Yahoo said that more than a billion user accounts were compromised in an incident that occurred in August 2013, a disclosure that comes on the heels of Yahoo's announcement in September that 500 million accounts were compromised in a separate incident in 2014. Together, they are the largest known breaches ever of a single company's user data.
Crucially, Yahoo says it has not been able to identify the hackers behind the 2013 theft. The breach highlights the need for strong password hashing and encryption of sensitive fields, for user education about passwords and general cybersecurity protections, and for developing and maintaining a culture of cybersecurity, especially as organizations grow larger.
According to the New York Times: “Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.”
Yahoo CISO Bob Lord said in a statement that, with the assistance of outside forensic experts, the company analyzed data that law enforcement provided to the company and that a third party had claimed was Yahoo user data, which turned out to be the case.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the MD5 algorithm) and, in some cases, encrypted or unencrypted security questions and answers, Lord said. The investigation indicates that the stolen information did not include passwords in clear text, payment card data or bank account information, according to Lord. "Hashed" offers less protection than it sounds here: MD5 is a fast general-purpose hash, not a password-hashing function, so MD5 password hashes can be guessed offline at very high rates on commodity hardware, and if the hashes were unsalted a single precomputed table serves every account in the dump.
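To make the MD5 point concrete, the following is an added illustration (not Yahoo's code and not from the original article) contrasting an attacker's cost against unsalted MD5 password hashes with the cost against salted PBKDF2-HMAC-SHA256. The wordlist, user names and passwords are constructed sample data; the iteration count is a stand-in for whatever a real deployment tunes.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny attacker wordlist and a few "leaked"
# records. Hypothetical users; no real breach data is used.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2013"]

def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()

LEAKED_MD5 = {
    "alice": md5_hex("summer2013"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("letmein"),                      # reuses bob's password
    "dave": md5_hex("correct horse battery staple"),  # not in the wordlist
}

def crack_unsalted_md5(records, wordlist):
    """Unsalted hashes let one table serve every user: hash the wordlist
    once, then match all records by lookup. Returns (user -> password or
    None, number of hash computations spent)."""
    table = {md5_hex(w): w for w in wordlist}
    return {u: table.get(h) for u, h in records.items()}, len(wordlist)

def reuse_groups(records):
    """Identical unsalted hashes expose password reuse before any cracking."""
    by_hash = {}
    for u, h in records.items():
        by_hash.setdefault(h, []).append(u)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Hardened form: per-user random salt plus a deliberately slow KDF.
# (Assumed tuning value for illustration; real deployments benchmark this.)
ITERATIONS = 100_000

def pbkdf2_record(pw: str, salt: bytes = None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def verify_pbkdf2(pw: str, salt: bytes, dk: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)

def crack_salted_pbkdf2(records, wordlist):
    """With salts there is no shared table: every user costs a fresh pass
    over the wordlist, and each guess costs ITERATIONS hash iterations.
    Returns (user -> password or None, total iterations spent)."""
    found, work = {}, 0
    for u, (salt, dk) in records.items():
        found[u] = None
        for w in wordlist:
            work += ITERATIONS
            if verify_pbkdf2(w, salt, dk):
                found[u] = w
                break
    return found, work
```

Against the MD5 dump, five hash computations recover every weak password in the sample and the identical hashes for bob and carol reveal the reuse without cracking anything; against the salted records the same wordlist costs hundreds of thousands of iterations per user and the two "letmein" records look unrelated.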
Yahoo said it is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords — a step it did not take in September. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Separately, Lord said Yahoo thinks an unauthorized third party accessed its proprietary code to learn how to forge cookies, which could allow an intruder to access users’ accounts without a password. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” Lord said. “We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
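The cookie-forging finding is the most instructive part of the disclosure for engineers: if a session cookie's integrity depends on a recipe that lives only in the application's source, then anyone who obtains that source can mint valid cookies for any account. The following added example (hypothetical, not Yahoo's scheme and not from the original article) shows a weak cookie whose tag is a plain hash recomputable from the code, beside an HMAC-signed cookie keyed by a server-side secret held outside the code base. The payload format, key identifiers and key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Weak scheme: integrity tag is a hash over a constant baked into code.
# Nothing here is secret from someone holding the source, so the tag can be
# recomputed for any user and any expiry.
def weak_issue(user: str, expires: int) -> str:
    payload = json.dumps({"u": user, "e": expires}).encode()
    tag = hashlib.sha256(b"session-v1|" + payload).digest()[:16]
    return _b64e(payload) + "." + _b64e(tag)

def weak_verify(cookie: str, now: int):
    p, t = cookie.split(".")
    payload = _b64d(p)
    expected = hashlib.sha256(b"session-v1|" + payload).digest()[:16]
    if not hmac.compare_digest(expected, _b64d(t)):
        return None
    claims = json.loads(payload)
    return claims["u"] if claims["e"] > now else None

def forge_weak(user: str, expires: int) -> str:
    # With the source in hand, the attacker's forger is the server's issuer.
    return weak_issue(user, expires)

# --- Hardened scheme: HMAC under a key that lives outside the code base
# (environment, KMS, HSM). The cookie names the key id so keys can rotate;
# dropping a key id from `keys` invalidates every cookie signed under it.
def hmac_issue(user: str, expires: int, key_id: str, keys: dict) -> str:
    payload = json.dumps({"u": user, "e": expires, "k": key_id}).encode()
    tag = hmac.new(keys[key_id], payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def hmac_verify(cookie: str, keys: dict, now: int):
    try:
        p, t = cookie.split(".")
        payload = _b64d(p)
        claims = json.loads(payload)
        key = keys[claims["k"]]          # unknown/retired key id -> reject
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(t)):
        return None
    return claims["u"] if claims["e"] > now else None
```

In the weak scheme a forged cookie verifies exactly like a legitimate one, and the only remedy is to change the recipe and reissue every session. In the HMAC scheme a cookie signed under a guessed or stale key is rejected, and "invalidating the forged cookies" becomes a key rotation rather than a code change; the verifier also enforces expiry and uses a constant-time comparison on the tag.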
Lord recommended that users change their passwords and security questions and answers for any other accounts on which they used the same or similar information as for their Yahoo account, review all of their accounts for suspicious activity, be cautious of any unsolicited communications that ask for their personal information or that refer them to a web page asking for personal information, and avoid clicking on links or downloading attachments from suspicious emails. He also said users should consider using Yahoo Account Key, an authentication tool that eliminates the need to use a password on Yahoo altogether.
Security experts say that the latest disclosure is a major black eye for Yahoo. “It’s not just one sophisticated adversary that gets in,” Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company, told the Times. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”
The scale of such breaches is growing as companies increasingly put more and more data into similar databases, he said. "When you have these huge databases of information, it's millions — and now billions — of accounts lost," he said.
Security expert Brian Krebs, writing on his blog Krebs on Security, noted that “for years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.”