Half a billion user records have been stolen from Yahoo, in what the company have called a "State Sponsored" hack. Yahoo's belief that it's the victim of a state sponsored hack has been questioned by some commentators, not least Yahoo's former engineering Infosec chief, Jeremiah Grossman, who suggested that "State-sponsored adversaries don’t typically publicly share stolen data or sell it".
Whoever the attacker, it's now known that the stolen details included names, email addresses, security questions and phone numbers. Hashed passwords were also stolen. To Yahoo's credit these passwords were hashed with 'bycrpyt', a secure method which includes a salt in the hashing process. While this makes determining the password more difficult, it's not impossible.
Yahoo may have adopted good practice to obfuscate the password data held, however the same care was not taken for other data, with some security question information for millions of users believed not to have been encrytped or hashed and available in clear text to hackers. Security questions could comprise typical answers such as users' mother's maiden name, favourite pet, city of birth etc. This information could prove to be extremely valuable for future attacks on other applications beyond Yahoo.
Protecting Accounts that have been CompromisedBefore we move onto the potential ramifications of the Yahoo breach here's a checklist of what to do following any incident where a service provider has been breached and user data is stolen:
- Change the password immediately (For Yahoo in this case)
- If the same password is in use for other apps, change it there too
- Make the new password(s) strong
- Never use the same password for multiple accounts
- Be wary of phishing emails asking users to log into Yahoo and change password. Always visit the site directly, not through a link
- Change security question answers (ideally using fake information)
- Enable 2-Factor authentication on Yahoo and any other high value account.
The Compound Effect of the Yahoo Breach
Yahoo's bad practice in not encrypting security questions, and the typically weak password practices by users, creates the perfect conditions for the Yahoo breach to have significant ramifications beyond just Yahoo.
With names, email addresses, security questions, phone numbers and hashed passwords stolen, those with malicious intent have a wealth of data to leverage. Perhaps more damaging than passwords, the security questions and answers stolen in the breach will provide a security hole in many users' accounts for years to come - after all, the name of the city where you were born, or your mother's maiden name are not going to change. This information can help hackers impersonate individuals by authenticating via correct security question answers, potentially taking control of accounts they don't have passwords for.
Password Re-use Putting your Organisation at Risk
If employees within your organistion are asked to create and update passwords for business apps, it’s likely that they are already have re-used personal passwords for those accounts. If those employees had Yahoo accounts, the recently stolen Yahoo passwords are potentially the same as ones current protecting your business accounts, making these systems vulnerable to attack.
This very scenario happened to Dropbox after an employee had their LinkedIn email address and password stolen. In 2012, when 6.5 million LinkedIn usernames and passwords were stolen by Russian cybercriminals, one of those accounts happened to belong to a Dropbox employee. Unfortunately for Dropbox, the employee had used the same username and password for his Dropbox administrator account as he had to access his personal LinkedIn account. Once stolen, hackers used the LinkedIn credentials to access the Dropbox admin account and harvest thousands of customer records.
Password re-use is a common trait amongst users. In fact, Cambridge University’s Security Group found that password re-use is as high as 49%. Essentially, users tend to use the same password for every two accounts that require a log in.
The concern for organisations is that passwore re-use amongst employees is putting business applications at risk. This form of Insider Threat is not malicious, it's borne out of blissful ignorance, but it is endemic and poses a huge cyber security risk. The most recent UK Government Information Security Breaches Survey found that employees are involved in 81% of information security breaches.
If you're concerned about how the Yahoo hack, or weak employee practices, could pose a security risk for your organisation check out the video below: