Yahoo! data breach
In late 2014, hackers stole information associated with at least 500 million Yahoo! user accounts. This breach was publicly disclosed by Yahoo two years later on September 22, 2016.[1] The data breach is the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords.[2]
Events
Yahoo alleged in its statement that the breach was carried out by "state-sponsored" hackers,[3] but did not name any country.[2]
It is believed that the hack compromised personal data from the accounts including names, email addresses, telephone numbers, dates of birth, hashed passwords (the majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.[4][5] The statement also claimed that the hacker was no longer in Yahoo's system and that the company was fully cooperating with law enforcement.[6] Users were advised to be wary of unusual activity in their accounts, including suspicious emails.[1] The information gained in the breach, especially the security questions and answers, could help hackers break into victims' other online accounts.[7][8] Security experts cautioned that the incident could have far-reaching consequences involving privacy, potentially including finance and banking as well as personal information of people's lives—including information pulled from any other accounts that can be hacked with the gained account data.[1]
Yahoo recommends its users to change their password and security questions and answers for their Yahoo account as well any other accounts on which the same or similar credentials were used, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for personal information and avoid clicking on links or downloading attachments from suspicious emails.[5] Computer security experts point out that there may be millions of people, as users of Flickr, Sky and BT who do not realize that they have a Yahoo! account.[9] or Yahoo users who stopped using their accounts years earlier.[8][10][11][12]
As of September 26, 2016, it is unknown how long the company had been aware of the breach.[6] Yahoo's confirmation of the data breach came almost two months after the company said it was investigating claims that a hacker, called "Peace_of_mind" or "Peace", who previously sold data taken from LinkedIn, Twitter and Myspace,[13][14] was offering stolen user account details from 200 million Yahoo accounts for 3 bitcoins, (less than US$2000) on the darknet market, "TheRealDeal", [15][16] but he claims the data are from "2012 most likely".[17]
A spokesperson for Verizon Communications, which agreed to buy Yahoo! in July 2016, stated that Verizon had only become aware of the breach within the past two days.[2] Verizon had offered $4.83 billion in July 2016 for Yahoo's core properties.[18]
Marissa Mayer, the CEO of Yahoo, has known about the data breach since at least July 2016 but withheld the information from investors, regulators and acquirer Verizon until September.[19] In a September 9 securities filing, Yahoo said it wasn’t aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.[20][21][22] On November 9th the company stated in a securities filing[23] that Yahoo employees knew in 2014 that a state-sponsored hacker had broken into its network.[24] The document suggests that the company did not understand the extent of the attack until a claim by a hacker in July to have obtained vast amounts of Yahoo user data led to an intensification of an internal review.[25] The filing also said that the company is now investigating evidence that the hackers behind the 2014 breach found a way to access user accounts without their passwords via a cookie-based attack.[25][26]
Multiple experts that have looked into the issue believe that the security breach was the largest such incident made public in the history of the Internet.[2][18]
Other actors having access to Yahoo's data and more include the United States' National Security Agency (NSA), which has access to the company's data via the surveillance program PRISM, as well as by other methods. Similar to the breach, the NSA and GCHQ have secretly broken into the main communications links that connect Yahoo and Google data centers around the world in Britain's MUSCULAR program and thereby gained the ability to collect metadata and content at will from hundreds of millions of user accounts.[27][28][29][30][31]
Attribution of responsibility and motivation
According to Yahoo, the breach was carried out by a "state-sponsored actor"[6] and the organization claims that such "intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry".[7] While Yahoo did not name any country, some suspect China or Russia to be behind the hack.[2][32][33]
U.S. intelligence officials, who declined to give their names to the media, highlighted similarities between the attack and previous breaches linked to the Russian government.[2] Yahoo in fall 2014 detected what it believed was a small breach "involving 30 to 40 accounts", carried out by hackers believed to be "working on behalf of the Russian government" - according to Yahoo executives because it was launched from computers in that country. Yahoo reported the incident to the FBI in late 2014 and notified affected users.[34]
