Screengrab: Pixabay, geralt

The Facts —

  • Yahoo, which was acquired by Verizon in June, confirmed on Tuesday that all 3 billion Yahoo accounts in existence with the company in August 2013 were affected by data theft that occurred at the time by “an unauthorized party.”
  • The company made the announcement through an account security website that it originally set up in December 2016, meant to inform those people initially thought to have been affected by the data theft.
    • The theft affected all email, Tumblr, Fantasy, and Flickr accounts, according to CNN.
  • The account security website, as updated, said:

“On December 14, 2016, Yahoo announced that, based on its analysis of data files provided by law enforcement, the company believed that an unauthorized party stole data associated with certain user accounts in August 2013. In addition to posting a public notice on its website and issuing a press release, Yahoo notified the users it had identified at that time as potentially affected. We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected. We are now notifying the additional user accounts…

Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.”

  • Yahoo said that the following user data may have been compromised in the August 2013 data theft:

“[N]ames, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

    • Yahoo explained “hashed” passwords as follows:

“Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters. As such, passwords that have been hashed can’t be reversed into the original plain text password. At the time of the August 2013 incident, Yahoo used MD5 to hash passwords. Yahoo began upgrading password protection to bcrypt in the summer of 2013. Bcrypt is a password hashing mechanism that incorporates security features, including salting and multiple rounds of computation, to provide advanced protection against password cracking.”
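To make the quoted distinction concrete, here is an added example (not Yahoo's code) that contrasts the unsalted MD5 scheme with a salted, multi-round scheme. It uses the standard library's PBKDF2-HMAC as a stand-in for bcrypt, since both add a per-user salt and many rounds, and the account data is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real Yahoo data): two users share a password.
SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def md5_unsalted(password: str) -> str:
    """Yahoo's August 2013 scheme: one fast MD5 over the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Stand-in for bcrypt using stdlib PBKDF2-HMAC-SHA256: a per-user salt
    plus many rounds, the two properties the quote attributes to bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password: str) -> dict:
    """What a migrated password store holds: a random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def shared_hash_groups(hashes: dict) -> int:
    """Count distinct hash values that more than one user shares. With unsalted
    MD5 every reuse of a password is visible in the dump, so one precomputed
    lookup for a common password exposes every account that uses it."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_schemes(passwords: dict = SAMPLE_PASSWORDS) -> dict:
    """Hash the same accounts both ways and report how many hashes are shared."""
    md5_dump = {u: md5_unsalted(p) for u, p in passwords.items()}
    salted_dump = {u: make_record(p)["hash"] for u, p in passwords.items()}
    return {"md5_shared": shared_hash_groups(md5_dump),
            "salted_shared": shared_hash_groups(salted_dump)}


if __name__ == "__main__":
    print(compare_schemes())  # {'md5_shared': 1, 'salted_shared': 0}
```

The salted store also costs roughly 100,000 hash computations per guess instead of one, which is the "multiple rounds of computation" the quote refers to.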

  • Yahoo said an investigation into the August 2013 user data theft indicated that the following user data was likely not compromised:

“[P]asswords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.”


  • After the theft was first announced last year, Yahoo’s Chief Information Security Officer (CISO) Bob Lord said that “more than one billion” accounts had been affected, in a press release published on 14 December 2016:

“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft.”

  • Yahoo emphasized that this new update is not due to a new data breach, and that the company took action with its December 2016 announcement of the theft to protect all accounts that existed at that time, saying:

“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account.”

  • The investigation is ongoing and individuals responsible for the data theft in August 2013 are not yet known, but the data was found to be up for sale on the dark web, according to cybersecurity firm InfoArmor, which discovered the stolen data in August 2016, according to CNN.
    • The dark web refers to an encrypted portion of the internet that is only accessible with special software.
    • CNN Tech reported in December 2016:

“At the time [InfoArmor discovered the stolen Yahoo data], it was sold to three parties for $300,000 each. Data is still for sale, but now that the breach is public, the price is expected to drop.”

The Context —

“We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

“Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

  • The Department of Justice (DOJ) indicted four people in connection with the 2014 attack, two Russian spies and two hackers, it announced in a press release on 15 March. The DOJ said:

“A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka ‘Magg,’ 29, a Russian national and resident; and Karim Baratov, aka ‘Kay,’ ‘Karim Taloverov’ and ‘Karim Akehmet Tokbergenov,’ 22, a Canadian national and a resident of Canada.”

  • In a press release published on 14 December 2016, Yahoo’s Lord said of the August 2013 data theft:

“We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”

What Yahoo Did to Protect User Accounts in December 2016 —

  • Yahoo said in its October account security update that in connection with its December 2016 announcement of the August 2013 theft, the company “took action to protect users beyond those identified at that time as potentially affected” by doing the following:
    • Requiring potentially affected users to change their passwords
    • Requiring all other users who had not changed their passwords since the time of the theft to do so
    • Invalidating unencrypted security questions and answers so they cannot be used to access an account
    • “[C]ontinuing to work closely with law enforcement” and continuing to “enhance our safeguards and systems that detect and prevent unauthorized access to user accounts”
  • Yahoo said it encourages all current users to take the following additional account security measures:
    • “Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo Account”
    • “Review your accounts for suspicious activity”
    • “Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information”
    • “Avoid clicking on links or downloading attachments from suspicious emails”
    • “[C]onsider using Yahoo Account Key,” which is an authentication tool that completely eliminates the need to use a password on Yahoo

Reactions from Experts —

  • Wesley McGrew, a security expert at Horne Cyber, told CNN that it’s not out of the ordinary for external investigations of data breaches to find a greater number of victims than initially anticipated. McGrew said:

“This often happens with breaches, on a much smaller scale. Initially, the investigation establishes a set of compromised systems and data that encompasses a set of users, then later something is discovered that expands the compromised systems [or] access.”

“Remember, though, that the data breaches actually took place in 2013, so all this notifying took place three years after the fact. The news is also problematic as this means roughly 2 billion users didn’t get direct notifications. Yahoo points out, though, that it also notified all users of the breach on its website.”

  • Ben Johnson, Chief Technology Officer at Obsidian Security, told CNN that Yahoo may never be certain about exactly what data was stolen. Johnson said:

“The fact is attackers are having field days and the problem is only going to get worse.”

Stephanie Haney contributed to this report.

The Whim News Desk

We'd rather be second and accurate than be first and wrong. The Whim News Desk is a dedicated team of researchers and investigators committed to presenting the news without bias. Follow us @TheWhimOnline for daily news coverage without the spin!
