Yahoo yesterday announced that a newly discovered breach exposed “data associated with more than one billion user accounts” in August of 2013.
“The company has not been able to identify the intrusion associated with this theft,” Yahoo said in a statement.
Notably, Yahoo says the breach is likely distinct from a breach of at least 500 million user accounts the company disclosed on September 22, 2016.
The information potentially accessed in this case includes names, email addresses, phone numbers, birthdates, hashed passwords, and security questions and answers.
All those potentially affected are being required to change their passwords and their security questions and answers.
“Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” the company stated. “Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.”
Yahoo says it has connected some of this activity to “the same state-sponsored actor” it believes was responsible for the previous breach disclosed in September.
Nathan Wenzler, principal security architect at AsTech Consulting, told eSecurity Planet that the new breach should come as no surprise to anyone. “Considering the insufficient security measures that were previously reported to be implemented by the last investigation of 500 million stolen accounts, it’s clear that the defense strategy Yahoo used was not keeping up with the times,” he said.
Wenzler said the breach should also serve as a reminder that being large and well-funded doesn’t mean an organization is secure. “Users should always be vigilant and change their credentials on a regular basis, even when used on the websites of very well established and reputable companies,” he said.
“Organizations of all sizes should be taking note of these breaches and use this as a good opportunity to review their own security posture to ensure that outdated and weak security measures aren’t being used,” Wenzler added. “Something like the MD5 hashing that Yahoo was using to protect account information hasn’t been considered a viable security protocol in several years, and is easily cracked.”
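The mitigation Wenzler's remark points to, as an added example (not code from the article, from Yahoo, or from AsTech): a login path that still verifies a legacy unsalted-MD5 record but transparently rehashes it with a per-user salt and a slow KDF (PBKDF2-SHA256, iteration count assumed) on the next successful login, plus an audit count of accounts still on MD5. User names and sample records are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor: deliberately slow, unlike MD5
SCHEME = "pbkdf2_sha256"

def legacy_md5(password: str) -> str:
    """Unsalted MD5 as the legacy store holds it. Equal passwords give equal
    digests and MD5 is fast, so a leaked table is trivially matched offline."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = b"") -> str:
    """Per-user random salt + slow KDF, stored as scheme$iters$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_modern(stored: str, password: str) -> bool:
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def is_legacy(stored: str) -> bool:
    return "$" not in stored and len(stored) == 32  # bare 32-hex MD5 digest

def verify_and_upgrade(store: dict, user: str, password: str) -> tuple:
    """Return (login_ok, upgraded). A legacy record can only be rehashed after
    the user proves the password, since the plaintext is needed for the KDF."""
    stored = store[user]
    if is_legacy(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        if ok:
            store[user] = hash_password(password)
        return ok, ok
    return verify_modern(stored, password), False

def count_legacy(store: dict) -> int:
    """Audit metric: accounts still protected only by unsalted MD5."""
    return sum(1 for v in store.values() if is_legacy(v))

# Constructed sample store (not real breach data): two legacy records, one modern.
SAMPLE_STORE = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("correct horse"),  # same password -> identical digest
    "carol": hash_password("tr0ub4dor&3"),
}
```

Running `count_legacy` against the store over time gives a concrete measure of how much of the user base still depends on the outdated scheme.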
And Acalvio chief security architect Chris Roberts suggested by email that it would be advisable to assume at this point that anything Yahoo had has been breached. “At this time anyone who touched Yahoo needs to do some serious housekeeping on all their systems, all of their passwords and all of their accounts to make sure there is no cross contamination,” he said.
Skyhigh Networks CEO Rajiv Gupta said by email that it’s important to keep in mind that leaked data from one billion accounts means hackers now have one billion keys to use in targeted attacks against corporations, government agencies and public figures. “Not every key will unlock a vault, but many will serve as footholds for hackers trying to gain entry to highly sensitive information,” he said.
“Database breaches have a tremendous ripple effect,” Gupta added. “Especially in this new era of cloud computing, the rate of password reuse means even a stolen consumer app password can be the weak link that leads to a catastrophic incident. Hackers can use compromised accounts and personal data to conduct targeted attacks on anything from a government official’s state email to a CEO’s Twitter account.”
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.