Sean Sullivan, security adviser at cyber security firm F-Secure Labs declares China as his top suspect and notes that "there have been no past cases of a service provider like Yahoo being targeted [by Russia]" whose hackers tend to perpetrate targeted attacks, either in areas important for their economy, such as the energy sector, and lately to undermine politicians, while "China likes to vacuum up all kinds of information" and "has a voracious appetite for personal information".[35] Examples of state-sponsored data breaches with China in suspicion are the massive data breach[36] of 18 million people from the United States Office of Personnel Management and the attacks on Google in 2010, dubbed Operation Aurora.[35]
Others have expressed doubt of Yahoo's claim of the attack being state sponsored, as it would be less embarrassing for Yahoo to attribute an attack to a nation state, which typically have the most sophisticated hacking capabilities, than to attribute it to a cybercriminal group or individual—particularly as Yahoo is in the middle of being acquired by Verizon.[32] Senior research scientist Kenneth Geers from Comodo, however, notes that "Yahoo is a strategic player on the World Wide Web, which makes it a good—and valid—target for nation-state intelligence collection".[32]
Arizona-based cybersecurity company InfoArmor issued a report[37] whose conclusion challenged Yahoo's position that a nation-state actor orchestrated the heist after reviewing a small sample of compromised accounts. According to the report the breach was the work of an Eastern European criminal gang who later sold the entire hacked database to at least three clients, including one state-sponsored group and since early 2015 no longer offer to sell the full database, but are seeking "to extract something from the dump for significant amounts of money" with the prices varying based on the value of the target. It is hard to know who the ultimate mastermind of a hack might be as criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire. Andrew Komarov, the firm's chief intelligence officer said the hackers, dubbed Group E, have a track record of selling stolen personal data on the dark web, have been previously linked to breaches at LinkedIn, Tumblr, and MySpace.[38] The company appears to have access to portions of the Yahoo database. It successfully decrypted the passwords for 8 of 10 Yahoo accounts provided by The Wall Street Journal within a day, and provided personal information associated with the accounts. According to the investigation, Group E was the source of some databases sold by the two hackers, named "Tessa88" and "Peace of Mind"[20] which the hacker group "used [...] to broker that data out".[21] According to InfoArmor, "the Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur" and may be the key in several targeted attacks against US Government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community happened in October 2015.[37][39]
2012 hack
According to an interview by Wired via encrypted, anonymous instant messaging with the person selling the accounts on the dark web, "Peace_of_mind", the earlier hack in 2012 was done by a "'team' of Russians".[13]
On the question of how he came to possess this data and is only selling it now, "Peace_of_mind" responds:
Well, these breaches were shared between the team and used for our own purposes. During this time, some members started selling to other people. The people who we sold to [were] selective, not random or in public forums and such, but people who would use [the data] for their own purposes and not resell or trade. Although [after] long enough, certain individuals obtained the data and started to sell [it] in bulk ($100/100k accounts, etc.) in the public. After noticing this, I decided for myself to start making a little extra cash to start selling publicly, as well.
And to why the crew did not want to sell the whole collection earlier:
It is not of value if data is made public. We had our own use for it and other buyers did as well. In addition, buyers expect this type of data to remain private for as long as possible. There are many [databases] not made public for that reason and [in] use for many years to come.
And to the question of how he was able to make more by selling the data privately:
Well, [the] main use is for spamming. There is a lot of money to be made there, as [well as] in selling to private buyers looking for specific targets. As well, password reuse —as seen in recent headlines of account takeovers of high profile people. Many simply don’t care to use different passwords which allows you to compile lists of Netflix, Paypal, Amazon, etc. to sell in bulk. (50K/100K/etc)
As the online black market site TheRealDeal was under distributed denial-of-service attack (DDoS) as of September 22, 2016,[15] the status of the listing was unknown.
