Yahoo is in deep trouble as the company discovered another cyber-security breach, which is believed to have compromised over one billion accounts. For the record, the 2013 hack of Yahoo is the biggest ever data breach by number of accounts involved. In November this year, Yahoo had admitted in a filing with the US Securities and Exchange Commission (SEC) that some of its staff knew about a possible 2014 hacking. However, the company first disclosed a data breach on 22 September, 2016.
Now it looks like a bigger security incident took place in 2013 with over one billion accounts being compromised. So what exactly is this latest data breach all about and what does it mean for a Yahoo user? Here’s what is known so far.
When did the data breach occur? Why did they just discover it?
In November, Yahoo had said that it was still analysing the data files it got from law enforcement agencies, which a third party claimed was all Yahoo user data. The SEC filing had noted that in “late July 2016, a hacker claimed to have obtained certain Yahoo user data.” Yahoo itself was not able to verify this, and instead broadened its review of its data network and security.
The results are now in, and according to Yahoo it was indeed their user data. Worse, an analysis of the data by forensic experts confirmed that “an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.” In an official blogpost on Yahoo’s Tumblr account, Bob Lord, who is Yahoo’s Chief Information Security Officer, said they have still not been able to “identify the intrusion associated with this theft.”
Yahoo also thinks this incident is different from the one they reported in September.
On the basis of what has been revealed it is fair to say that Yahoo’s network was breached twice; once in 2013 with one billion accounts affected, and the second time in 2014 with 500 million accounts affected. What is not confirmed is if it was the same hacker or state-sponsored actor in both cases.
So how serious is the data breach from Yahoo?
Based on the company’s revelations, information stolen includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” Basically everything that was there protecting a Yahoo account is gone, along with every possible bit of information the hackers could have gleaned from the database.
However, Yahoo says the “investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.” For now, Yahoo says it does not think that the system in which “payment card data, bank account information” was stored is affected. But given that Yahoo is just discovering a 2013 data hack, this is hardly reassuring.
What else has been impacted?
The news doesn’t get better for Yahoo. In the SEC filing, Yahoo had said forensic experts from outside the organisation were looking into whether the hacker had created forged cookies. These cookies would have given the hacker unfettered access to a user’s account, without the need for a password. Yahoo confirms that some “unauthorized third party” has indeed got access to their “proprietary code to learn how to forge cookies.”
According to Yahoo’s latest post, “the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
So what is Yahoo doing now?
It has started notifying affected account holders. It has also rendered the forged cookies invalid. Yahoo thinks this hacking is also linked to the same state-sponsored actor that was responsible for the data theft revealed in September 2016, but has not confirmed it for sure.
As a Yahoo user, what should you do?
Yahoo will alert potentially affected users. Password change is mandatory. Yahoo has also “invalidated unencrypted security questions and answers.” If you were keeping the same security question for your Yahoo account and your Gmail or Outlook, it is time to change those. The information may no longer be safe.
Also review any suspicious logins for your Yahoo account. Don’t click on emails or links asking for personal information on behalf of anyone, including someone claiming to be from Yahoo. This could be a phishing attempt. If you feel that your data can’t be kept safe anymore, then you can consider closing your account, but remember some data might have already been compromised.
So what next?
According to Yahoo, this is still an ongoing investigation and “final conclusions” may differ as the company might find new information. Given how the 2014 data breach of 500 million accounts has now been overshadowed by the 2013 breach of over one billion accounts, there’s a chance that Yahoo will discover more issues. Yahoo has not confirmed whether they’ve managed to fully secure their systems.