Wednesday, September 28, 2016

Yahoo Says Hackers Stole Data on 500 Million Users in 2014

Bob Lord (via Hacker News):

A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

Nicole Perlroth:

Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

[…]

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Via John Gruber:

Verizon, in midst of acquiring Yahoo, only found out about this two days ago.

Nick Heer:

The massive 2014 breach disclosed today by Yahoo is just one of three reported hacks from the past four years. As noted previously, there was also a 2012 breach of 200 million accounts, and Emptywheel has pointed to an individual account hacked earlier this year.

There’s something very unsettling about the way tech companies are responding to these big security breaches: none of them informed their users with anything resembling a sense of urgency.

Lloyd Chambers:

Yahoo stored unenencrypted user data, including all sorts of personal data that should be stored encrypted, but was not—gross security incompetence to maintain a dossier on every user.

Nicole Perlroth and Vindu Goel (via Melanie Ehrenkranz, Slashdot):

The 2014 hiring of Mr. Stamos — who had a reputation for pushing for privacy and antisurveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing its users’ privacy and security.

[…]

Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. […] Mr. Bonforte said he resisted the request because it would have hurt Yahoo’s ability to index and search message data to provide new user services.

[…]

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

[…]

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

Update (2016-09-30): Bruce Schneier:

I did a bunch of press interviews after the hack, and repeatedly said that “state-sponsored actor” is often code for “please don’t blame us for our shoddy security because it was a really sophisticated attacker and we can’t be expected to defend ourselves against that.”

Well, it turns out that Yahoo! had shoddy security and it was a bunch of criminals that hacked them.

Update (2016-10-03): Paul Szoldra (via Slashdot):

To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion.

Update (2016-10-04): Joseph Menn (Hacker News):

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

[…]

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Update (2016-10-11): Sarah Perez (Hacker News, Slashdot):

At the beginning of October, Yahoo disabled an email forwarding feature, which would allow users to automatically redirect incoming emails sent to their Yahoo address to another account.

Update (2017-01-23): Tim Hardwick:

Yahoo is under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner, according to The Wall Street Journal.

Update (2017-10-04): Chance Miller (Hacker News):

Yahoo today has disclosed that the 2013 hack initially thought to have affected 1 billion accounts actually affected all 3 billion of its user accounts. The company made the announcement in a filling with the SEC…

Nick Heer:

If you ignore the press release’s spin of what wasn’t stolen, you’ll notice that they omit what was: as acknowledged previously, that includes names, email addresses, MD5 hashed passwords, phone numbers, birthdates, and security questions and answers.

Update (2018-10-24): Mitchel Broussard:

In the settlement, Yahoo has agreed to put $50 million into a fund for victims of the breach, provide two years of credit monitoring from AllClear, and a few other benefits for victims. The settlement is still awaiting court approval.

3 Comments RSS · Twitter

[…] Previously: Yahoo Says Hackers Stole Data on 500 Million Users in 2014. […]

[…] Previously: Yahoo Says Hackers Stole Data on 500 Million Users in 2014. […]

[…] Previously: Yahoo Says Hackers Stole Data on 500 Million Users in 2014. […]

Leave a Comment