Legal and commercial responses
On November 9th it was reported that 23 lawsuits related to the breach have been filed against Yahoo so far.[24] In one lawsuit, filed in the U.S. District Court for the Southern District of California in San Diego, the plaintiffs contend that the hack caused an "intrusion into personal financial matters." In another lawsuit, filed in the U.S. District Court for the Northern District of California in San Jose, the plaintiff contends that Yahoo acted with gross negligence in dealing with and reporting the security breach. Yahoo declined to comment on ongoing litigation.[18]
In a letter to Yahoo CEO Marissa Mayer, six democratic senators (Elizabeth Warren, Patrick Leahy, Al Franken, Richard Blumenthal, Ron Wyden and Edward Markey) demand answers on when Yahoo discovered the breach, and why it took so long to disclose it to the public, calling the time lag between the security breach and its disclosure 'unacceptable'.[40][41][42]
The Federal Bureau of Investigation (FBI) confirmed that it was investigating the affair.[2]
Verizon Communications Inc. Chief Executive Lowell McAdam said he wasn't shocked by the hack - according to him "we all live in an internet world, it's not a question of if you're going to get hacked but when you are going to get hacked". He left the door open to possibly renegotiate the $4.83 billion price tag.[43] Craig Silliman, Verizon's general counsel told reporters in Washington Verizon has "a reasonable basis to believe right now that the impact is material" and that they're "looking to Yahoo to demonstrate [...] the full impact". The company's reputation has suffered online in the last few months, according to an analysis by marketing firm Spredfast: about 90 percent of the Twitter comments about Yahoo were negative in October up from 68 percent in August, before news of the hack.[44]
On October 28 the European privacy regulators "Article 29 Working Party" outlined concerns about the 2014 data breach as well as allegations that the company built a system that scanned customers' incoming emails at the request of U.S. intelligence services in a letter[45] to Yahoo.[46] They asked Yahoo to communicate all aspects of the data breach to the EU authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations".[47]
In late November Ireland's Data Protection Commissioner (DPC), the lead European regulator on privacy issues for Yahoo whose European headquarters are in Dublin, said it had stepped up its examination of the breach, that it was awaiting information from Yahoo on allegations it helped the U.S. government scan users' emails and that Yahoo was not actively investigating the breach but just examining it.[48]
See also
- 2012 Yahoo! Voices hack
- Database security
- Information security
- Internet security
- List of data breaches
- Multi-factor authentication
- Security hacker
- Web literacy
References
- 1 2 3 Perlroth, Nicole (September 22, 2016). "Yahoo Says Hackers Stole Data on 500 Million Users in 2014". The New York Times. Retrieved September 22, 2016.
- 1 2 3 4 5 6 7 "Yahoo 'state' hackers stole data from 500 million users". BBC News. September 23, 2016. Retrieved September 23, 2016.
- ↑ Tsukayama, Hayley; Timberg, Craig; Fung, Brian (September 22, 2016). "Yahoo confirms data breach affecting at least 500 million accounts". The Washington Post. Retrieved September 22, 2016.
- ↑ Newcomb, Alyssa (September 22, 2016). "Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts". NBC News. Retrieved September 22, 2016.
- 1 2 "Account Security Issue FAQs". Yahoo!. Retrieved September 23, 2016.
- 1 2 3 "Yahoo confirms data breach affecting at least 500 million accounts". The Washington Post. September 22, 2016. Retrieved September 22, 2016.
- 1 2 "Yahoo says 'state-sponsored' hack stole personal data from 500m accounts". The National. Retrieved September 25, 2016.
- 1 2 Weise, Elizabeth. "Are you a Yahoo user? Do this right now". USA Today. Retrieved September 25, 2016.
- ↑ Brown, Aaron. "If you're a Sky or BT customer – you need to reset your password NOW after Yahoo hack". Sunday Express. Retrieved September 25, 2016.
- ↑ Isidore, Chris. "You could have a Yahoo account without even knowing it". CNN. Retrieved September 25, 2016.
- ↑ Joseph, Rebecca. "Here's what you need to know about the Yahoo hack". GlobalNews. Retrieved September 25, 2016.
- ↑ Griffin, Andrew. "Yahoo hack: Hundreds of millions of people probably don't know they are part of the world's biggest data breach". The Independent. Retrieved September 25, 2016.
- 1 2 Greenberg, Andy. "An Interview With the Hacker Probably Selling Your Password Right Now". WIRED. Retrieved September 22, 2016.
- ↑ Cox, Joseph. "The Administrator of the Dark Web's Infamous Hacking Market Has Vanished". Vice Motherboard. Retrieved September 22, 2016.
- 1 2 Szoldra, Paul. "The dark web marketplace where you can buy 200 million Yahoo accounts is under cyberattack". Business Insider. Retrieved September 22, 2016.
- ↑ Brian, Womack. "Yahoo Says at Least 500 Million Accounts Breached in Attack". Bloomberg. Retrieved September 22, 2016.
- ↑ Cox, Joseph. "Yahoo 'Aware' Hacker Is Advertising 200 Million Supposed Accounts on Dark Web". Vice Motherboard. Retrieved September 25, 2016.
- 1 2 3 Larson, Selena (September 23, 2016). "Yahoo facing lawsuits in the wake of massive data breach". CNN. Retrieved September 25, 2016.
