Things got a lot worse for Yahoo and its users on Wednesday after the internet pioneer admitted that an August 2013 data breach exposed details linked to a further one billion user accounts.
Although the firm has not been able to identify the specific intrusion associated with this August 2013 breach, it believes the incident is separate from the compromise of around 500 million accounts revealed in September.
CISO Bob Lord added in a lengthy statement:
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.”
As if that wasn’t enough bad news, Lord also revealed that a hacker – potentially the nation-state operative(s) linked to the 2014 breach – had been able to access proprietary Yahoo code and learn from it how to forge cookies.
A forged cookie could be used to access an account without ever supplying its password.
Affected customers are being notified and urged to change their passwords, while unencrypted security questions and answers have been invalidated so they can’t be used to access accounts.
“With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks,” said Lord.
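The two remediation steps Lord describes, invalidating the forged cookies and hardening the scheme, map onto a familiar design question: what should a session cookie depend on so that reading the server code is not enough to mint one? The following is an added example, not Yahoo's code (the article gives no detail of Yahoo's actual cookie format). It contrasts a hypothetical unkeyed cookie, which anyone who has read the code can forge, with a cookie authenticated under a server-side HMAC key that is not in the source, and it adds a per-user generation counter so that every outstanding cookie for a user can be invalidated in one step. The key, the counter, and the field layout are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side signing key, generated at process start for this
# demo. The point of the design is that it lives outside the source tree: an
# attacker who has read the application code, as the article describes,
# still cannot mint a valid cookie without it.
SERVER_KEY: bytes = secrets.token_bytes(32)

# Hypothetical per-user session generation counter. Incrementing it
# invalidates every cookie previously issued to that user, which is the
# kind of bulk invalidation the statement describes.
SESSION_GENERATION: Dict[str, int] = {"alice": 1}


def weak_cookie(user: str) -> str:
    """Unkeyed scheme: the tag depends only on the code, so reading the
    code is enough to forge a cookie for any user."""
    return user + ":" + hashlib.md5(("login:" + user).encode()).hexdigest()


def weak_verify(cookie: str) -> Optional[str]:
    user, _, tag = cookie.partition(":")
    if hashlib.md5(("login:" + user).encode()).hexdigest() == tag:
        return user
    return None


def forge_weak_cookie(victim: str) -> str:
    """An attacker who has read weak_cookie() simply reproduces it."""
    return victim + ":" + hashlib.md5(("login:" + victim).encode()).hexdigest()


def issue_cookie(user: str, now: int, ttl: int = 3600) -> str:
    """Keyed scheme: user|generation|expiry, authenticated with HMAC-SHA256."""
    gen = SESSION_GENERATION.setdefault(user, 1)
    payload = f"{user}|{gen}|{now + ttl}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    """Return the user for a valid, unexpired, still-current cookie, else None."""
    try:
        user, gen_s, exp_s, tag = cookie.split("|")
        gen, exp = int(gen_s), int(exp_s)
    except ValueError:
        return None
    payload = f"{user}|{gen}|{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag check
        return None
    if now >= exp:                               # expired
        return None
    if SESSION_GENERATION.get(user) != gen:      # revoked by generation bump
        return None
    return user


def invalidate_all_sessions(user: str) -> None:
    """Revoke every outstanding cookie for a user without a session store."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1


def forge_keyed_cookie(victim: str, now: int) -> str:
    """Attacker's best effort after reading the code for the keyed scheme:
    the payload format is right, but without SERVER_KEY the tag is a guess."""
    payload = f"{victim}|1|{now + 3600}"
    return payload + "|" + hashlib.sha256(payload.encode()).hexdigest()
```

The generation counter is what makes "we invalidated the forged cookies" cheap: bumping one integer per affected user rejects every cookie minted under the old value, forged or genuine, and the user simply logs in again. Rotating SERVER_KEY does the same for all users at once.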
Security experts have been queueing up to argue that this incident, the biggest data breach ever recorded, should be the death knell for traditional password-based systems.
Brett McDowell, executive director of the FIDO Alliance, argued it should be a wake-up call to the industry.
“At the end of a year full of increasingly severe data breaches and password credential leaks, we need to make 2017 the year that we end our dependency on password security and adopt un-phishable strong authentication for all websites and applications,” he claimed.
SecureAuth EMEA boss, James Thompson, said the incident proves password-based systems are broken.
“Is there anyone left that hasn’t had their credentials stolen?” he added. “Organizations must wake up and start thinking beyond the password as a method of authentication, as it is no longer enough.”
Imperva CTO Amichai Shulman added that the long dwell time has ensured this breach has an even bigger impact on Yahoo and its customers.
“While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords,” he explained. “If the enterprises had promptly detected the breaches a lot of the potential damage could have been avoided.”
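Shulman's point about cracking rests on the hashes being unsalted MD5, as Lord's statement says they were. The following added example (not from the article, using constructed hashes and a constructed wordlist) shows why that matters: against unsalted MD5 a dictionary is hashed once and looked up against every account, so the cost does not grow with the size of the dump, whereas a salted, iterated construction such as PBKDF2 forces the attacker to pay the full wordlist, times the iteration count, per account. PBKDF2 is shown only as a contrast; the article does not say what Yahoo replaced MD5 with.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed wordlist standing in for a real dictionary or prior-leak corpus.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "yahoo2013", "iloveyou"]

# Constructed sample of "leaked" unsalted MD5 records (the statement says the
# stolen hashes were MD5). Two passwords are in the wordlist; the third is not.
LEAKED_MD5: Dict[str, str] = {
    "alice@example.com": md5_hex("password"),
    "bob@example.com": md5_hex("yahoo2013"),
    "carol@example.com": md5_hex("correct horse battery staple"),
}


def crack_unsalted_md5(leaked: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Dictionary attack on unsalted MD5.
    Returns (account -> recovered password or None, number of hash operations).
    One MD5 per candidate word serves every account at once: with no salt the
    work is independent of the number of accounts, which is why a dump of a
    billion rows can be cracked in bulk."""
    table = {md5_hex(w): w for w in wordlist}
    return {acct: table.get(h) for acct, h in leaked.items()}, len(table)


def pbkdf2_record(pw: str, iterations: int) -> str:
    """Salted, iterated record in the form pbkdf2_sha256$iters$salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, pw: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(records: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """The same dictionary attack against salted PBKDF2.
    A per-account salt defeats the shared lookup table, so every account costs
    the whole wordlist, and each guess costs `iterations` HMAC evaluations
    rather than a single hash. Returns (results, HMAC operations performed)."""
    words = list(wordlist)
    found: Dict[str, Optional[str]] = {}
    ops = 0
    for acct, rec in records.items():
        iters = int(rec.split("$")[1])
        found[acct] = None
        for w in words:
            ops += iters
            if pbkdf2_verify(rec, w):
                found[acct] = w
                break
    return found, ops
```

The returned operation counts make the asymmetry concrete: seven MD5 computations recover every dictionary password in the MD5 dump regardless of how many accounts it holds, while the PBKDF2 records cost thousands of HMAC calls per account even with a tiny wordlist. Dwell time compounds this, since the attacker can keep running the fast case for as long as the breach stays undetected.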
Tyler Moffit, senior threat research analyst at Webroot, added that it’s a disgrace Yahoo had to rely on a third party to bring the breach to its attention.
“The fact that Yahoo has taken steps to secure user accounts is of little comfort. These accounts have been compromised for years and the sheer number of them means they have already been a large source of identity theft. No one should have faith in Yahoo at this point and this breach might very well affect the $4.8 billion Verizon deal,” he said.
“This latest Yahoo breach is huge on many levels. All of the data stolen, including emails, passwords and security questions, makes a potent package for identity theft. The main email account has links to other online logins and the average user likely has password overlap with multiple accounts.”
However, Ilia Kolochenko, CEO of web security firm High-Tech Bridge, struck a more pragmatic line, claiming that as the breach happened three years ago it’s unlikely to affect Yahoo customers today – unless someone makes the data public.
“The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes,” he added.