Yahoo’s 2013 Breach Triples: 3 Billion Now Affected

The August 2013 breach of one billion Yahoo customer accounts is far worse than at first thought: the firm’s new owner claimed yesterday that it actually compromised all Yahoo users at the time, three billion in total.

A short update from Oath, a new media and tech firm formed by Verizon as the parent company for Yahoo and AOL, claimed the statement was based on “new intelligence” and the help of outside forensic experts.

Once again, the compromised information didn’t include passwords in clear text, payment card data, or bank account information.

However, it may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using crackable MD5) and, in some cases, encrypted or unencrypted security questions and answers.

That’s a treasure trove of information for fraudsters looking to launch follow-on scams and identity fraud.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Verizon CISO. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

Venafi chief security strategist Kevin Bocek said the revelations weren’t surprising and argued that the attackers most likely “exploited a blind spot in Yahoo’s encrypted tunnels”.

He said Venafi Labs found multiple security issues, including: use of the brute-forceable MD5 hashing function to ‘protect’ Yahoo digital certificates; use of the insecure SHA-1 function to protect 41% of external certificates; and over a quarter (27%) of external certificates that had not been reissued since January 2015, potentially allowing attackers to maintain access to encrypted communications.

“This access would allow the perpetrators to empty the bank vault without anyone noticing,” Bocek argued.

“Unfortunately, Yahoo’s cryptography practices are not unusual. Undetected exfiltration of large amounts of data is a symptom of weak cryptography practices. We see this in nearly every major data breach.”

Although many Yahoo users would not have used the service as their primary account, the figures are still astonishing and could add to the scores of class action lawsuits already facing new owner Verizon.

Some 500 million Yahoo accounts were also compromised in a separate 2014 breach disclosed in September 2016. It’s not known if the two were linked, although the 2014 incident is thought to have been the work of state-sponsored actors.
