’s massive breach



The theft of an estimated one billion user accounts from Yahoo! was big news on Wednesday. But for Yahoo! users, the damage from the 2013 incident has almost certainly already been done.

The news Wednesday was that online search and advertising giant Yahoo! was the victim of another massive data breach – this one even bigger than the theft of some 500 million user accounts that it disclosed last fall.

But the theft, involving an estimated one billion Yahoo! user accounts, isn't new. It is ancient history by data breach standards: the theft occurred in 2013, unbeknownst to Yahoo! The news left the company's customers scrambling to change passwords. Unfortunately, given how long it took to recognize and disclose the breach, the damage from the heist has almost certainly already been done.

News about the breach was first disclosed in a statement by Yahoo! Chief Information Security Officer Bob Lord on December 14. Lord said that the company became aware of the heist only last month, when law enforcement provided Yahoo! with data files that a “third party” claimed were Yahoo user data. A forensic analysis of it confirmed that it was Yahoo data, but that it was not linked to an incident the company disclosed on September 22, 2016 and that affected some 500 million users.

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” Lord said.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers, Lord said. Payment card and bank account information were not part of the heist. The choice of MD5 matters: it is a fast, general-purpose hash rather than a purpose-built password hashing function, so anyone holding the hashes can test candidate passwords against them offline at enormous rates on commodity hardware, and hashes that also appear in earlier dumps can simply be looked up.
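As an added illustration (not part of the original article, and not Yahoo's code), the following Python shows why an MD5 password dump is effectively already cracked once it leaks. The accounts, passwords and wordlist are constructed; the hashes are assumed to be unsalted, since the statement says only "MD5". For contrast, it also stores the same passwords with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256) and counts what cracking each form costs.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: accounts whose passwords were stored as MD5, the
# way the article describes the stolen hashes. Unsalted storage is an
# ASSUMPTION for this example; the Yahoo statement says only "MD5".
SAMPLE_PASSWORDS = {
    "alice@example.com": "123456",
    "bob@example.com": "letmein",
    "carol@example.com": "123456",
    "dave@example.com": "correct horse battery staple",
}

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "111111", "iloveyou"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_dump(passwords: dict) -> dict:
    """Simulate the breached table: user -> unsalted MD5 hex digest."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def duplicate_groups(dump: dict) -> dict:
    """Unsalted hashes leak equality: users sharing a password share a digest,
    so reuse is visible before a single hash is cracked."""
    groups = defaultdict(list)
    for user, digest in dump.items():
        groups[digest].append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def crack_unsalted_md5(dump: dict, wordlist: list) -> tuple:
    """Hash each wordlist entry ONCE, then look every user up in that table.
    Cost is len(wordlist) MD5 calls no matter how many users were stolen,
    which is why a billion unsalted hashes is no harder than one."""
    table = {md5_hex(w): w for w in wordlist}
    recovered = {u: table[d] for u, d in dump.items() if d in table}
    return recovered, len(wordlist)


def build_pbkdf2_dump(passwords: dict, iterations: int) -> dict:
    """The defensive contrast: per-user random salt plus a slow KDF."""
    dump = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        dump[user] = (salt, dk)
    return dump


def crack_pbkdf2(dump: dict, wordlist: list, iterations: int) -> tuple:
    """Salt forces one KDF run per (user, candidate) pair, each costing
    `iterations` HMAC rounds, and equal passwords no longer yield equal
    records. Weak passwords still fall, just at a far higher price."""
    recovered = {}
    kdf_calls = 0
    for user, (salt, dk) in dump.items():
        for w in wordlist:
            kdf_calls += 1
            cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(cand, dk):
                recovered[user] = w
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    md5_dump = build_md5_dump(SAMPLE_PASSWORDS)
    print("reuse visible from digests alone:", duplicate_groups(md5_dump))
    rec, ops = crack_unsalted_md5(md5_dump, WORDLIST)
    print(f"MD5: recovered {len(rec)}/{len(md5_dump)} with {ops} hash ops -> {rec}")
    kdf_dump = build_pbkdf2_dump(SAMPLE_PASSWORDS, iterations=100_000)
    rec2, calls = crack_pbkdf2(kdf_dump, WORDLIST, iterations=100_000)
    print(f"PBKDF2: recovered {len(rec2)}/{len(kdf_dump)} with {calls} KDF calls "
          f"of 100000 iterations each -> {rec2}")
```

The MD5 run recovers three of the four accounts with six hash computations total, and reveals before cracking that alice and carol share a password. The PBKDF2 run recovers the same three weak passwords, but only after a KDF call per user per candidate, which is the cost multiplier that the MD5 dump never imposed on its thieves.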

Yahoo's advice to customers is sensible-sounding enough. Users are advised to change their passwords and security questions for their Yahoo account and for "any other accounts on which you used the same or similar information," to review their accounts for suspicious activity, and to beware of unsolicited communications that ask for personal information. Customers are also advised to secure their Yahoo account with Yahoo Account Key, the company's two-factor solution.

That's all well and good, but this news and advice are too little and far too late. By Yahoo's own accounting, the theft occurred in August 2013, more than three years ago. Yahoo missed it at the time, for reasons we can't determine, and became aware of it only when presented with evidence of the stolen data.

In other words, the stolen data (usernames, passwords, dates of birth, and the challenge and response questions that can be used to reset passwords) has been in the hands of cyber criminals or state-sponsored actors for years, and has likely already been used to compromise accounts, whether in a targeted fashion or en masse.

Who are the likely targets? With roughly one billion names to choose from (effectively Yahoo's entire user base), criminals have no shortage. Bloomberg reported, for example, that 150,000 U.S. government and military employees are among the victims of the latest breach. Using ordinary data analysis tools, attackers can also combine the Yahoo data with data from other, similar breaches to compile detailed profiles of high-value targets that then inform spear phishing attacks. With more than three years having passed since the initial theft, the attacks that "might" follow from such an incident have most likely already occurred. We're not speculating about what could happen so much as reflecting on the shape of what already has.

Given the breadth of the data breach and hacking problem, it is difficult to separate the threads connecting one incident to another. Did the Yahoo breach in 2013 provide the information that fueled other attacks – and which ones? Or was the Yahoo attack itself the outgrowth of another data leak involving a Yahoo employee or employees? It is difficult to know.

What we do know is that these breaches have a cumulative effect on our economy and society. The U.S. Department of Health and Human Services reported that it received reports of 286 breaches affecting more than 15 million people in 2016; 93 of them were hacking incidents affecting more than 12 million people. And that's just reported incidents in one sector, healthcare.

It's impossible to estimate the full impact of incidents like Yahoo's, especially so long after they occurred. Like dangerous chemicals seeping into a well, the effects of data leaks and thefts like those at Yahoo may register immediately but take months or years to fully grasp. The damage is done. All we can do now is move forward, a bit the worse for wear, and make sure we're smarter the second time around.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.