Yahoo Faces Loads Of Questions After It Is Revealed That It Was Hacked Two Years Ago
Yahoo has confirmed that it was hacked in 2014, but its statement leaves a gaping hole in our knowledge and a number of pressing questions unanswered. The idea that the personal data of approximately half a billion users was stolen by ‘state-sponsored’ hackers raises plenty of them on its own. According to the details released so far, the stolen data included names, email addresses, phone numbers and security questions. Passwords were also taken, but because they were stored in ‘hashed’ form they could not be immediately reused. The company believes that financial information was not affected.
The breach was confirmed on Thursday night, but the statement and the notification sent to customers afterwards raised many questions. The biggest is why disclosure took so long, measured both from the date of the intrusion and from the first appearance of the dumped data on the dark web about two months ago. The interesting detail is that the data was being sold by a user known as ‘Peace of Mind’, the same seller who offered the MySpace and LinkedIn data. According to Jeremiah Grossman, head of security strategy at infosec firm SentinelOne, “While we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.”
Grossman ran information security for Yahoo until 2001 and has some pointed views on this particular ‘state-sponsored’ attack. He said the claim has to be examined in greater detail: if the attackers were indeed state sponsored, why was the data put up for sale? He said, “State-sponsored adversaries don’t typically publicly share stolen data or sell it, like profiteer hacker ‘Peace of Mind’. Peace of Mind was all about selling stolen Yahoo account data, so it’s unlikely he was state-sponsored. And if so, this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”
Chris Hodson, EMEA chief information security officer at enterprise security firm Zscaler, seems to agree with Grossman on this point:
“With no technical details included in Yahoo’s report about how the data was exfiltrated, just that it was, it’s impossible to assess credibility of the ‘state sponsored’ claim. It might well be that Yahoo has had support from government departments and that attribution has been possible but equally, ‘state-sponsored’ is often prefixed to ‘actor’ in an effort to suggest sophisticated and surreptitious means of data exfiltration. We simply do not know.”
What happened to those passwords?
The questions and confusion don’t end here. We still aren’t sure how well the stolen passwords were protected. The company has said they were ‘hashed’ and hence secure. For readers who aren’t sure what hashing is: it is a one-way transformation that lets a site check whether an entered password is correct without ever storing the password itself. Yahoo further added that ‘the vast majority’ were hashed using ‘bcrypt’. bcrypt is a deliberately slow hash that mixes a random per-user ‘salt’ into every entry, so two users with the identical password still have different values in the database. That means an attacker holding the dump cannot see at a glance that thousands of accounts share the password ‘password’, and cannot crack them all with one precomputed lookup. What bcrypt does not do is turn a weak password into a strong one: ‘password’ will still fall to a patient dictionary attack, just one account at a time rather than all at once. And ‘the vast majority’ is not all of them. What about the remaining passwords, which were protected with something weaker, or possibly not hashed at all?
Security questions and Mergers. What’s next?
Another problem has been highlighted, and it is far more troubling. The ‘security questions’ that let us reset our passwords after confirming our first pet’s name or our mother’s maiden name seem not to have been encrypted at all; many answers are readable in plain text. We can change our passwords, but how do you change your mother’s maiden name?
After all this, many people are wondering what will happen to Yahoo’s multi-billion dollar sale to Verizon. According to Kevin Cunningham, president and founder of identity company SailPoint, the breach should already have been priced into the deal if Verizon’s due diligence was thorough. He said:
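To make concrete what ‘hashed’ buys and what it does not, for both the passwords discussed above and the plain-text security answers just mentioned, here is an added illustration that is not Yahoo’s code and makes no claim about how Yahoo actually stored anything. bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for the same design (a random per-user salt plus a deliberately expensive work factor). The user records and the attacker wordlist are constructed for the demo; the iteration count is kept low so it runs quickly.

```python
"""Unsalted fast hash vs salted slow hash, for passwords and security answers.

Added illustration, not Yahoo's code. PBKDF2-HMAC-SHA256 stands in for bcrypt:
both use a random per-user salt and a tunable work factor.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; alice and bob chose the same weak password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "cQ7!rmVz-48pLw#e",   # long random password
}
# Constructed attacker wordlist of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 20_000  # work factor; deliberately low so the demo is fast


def unsalted_fast_hash(secret: str) -> str:
    """The weak way: plain MD5, no salt. Equal inputs give equal digests."""
    return hashlib.md5(secret.encode()).hexdigest()


def salted_slow_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """The bcrypt-style way: random salt + expensive KDF, stored as one string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(secret: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db(hash_fn) -> dict:
    """Simulate the leaked credential table under a given storage scheme."""
    return {user: hash_fn(pw) for user, pw in USERS.items()}


def users_sharing_a_hash(db: dict) -> list:
    """Users whose stored value equals another user's. Only the unsalted
    table leaks this, and it is exactly what makes weak passwords stand out."""
    groups: dict = {}
    for user, h in db.items():
        groups.setdefault(h, []).append(user)
    return sorted(u for g in groups.values() if len(g) > 1 for u in g)


def crack_unsalted(db: dict) -> dict:
    """One digest per wordlist entry cracks every user who chose that word."""
    table = {unsalted_fast_hash(w): w for w in WORDLIST}
    return {u: table[h] for u, h in db.items() if h in table}


def crack_salted(db: dict) -> dict:
    """The salt forces one KDF run per (user, guess). Slower, but a weak
    password still falls: the slow hash buys time, it does not fix passwords."""
    return {u: w for u, stored in db.items()
            for w in WORDLIST if verify_salted(w, stored)}


def normalise_answer(answer: str) -> str:
    """Security answers are free text; fold case and whitespace so that
    'Fluffy ' and 'fluffy' both verify, then hash them like a password."""
    return " ".join(answer.lower().split())


def store_security_answer(answer: str) -> str:
    return salted_slow_hash(normalise_answer(answer))


def verify_security_answer(answer: str, stored: str) -> bool:
    return verify_salted(normalise_answer(answer), stored)


if __name__ == "__main__":
    print("unsalted collisions:", users_sharing_a_hash(build_db(unsalted_fast_hash)))
    print("salted collisions:  ", users_sharing_a_hash(build_db(salted_slow_hash)))
    print("cracked (salted):   ", crack_salted(build_db(salted_slow_hash)))
```

Run it and the unsalted table shows alice and bob colliding while the salted one shows nothing, yet the dictionary attack recovers both of their passwords either way; the salt and work factor only make the attacker do one derivation per account per guess. The same routine applied to security answers is the difference between a recovery answer that can be read straight out of a dump and one that at least has to be guessed.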
“Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base. The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls. It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”
For Yahoo account holders many of these questions are academic. The practical advice is to change your Yahoo password and security questions as soon as possible and, if you reused the same password or the same answers anywhere else, to change them there as well. Keep in mind, too, that if your Yahoo address is the recovery address for other services, whoever controls that mailbox can request password resets for those services; treat those accounts as exposed and secure them accordingly.