Hacker stole data from 500m Yahoo users

Posted on September 22, 2016

A “state-sponsored actor” stole names, email addresses and some security information from more than 500m Yahoo users, the internet company said on Thursday, making it one of the biggest data breaches ever.

With more than 1bn monthly active Yahoo users in 2014 when the hack took place, the incident affected more than half of the company’s total audience. The disclosure comes as Yahoo is in the midst of finalising the sale of its core internet business to Verizon, the communications group, for $4.8bn.

Yahoo started investigating the breach after it was first revealed in August, and its internal audit has found that even more people were affected than previously thought.

Some 200m Yahoo user records have been offered for sale on underground marketplaces over the summer, prompting criticism from some in the security industry that Yahoo was responding too slowly to the breach.

In an emailed comment, Verizon said it was notified of the security breach two days ago.

“This is one of the largest breaches in history. While it’s not on the same magnitude as [the US Office of Personnel Management] because of the nature of the data, it’s a watershed moment in security,” said Kenneth White, a security researcher and director of the Open Crypto Audit Project.

The Yahoo breach preceded a spate of high-profile hacking attacks last year including the US government’s Office of Personnel Management, in which intimate details from 22m people’s background checks were stolen, and the exposure of 37m users of Ashley Madison, a site for conducting extramarital affairs.

Yahoo said that the account information taken from its network “may have included” names, email addresses, telephone numbers, dates of birth and passwords that were masked by a security technique known as hashing. However, some security consultants said Yahoo’s password protections were dated and inadequate.

Potentially more damaging is its disclosure that “encrypted or unencrypted security questions and answers” may also have been compromised, which could give hackers the ability to break into those users’ other online accounts using personal information such as maiden names, memorable dates and pets’ names.


Financial information such as bank account and credit card details were not stolen, Yahoo added. “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the Silicon Valley-based company said. “Yahoo is working closely with law enforcement on this matter.”

The news gave a boost to several information security stocks, including FireEye which was up 4.9 per cent and Palo Alto Networks, up 1.8 per cent.

Yahoo said it was notifying potentially affected users, resetting their passwords and invalidating their security questions.

In a statement, the FBI said it was “aware of the matter”. “We have regular contact and good working relationships with our private sector partners and the compromise of public and private sector systems is something we take very seriously,” the agency said. “The FBI will continue to investigate and hold accountable those who pose a threat in cyber space.”

Yahoo’s passwords were protected using a method known as an MD5 hash, which security experts have criticised as being weak and easily compromised.

“This methodology is extremely dated and we wouldn’t expect any modern, responsible companies, let alone a large internet corporation like Yahoo, to still be using it,” said Dave Palmer, director of technology at cyber security company Darktrace, which counts BT and Drax Power as clients.

The leaked data seemed to have been identified on the dark web in June, when a listing claiming to have 200m Yahoo user accounts appeared online. The listing was added by a hacker going by the name Peace and was priced at three bitcoin, equivalent to $1,860. However, despite the hacker’s record of posting genuine data, Yahoo has not confirmed whether the details being sold belonged to its users.

“The listing description contained 586 rows of data provided as a sample, each of which contained a username, date of birth and unsalted MD5 password hash. Some but not all of the rows also included email addresses,” said a spokesperson from Digital Shadows, a British cyber security firm.
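The “unsalted MD5” detail in that description is what makes a leaked table of this kind so damaging: an unsalted hash is deterministic, so every user who chose the same password carries the identical hash, and a precomputed table of common passwords applies to the whole leak at once. The snippet below is an added illustration, not code from the article, from Yahoo or from Digital Shadows. It builds a few constructed records in the shape the sample rows are described as having, shows how identical passwords become visible across users under unsalted MD5, and contrasts that with per-user salted PBKDF2 from Python’s standard library, where the same password yields a different stored value for every user. All usernames, passwords and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (invented for this example, not leaked data).
# Two users share a password, which is the case an unsalted hash exposes.
SAMPLE_PASSWORDS = {
    "alice": "sunshine1",
    "bob": "sunshine1",      # same password as alice
    "carol": "Tr0ub4dor&3",
}


def md5_unsalted(password: str) -> str:
    """Unsalted MD5 as described in the listing: same input, same output, for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_password_groups(records: dict) -> list:
    """Group usernames whose stored hashes are identical.

    With unsalted hashes the grouping is exact: recovering one member's
    password recovers every account in the group. With per-user salts this
    grouping is impossible, which is the defensive point of salting.
    """
    by_hash = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Store a password the way a modern service should: random per-user salt
    plus a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here).
    The iteration count is an assumption for the demo; pick it per deployment.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


if __name__ == "__main__":
    legacy = {user: md5_unsalted(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    print("unsalted MD5 records:", legacy)
    print("users sharing a hash:", duplicate_password_groups(legacy))

    modern = {user: pbkdf2_record(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    print("salted PBKDF2 records:", modern)
    # alice and bob still share a password, but nothing in the table reveals it.
    print("users sharing a hash:", duplicate_password_groups(
        {u: r["hash"] for u, r in modern.items()}))
    print("alice verifies:", verify_pbkdf2("sunshine1", modern["alice"]))
```

Run it and the first grouping lists alice and bob together, because their unsalted MD5 digests are byte-for-byte identical; the second grouping is empty even though they still share a password, and login still works through `verify_pbkdf2`. Salting alone would not have made MD5 acceptable in 2014, since it remains fast enough to brute-force per account; the slow, iterated derivation is the other half of the fix.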

Verizon said on Thursday: “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in a position to further comment.”

Yahoo’s shares were broadly flat following the disclosure, suggesting investors are not too worried about its impact on the Verizon deal. If it were to fall through, regulatory filings show that Yahoo would have to pay Verizon almost $145m in break fees.

Additional reporting by David Crow and Pan Kwan Yuk.
