Yahoo Data Breach: What We Know Now
If you have been online in the past couple of days, you have likely seen something about a Yahoo data breach, whether it be a report hyping the announcement of the release or the release itself. This is shaping up to be the biggest known data breach and/or leak to date, surpassing MySpace, LinkedIn, Adobe, Dropbox, and Ashley Madison. The purpose of this post is to inform you of the facts and speculate as to the next steps and outcomes.
Yahoo Data Breach Timeline (not necessarily in order)
September 22, 2016
In the wee hours of the morning, recode announces that an insider close to the situation informed them that Yahoo would be releasing information related to a data breach that they have admittedly been investigating since the summer.
Read Yahoo’s Statement from their CISO here.
We find that the 200 million is really 500 million. Questions arise about whether the suspicion of a breach was disclosed to Verizon before the purchase agreement. Edit: It now appears as if Verizon was NOT aware of this breach until this week.
A hacker named Peace is giving Yahoo and Verizon anything but in terms of selling credentials “of 200 million Yahoo users from 2012 on the dark web for just over $1,800. (recode, 2016)
According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. (Motherboard, 2016)
Sometime in 2012
This is when Peace claims the data breach occurred.
Sometime in 2014
This is when Yahoo claims the data breach occurred.
I recall hearing about the leaks as it seemed when all the media and podcasters talked about this in August. I remember one had a realistic theory that Peace had compiled the list from other breaches. Because of the timing, it coincided with Dropbox and MySpace, so it was a logical deduction. I admittedly did not put much stock into the reports because it was was one of the lesser “sexy” breaches to talk about and research.
What is especially damning, as far as I can see, is that Yahoo CEO, Marissa Mayer may have known about the breach(es) during the negotiations for Verizon to purchase Yahoo. It was only this week that they were disclosed to investors, regulators, and Verizon this week according to CNBC and the Financial Times. This may not bode well for the soon-to-be sold company.
This can look really bad for several entities. First, Yahoo is already jumping on the “State Sponsored Hacking” bandwagon. I am not saying that it was or was not, I do not have enough information to do so. I am saying that releasing the information is not typically in the modis operandi for State Sponsored teams, less the speculation that Guccifer 2.0 is in fact Russian and is state sponsored and does release to Wiki Leaks.
According to Reuters (2016), “Steven Caponi, an attorney at K&L Gates with a practice including merger litigation, said that Yahoo’s breach could fall under the ‘material adverse change’ clause common in mergers allowing a buyer to walk away if its target’s value deteriorates and analysts are calling for a price decrease of $100 million to $200 million, depending on how many users leave Yahoo.”
Because of the scope of the breach, I foresee public confidence diminishing. Name, date of birth, security questions (for password reset – i.e. mother’s maiden name, favorite dog, etc.), possibly addresses and phone numbers; all these could have been compromised. They sound like ingredients to an identity theft cocktail or as USA Today calls them, “fullz.”
I have not found many technical details of how this happened yet. Therefore, I cannot form many conclusions that are of value to the topic at hand. I can say that one conclusion I draw is that we should prepare to see a mass exodus from Yahoo. I had a Yahoo account, but chose to terminate it yesterday, not because of this breach, but because I do not use it anymore. This reduces my attack surface and the possible accounts that can tarnish my name/reputation if compromised. I would not have thought/remembered to do so had it not been for this breach.
As always, if you think you may have been breached change your password. Consider changing all your passwords and determine if you’d be better off using a password manager like 1Password or LastPass. 2 Factor Authentication (2FA) and alternative authentication (i.e. Clef) are also viable options. Read my password blog here or here for more information about passwords.
You can also check haveibeenpwned.com to see which dump(s) your email address(es) are in, if any.
Be sure to check back as we are going to try and follow this story to see how it plays out.
Announcements and Resources
SANS Mentor Session
Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling
Joe will be leading a SANS Mentor session for Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling, which is the class that corresponds to the GIAC Certified Incident Handler (GCIH) certification. The dates are October 27 -December 15 from 6-9 PM (Eastern Time). Location is TDB. If your organization wants to host the training, email Joe and you can receive a discount. Sign up before September 29 and get a discount and a free attempt at GCIH. https://www.sans.org/mentor/class/sec504-atlanta-27oct2016-joe-gray
Other APS Posts
Most of What You Need to Know: Wi-Fi
Cybersecurity & the US 2016 Presidential Election
Most of What You Need to Know: Passwords
Change Your Email Password Now!
Qatar Bank Breached After Bangladesh
Bangladesh Bank Loses 80 Million USD
Ransomware Infects Android 4.x
Spotify Allegedly Hacked…Again
MedStar Health Cybersecurity Fails to Prevent Attack
Ransomware Locks MBR
Iranian hackers hit with Federal charges
Spear Phishermen Target Corporate W-2 Data
4 Things to Know About Ransomware
Ransomware Hits Mac Computers
Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.