On December 14, 2016, Yahoo posted a Security Notice announcing that over 1 billion Yahoo user accounts were breached in August, 2013. This data breach is separate, although possibly linked, to the September 22, 2016 state-sponsored breach that affected 500 million people. The repercussions of this data breach are wide-reaching and promise to be long-lasting.
Yahoo announced that an unauthorized third party breached the data files of 1 billion Yahoo users, with names, email addresses, telephone numbers, dates of birth, hashed passwords and some encrypted / unencrypted security questions and answers. Although the breach did not include patent data or clear-text passwords, the volume of information breached nonetheless puts 1 billion Yahoo users at risk. The reality is, these users have been at risk for three years already and the damage will only cascade from there.
The data could be used to target individuals with phishing attacks, particularly when boosted with other breached data. As Absolute’s Richard Henderson notes to Tech Target’s Search Security, the situation becomes even more dire if these password hashes are broken. And they likely will be, given the vulnerabilities with MD5 hashes.
"Things get dicey when we look at the longstanding problem of password reuse. If the billion password hashes have been broken, then that provides a ton of ammunition for attackers to attempt to get into other accounts belonging to the same target. Organizations watching these developments should be taking the time to thoroughly review how they are storing passwords themselves. If they're not storing hashes appended with a long enough random salt -- and it needs to be a unique salt per user -- then they need to get on top of that right away."
Both Yahoo breaches are associated with state-sponsored attacks, leading to risks beyond just fraud or identity theft; there have already been examples of people whose personal safety have been put at risk, likely as the result of this breached data. It is also not unrealistic to expect the hashes to break, exposing 1 billion passwords.
Although Yahoo is taking steps to require users to change their passwords and security questions (a step they overlooked with the first breach), it’s a situation of too little, too late. These passwords have been out in the wild for three years, with the potential damage already done. It is likely the problem of password reuse will lead to a whole cascade of future data breaches that will be discovered in the short and long term.
Organizations, even those who invest heavily in security technology, often lack the visibility or controls around encryption to detect the movement of encrypted traffic, making a breach such as this one very difficult to detect. Although Yahoo will be faced with years of litigation and fines associated with the breaches of 2016, and may lose footing in its deal with Verizon, the costs of this breach will be borne by individuals and by other organizations.
While there are tools you can use to compare the breached passwords to user passwords, to weed out any accounts that may be compromised, organizations need to look beyond simply having users update their passwords. As was put forth by Philip Lieberman, “if you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security,” the takeaway being that organizations could assume that the Yahoo breach may have led to breaches in their own organization. As the Yahoo breach demonstrated, even looking for irregularities may not uncover a breach of this sort easily, so we predict that this is not the last we’ll hear about the Yahoo breach.