- ↑ Taylor, Harriet (September 23, 2016). "Yahoo CEO Mayer knew about data breach in July: Report". CNBC.
- 1 2 McMillan, Robert. "Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says". The Wall Street Journal. Retrieved 15 October 2016.
- 1 2 Szoldra, Paul. "A cybersecurity firm is telling two very different stories of the Yahoo hack to news organizations". Retrieved 15 October 2016.
- ↑ "In September, Yahoo told Verizon it hadn't been hacked — but executives may have known for months". Business Insider. Retrieved 15 October 2016.
- ↑ "UNITED STATES SECURITIES AND EXCHANGE COMMISSION - Yahoo! Inc.". Retrieved 10 November 2016.
- 1 2 "Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack". The New York Times. Retrieved 10 November 2016.
- 1 2 "Yahoo discovered hack leading to major data breach two years before it was disclosed". The Washington Post. Retrieved 10 November 2016.
- ↑ "Yahoo knew of 'state-backed' hack in 2014". BBC. Retrieved 10 November 2016.
- ↑ Barton Gellman; Ashkan Soltani (October 30, 2013). "NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say". The Washington Post. Retrieved October 31, 2013.
- ↑ Barton Gellman; Todd Lindeman; Ashkan Soltani (October 30, 2013). "How the NSA is infiltrating private networks". The Washington Post. Retrieved October 31, 2013.
- ↑ Barton Gellman; Matt DeLong (October 30, 2013). "How the NSA's MUSCULAR program collects too much data from Yahoo and Google". The Washington Post. Retrieved October 31, 2013.
- ↑ Peterson, Andrea (October 30, 2013). "PRISM already gave the NSA access to tech giants. Here's why it wanted more.". The Washington Post. Retrieved October 31, 2013.
- ↑ "NSA statement on Washington Post report on infiltration of Google, Yahoo data center links". The Washington Post. October 30, 2013. Retrieved October 31, 2013.
- 1 2 3 Solon, Olivia. "China and Russia lead list of Yahoo hack suspects — but some doubt theory". The Guardian. Retrieved September 25, 2016.
- ↑ "U.S. Suspects Hackers in China Breached About 4 Million People's Records, Officials Say". The Wall Street Journal. Retrieved September 26, 2016.
- ↑ McMillan, Robert. "Yahoo Executives Detected a Hack Tied to Russia in 2014". The Wall Street Journal. Retrieved September 25, 2016.
- 1 2 Murgia, Madhumita. "Cyber experts look to usual suspects in Yahoo hack". Financial Times. Retrieved September 25, 2016.
- ↑ Nakashima, Ellen. "National Security Chinese breach data of 4 million federal workers". The Washington Post. Retrieved September 25, 2016.
- 1 2 "InfoArmor: Yahoo Data Breach Investigation". Retrieved 15 October 2016.
- ↑ "Here's Who Hacked Yahoo, According to One Cybersecurity Firm". Fortune. Retrieved 15 October 2016.
- ↑ Womack, Brian. "Yahoo Hacked by Criminals, Not State Sponsor, Security Firm Says". Bloomberg. Retrieved 15 October 2016.
- ↑ "Letter to Marissa Mayer signed by 6 senators" (PDF). leahy.senate.gov. Retrieved 30 September 2016.
- ↑ Fisher, Dennis. "Senators Demand Answers of Mayer on Yahoo Data Breach". OnTheWire. Retrieved 30 September 2016.
- ↑ Kuchler, Hannah. "US senators demand answers from Yahoo". The Financial Times. Retrieved 30 September 2016.
- ↑ "Verizon CEO Says Evaluating Whether Yahoo Hack Had 'Material Impact'". The Wall Street Journal. Retrieved 15 October 2016.
- ↑ "Verizon Says Yahoo Hack Could Reopen $4.8 Billion Deal Talks". The New York Times. Retrieved 15 October 2016.
- ↑ "ARTICLE 29 Data Protection Working Party Letter To Yahoo!" (PDF). Retrieved 2 November 2016.
- ↑ "EU Issues Data-Protection Warning to WhatsApp, Yahoo". The Wall Street Journal. Retrieved 29 October 2016.
- ↑ Fioretti, Julia. "EU data protection watchdogs warn WhatsApp, Yahoo on privacy". Reuters. Retrieved 29 October 2016.
- ↑ Bergin, Tom. "Irish data regulator steps up Yahoo hack probe, waits on email scanning". Reuters. Retrieved 26 November 2016.