Yahoo Data Breach: What Actually Happened?
The past 15 years have seen some large-scale and truly horrifying security breaches; some were so devastating that they bankrupted the victim company. A security or data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Stolen information, password guessing, recording keystrokes, phishing, malware, and denial-of-service are some common types of data breaches. According to Forbes, data breaches exposed 4.1 billion records in the first six months of 2019. At the organizational level, AOL was the first victim of phishing attacks in 1996, but the Yahoo data breach was the biggest data breach in history. Let’s review and analyze the case.
Impact: 3 billion user accounts
Yahoo Data Breach Settlement Amount: $117.5 million
In September 2016, the once-mighty Internet titan, while trying to sell itself to Verizon, announced it had been the victim of a security breach. As it turned out, it was probably the biggest data breach in history. The breach was most likely the result of attacks by a state-sponsored actor that started in 2014. The compromise exposed the real names, email addresses, dates of birth, and telephone numbers of 500 million Yahoo users. The company revealed that most of the passwords involved had been hashed using the robust bcrypt algorithm. Bcrypt is an algorithm that hashes passwords with a salt. A salt is a randomly chosen value, added to the hashing process, that makes a hash unique even when two users' passwords are identical. Using bcrypt makes stolen password hashes unusable unless they are cracked. As it turned out a couple of months later, Yahoo had also been compromised earlier, in 2013. The company revealed that a different group of hackers had stolen the information of 1 billion accounts. Besides names, birthdates, email addresses, and passwords (these were not as well protected as those involved in 2014), security questions and answers were also compromised. Finally, in October of 2017, Yahoo revised its estimate, saying that all 3 billion user accounts had been compromised in this 2013 breach. The breaches cost Yahoo an estimated $350 million of the sale price to Verizon. Verizon ultimately paid $4.48 billion for Yahoo’s core Internet business. The sale agreement stipulated that the two companies shared regulatory and legal liabilities from the breaches.
Attack Vector (how they got in): Improper input validation allowed attackers to take on any identity they chose by exploiting a weakness in the creation of user-identifying and authorizing cookies. Cookies are pieces of information that get stored on the client device to overcome the inherently stateless behavior of web servers. Because a stateless web server has no direct means to remember the state or connection details of a connected client, an identifying piece of information (think of a unique ID code) is stored on the client in the form of a cookie. This cookie should be unique for every user or client connecting to the server, and it allows the web application to correlate details about the user, typically stored in a database, with the client connection. This lets a normally stateless connection remember that you logged in and use that login to tie your user account to a set of authorized actions. Now imagine that the information stored in the cookie, the information that uniquely identifies a user of the system, isn’t actually unique, can be stolen, or is guessable (as was the case with Yahoo): an attacker can assume the identity of anyone and use the privileges that come with that account to do evil.
With that kind of access, an attacker can assume the identity of every user and individually download all their personal information, or find a privileged user with access to the application’s database or other supporting systems and place themselves in a position where they can mass-extract data or mass-destroy resources. Identifying information should be unique, impossible to guess, and useless if somehow stolen.
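The cookie weakness described above, as an added illustration (not Yahoo’s actual code, whose details the page does not give): a guessable identity cookie beside a hardened session cookie that is random, bound to the account on the server, and HMAC-tagged so forgeries are rejected. The server key, session table and usernames are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
# Server-side session table: opaque session id -> account it was issued to.
SESSIONS: dict[str, str] = {}


def weak_cookie(username: str) -> str:
    """Anti-pattern: the cookie *is* the identity. It is deterministic and
    built only from public data, so anyone who knows a username can mint a
    cookie for that account, and every login of a user yields the same value."""
    return base64.urlsafe_b64encode(f"user={username}".encode()).decode()


def weak_lookup(cookie: str) -> str:
    """The server trusts whatever name the cookie carries."""
    return base64.urlsafe_b64decode(cookie).decode().split("=", 1)[1]


def issue_session(username: str) -> str:
    """Hardened form: a fresh random id per login (unique and unguessable),
    recorded on the server, plus an HMAC tag so a forged or altered cookie
    fails verification before any database lookup happens."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def resolve_session(cookie: str):
    """Return the account for a valid cookie, or None if it was forged,
    tampered with, or revoked. The comparison is constant-time."""
    sid, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # tag does not match: not issued by this server
    return SESSIONS.get(sid)  # None once the session has been revoked


def revoke_session(cookie: str) -> None:
    """Logout / compromise response: a stolen cookie becomes useless."""
    SESSIONS.pop(cookie.partition(".")[0], None)
```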
As per The Guardian, the hackers used “forged cookies” — bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit, wrote Yahoo’s chief information security officer, Bob Lord. The cookies “could allow an intruder to access users’ accounts without a password” by misidentifying anyone using them as the owner of an email account.
Security breaches are happening all around us, to companies big and small. Not a day goes by without some new victim in the newspaper, each one bigger and more involved than the last. So if you are looking to establish, maintain, improve, and implement cybersecurity strategies in your organization, then this book will be of great help to you.
Modern Cybersecurity Practices, by Pascal Ackerman, will help you identify the cybersecurity needs of your particular environment, help you design and start a security program that fits those needs, and teach you how to keep an eye on the overall effectiveness of the program and test and improve your overall security posture.
For more CyberSecurity books, check our website.