Yahoo hit by another massive data breach, this time affecting 1 billion accounts

December 15, 2016 |

It would be fair to say that 2016 has been an annus horribilis for Yahoo. In September it announced a data breach, stretching back to 2014, which affected 500 million accounts. Today it announced a breach which occurred a year earlier, in August 2013. The information taken includes names, dates of birth, hashed passwords and some security questions and answers. It is a disastrous development for Yahoo users and will be another blow to an organisation that has been struggling for some time. Apart from the immediate reputational damage, the regulators will not be far behind.

All of this highlights the need for proper, up-to-date data security measures, and for processes that detect breaches after they have occurred.

The announcement provides:

SUNNYVALE, Calif.–(BUSINESS WIRE)– Yahoo! Inc. (NASDAQ:YHOO) has identified data security issues concerning certain Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement.

As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.

Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

Yahoo encourages users to review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo recommends using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether. 

That has been accompanied by extensive reporting, such as the Guardian’s Yahoo hack: user information stolen in breach of 1bn accounts, which provides:

Yahoo said on Wednesday it had discovered another major cyber attack, saying data from more than 1bn user accounts was compromised in August 2013, making it the largest such breach in history.

The number of affected accounts was double the number implicated in a 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government.

“An unauthorised party” broke into the accounts, Yahoo said in a statement posted on its website. The company believes the hacks are connected and that the breaches are “state-sponsored”.

The hackers used “forged ‘cookies’” – bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit, wrote Yahoo’s chief information security officer, Bob Lord. The cookies “could allow an intruder to access users’ accounts without a password” by misidentifying anyone using them as the owner of an email account. The breach may be related to theft of Yahoo’s proprietary code, Lord said.

The company began to suspect the breach in November, when law enforcement approached the company with what a third party claimed was “user data;” Lord’s post suggests that the data included forged cookies.

“For years I have been urging friends and family to migrate off of Yahoo email, mainly because I watched for years as the company appeared to fall far behind its peers in blocking spam and other email-based attacks,” wrote security researcher Brian Krebs as news of the attack broke. “I stand by that recommendation.”

Yahoo said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

After Yahoo revealed the smaller – but still historic – security breach in September, six US senators sent Yahoo a letter demanding the company reveal exactly when it had learned of the intrusion. Vermont senator Patrick Leahy, ranking member of the senate judiciary committee, called for a hearing; no hearing has been scheduled thus far.

The senators, including Leahy, said they were “disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” The six legislators found the revelation that “millions of Americans’ data may have been compromised for two years” to be “unacceptable.”

The company is being acquired by Verizon for $4.8bn but the sale has not been an easy one. In October, a report revealed that the company had cooperated with the NSA to scan users’ emails for keywords on behalf of the agency.

A Verizon lawyer, Craig Silliman, said that the September breach had clearly damaged Yahoo’s value and hinted that the damage ought to be reflected in the buying price. “I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact,” Silliman told reporters in October. “If they believe that it’s not, then they’ll need to show us that.”

Email breaches remain especially vexing to users, since they can reveal bank and family details as well as passwords that users share between systems or have received in their email accounts. Password-sharing has become so common that databases of login information are often used by hackers to test for email-and-password combinations on retailer websites like Walmart or Amazon.

Payment card data and bank account information were not stored in the system believed to be affected, the company said. Yahoo is notifying all the users affected and asking them to change their passwords. Yahoo owns assets far beyond its popular webmail service and its news site: other properties include blogging platform Tumblr and photo-sharing site Flickr, as well as Yahoo Finance.
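The forged-cookie problem described above comes down to how a site proves a cookie was issued by its own servers. The following is an added illustration, not Yahoo's code or the Guardian's: it assumes a simple session cookie of the form `user|expiry|mac`, authenticated with an HMAC under a server-side key. Knowing the cookie format (for example from stolen source code) is not enough to mint a valid cookie unless the key is also obtained, and rotating the key invalidates every cookie issued under the old one, which is the kind of mass invalidation the statement refers to.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key. In a real deployment the key lives outside the
# code base (a secrets store or HSM); if it is embedded in the source, then
# a theft of "proprietary code" is also a theft of the key.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(user_id: str, key: bytes, ttl_s: int = 3600,
                now: Optional[int] = None) -> str:
    """Issue a session cookie 'user|expiry|mac'; the MAC covers user and expiry."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_s}"
    return f"{payload}|{_mac(payload, key)}"


def verify_cookie(cookie: str, key: bytes,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, expiry, mac = parts
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, _mac(f"{user_id}|{expiry}", key)):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return user_id


def cookie_under_other_key(user_id: str, now: int) -> str:
    """A cookie built by someone who knows the format but holds a different key."""
    return mint_cookie(user_id, secrets.token_bytes(32), now=now)


def rotate_key() -> bytes:
    """Issue a fresh server key; cookies signed under the old key stop verifying."""
    return secrets.token_bytes(32)
```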
