500 million end users affected by suspected state-sponsored attack on Yahoo network

Multinational technology company Yahoo has reported that a massive attack on its network in 2014 allowed hackers to steal data from no less than half a billion users. Yahoo, which confirmed details of the breach months after reports of a major hack, said its investigation had concluded that “certain user account information was stolen” and that the attack emanated from what it believes is “a state-sponsored actor.”

A statement issued by the US Internet giant reads: “Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen. Yahoo is working closely with the law enforcement community on this matter.”

The comments follow on from a report published earlier this year quoting a security researcher who said that some 200 million accounts may have been accessed and that hacked data was being offered for sale online.

Yahoo has reported that the stolen information may have included names, e-mail addresses, birth dates and scrambled passwords along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.

While there’s no official record of the largest breaches, many analysts have referred to the MySpace hack revealed earlier this year as the biggest episode to date, with 360 million users allegedly affected.

Ammunition for the hackers

Computer security analyst Graham Cluley has suggested the stolen Yahoo data “could be useful ammunition for any hacker attempting to break into Yahoo accounts, or those interested in exploring whether users might have employed the same security questions or answers elsewhere on the web in a bid to protect themselves.”

Cluley noted that, while Yahoo said that it believes the hacking episode was state-sponsored, the company has provided no details regarding what makes it think this to be the case. “If I had to break the bad news that my company had been hacked, I would feel much happier saying that the attackers were ‘state-sponsored’ rather than teen hackers,” observed Cluley.

Silicon Valley-based Yahoo has stated that the stolen data did not appear to include unprotected passwords or information associated with payments or bank accounts. Yahoo is asking affected users to change their passwords, and recommends that anyone who hasn’t done so since 2014 should take the same action as a precaution.

Users of Yahoo online services are urged to review their accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matches that used for Yahoo.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” said Yahoo in its official statement. “Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”

Deal with Verizon

Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core Internet business to telecoms giant Verizon for $4.8 billion, thereby ending its two-decade long spell as an independent company.

Corey Williams, senior director of products and marketing at Centrify, told Risk UK: “Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back. Since this breach occurred in 2014 and appears to have been neither properly communicated nor handled, it may very well give Verizon an ‘out’ or, at the least, a reason to renegotiate the deal.”

Williams added: “This is less a story about 500 million user accounts being stolen, and more one about how lax security and poor handling of incidents can impact the very existence of a company. The stakes for properly securing access to corporate resources and handling security incidents couldn’t be any higher.”

Jes Breslaw, director of strategy for EMEA at Delphix, has also commented on the importance of embedding strong data security into everyday practices.

“Time and time again, we’ve seen the wide-ranging implications of a data breach,” outlined Breslaw. “Consumer confidence takes a hit, reputations are left in tatters and fingers are pointed at those in charge of safeguarding the organisation from attack. Yet, despite the growing number of global scandals, our research shows that only a quarter of data in the UK is masked.”

Breslaw added: “Traditionally, organisations are very good at taking measures to protect data in their production systems, such as their websites, but neglect to protect the sensitive information held in their non-production environments where IT testing and development happens. In what’s an evolving threat landscape, data conscious organisations need to ensure that data security is embedded into everyday practices. What’s required is an irreversible process that obfuscates personal information, but ensures that dummy data is still available such that organisations can prioritise security while also ensuring development processes continue unhindered.”

In conclusion, Breslaw told Risk UK: “Embracing new technologies, including those that combine data virtualisation with data masking, ensures that organisations can ‘pseudonymise’ data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business against costly data breaches and ensure compliance while improving agility and time-to-market.”
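As an added illustration of the “irreversible process” Breslaw describes (example code written for this article, not Delphix’s product or anything from the original page): a keyed, one-way pseudonymisation of a constructed customer table before it is copied into a test or development environment. The field names, sample records and key are assumptions; the key is meant to live only in production, so a non-production copy cannot be reversed even with full access to the masked data.

```python
import hashlib
import hmac

# Constructed sample records standing in for a production user table (not real data).
PROD_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "security_answer": "Rex"},
    {"id": 2, "name": "Bob Example",   "email": "bob@example.org",   "security_answer": "Rex"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com", "security_answer": "Fluffy"},
]


def pseudonymise_value(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed one-way token for a field value.

    HMAC-SHA256 is deterministic, so the same (field, value) pair always yields the
    same token: joins and test fixtures keep working across every masked copy.
    The field name is mixed into the input so the same string in two different
    columns (e.g. a name that is also a security answer) does not produce the
    same token, which would leak a correlation. Without the key the token cannot
    be linked back to the original value.
    """
    message = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:length]


def mask_email(key: bytes, email: str) -> str:
    """Replace the mailbox and domain with tokens under a reserved, undeliverable TLD."""
    local, _, domain = email.partition("@")
    return (f"{pseudonymise_value(key, 'email_local', local)}"
            f"@{pseudonymise_value(key, 'email_domain', domain, 8)}.invalid")


def mask_record(key: bytes, record: dict) -> dict:
    masked = dict(record)  # ids are left intact so referential integrity survives
    masked["name"] = "user-" + pseudonymise_value(key, "name", record["name"])
    masked["email"] = mask_email(key, record["email"])
    # Security answers have no use in a test system; suppress rather than tokenise them,
    # since a deterministic token of a low-entropy answer could still be guessed offline.
    masked["security_answer"] = None
    return masked


def mask_dataset(key: bytes, records: list) -> list:
    """Apply the same masking policy to every record, giving a consistent non-prod copy."""
    return [mask_record(key, r) for r in records]


def leaks_original(original: dict, masked: dict) -> bool:
    """Check that no original personal value survives verbatim in the masked record."""
    sensitive = [original["name"], original["email"], original["security_answer"]]
    rendered = " ".join(str(v) for v in masked.values())
    return any(s in rendered for s in sensitive)
```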

200 million records offered for sale

Also commenting at length on the Yahoo data breach, Joe Hancock (cyber security lead at Mishcon de Reya) stated: “This is a huge loss of 500 million records which has gone seemingly undetected for over 18 months. 200 million records have been offered for sale since August, and may have come from a previous data breach. Attributing this breach to a state actor is unusual, as such a large data set would usually be targeted by criminals. Yahoo has moved quite slowly to confirm the breach, and indeed to put protective options in place, although the sheer scale of the data lost here is hard to comprehend.”

Following that theme, Hancock opined: “The release is likely to increase the use of the stolen credentials for other online services, or where a similar password has been used. The fact that security questions and answers were lost is also concerning, as they’re often common to many services. It’s hard to remember to change your mother’s maiden name or that of your first pet. There are likely to be more historical breaches coming to light in this manner, although they may not be attached to such a large brand.”

Hancock explained that, after the well-publicised 2013 data breach at Target, legal claims ran into millions of dollars and continued for several years. In the case of the TalkTalk breach, the company’s share price fell by 11.5% before recovering. “Breaches like this hit a business’ balance sheet.”

Mark Skilton, a Professor of Practice at Warwick Business School and an expert on cyber security, has issued a statement. “While it’s not a surprise to hear the magnitude of users that have been ‘corporate hacked’ – after all, the rise of the digital business means everyone is more or less online these days – what’s shocking is the date, 2014, and the sense of resignation that some may have to the event. This is far too late for professional cyber security risk management, and certainly from the organisational practices inside a company like Yahoo! that one would expect. The other factor is the legal impact for Yahoo from the reputational damage and liability in losses for customers. This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo.”

Lateness of attack discovery

According to Skilton, the lateness of the attack discovery, together with the indication that it was a Government state-sponsored attack, suggests either a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo’s internal security practice.

“Either way, serious questions on internal checking of data breaches must be addressed. There will be a significant internal review in Yahoo and Verizon to develop a turnaround plan for this hack, but it also suggests a need for a stronger Government and industry role to increase cyber protection in the light of the rise in more stealth attacks.”

Skilton added: “The infamous Russian bank stealth attack exhibited a similar ‘slow burn’ from an undetected stealth attack that resulted in an estimated one billion Euro loss from several banks. This Yahoo situation isn’t at that level of financial loss, but the impact and rise of huge cyber attacks will undoubtedly demand stronger cyber responses.”

Response from the Information Commissioner’s Office

UK Information Commissioner Elizabeth Denham has issued a statement on the Yahoo attack. “The vast number of people affected by this cyber attack is staggering,” suggested Denham, “and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but in the meantime it’s our job to ask serious questions of Yahoo on behalf of British citizens.”

The Information Commissioner also said: “We don’t yet know all the details of how this hack happened, but there’s a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key, and that key must be impossible for hackers to find.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
