Yahoo confirmed in September 2016 that it had been the victim of hacking which had compromised approximately half a billion accounts; however, it has now revealed that a Yahoo cyberattack in 2013 was two times as big. Apparently, the details of over 1,000,000,000 users were stolen in the 2013 Yahoo cyberattack.
The Yahoo cyberattack acknowledged in September was, at the time, the largest data breach ever reported. The news was particularly worrying for Yahoo as it had recently come to an agreement to sell its core business to Verizon Communications. Although it is understood that the deal has not been thwarted, Verizon has demanded a substantial reduction in price as a consequence of the Yahoo brand being devalued.
It has since come to light that certain figures at Yahoo were in fact aware of the breach well in advance of the deal with Verizon. One former executive has alleged that some were indeed aware of the breach shortly after it happened.
The said former executive also indicated that the breach concerned many more records than the acknowledged 500 million, even suggesting that more than 1 billion accounts might have been compromised. The disclosure of the 2013 Yahoo cyberattack therefore does not come as a significant shock.
Verizon has reacted to the statement by effectively repeating what was said after its discovery of the 2014 Yahoo cyberattack, with a spokesperson saying “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation.” Verizon will therefore review the probable consequences of the breach before it makes a decision regarding the purchase.
Yahoo Notifies Account Holders of 2013 Cyberattack
Yahoo is contacting its account holders whose information was jeopardised in the 2013 Yahoo cyberattack. It is estimated that the company has roughly 1,000,000,000 active users. It is unconfirmed whether or not all Yahoo users have been victims or if a portion of the 1 billion total includes inactive user accounts.
Customers have received a breach notice email which indicates that the cyberattack resulted in the theft of users’ full names, birth dates, personal telephone numbers, unencrypted security questions, as well as encrypted passwords. Given that the answers to security questions were stolen in the attack, it would be feasible for wrongdoers to reset users account passwords in order to gain access. Moreover, the algorithm used to encrypt user passwords (MD5) was dated and may also potentially be cracked.
Yahoo has had a relatively poor security record over the last few years. Although many similarly sized companies have invested large amounts of money into developing security controls, Yahoo has made significantly smaller investments in such technology compared to other large organizations, e.g. Google and Facebook. Even following other notable data breaches, Yahoo has proven to be slow in implementing extra security controls in order to improve protection of users’ data.
In 2012, Yahoo was the victim of a data breach that revealed some 450 thousand records, the 2013 cyberattack compromised 1 billion, and the 2014 attack exposed 500,000,000 records and included the theft of the company’s source code. More alarming worrying than the breaches themselves, is that Yahoo was apparently oblivious to the fact that a breach of 1 billion accounts had occurred in 2013. It was not until police notified Yahoo of the breach last month that it was in fact aware of the attack.
Yahoo was conducting its own investigation into the 2014 breach when law enforcement contacted it and furnished data that had apparently come from the 2014 attack. The data was supposedly obtained from an unidentified 3rd party. However, it quickly became evident that the data had in fact originated from another, unrelated, cyberattack which Yahoo was until then unaware of.
According to Independent security researchers who have been working together with Yahoo, users’ accounts were accessed by employing the stolen source code to crease forged cookies which allowed user accounts to be accessed without passwords. It is believed, however, that the the source code was in fact stolen during the 2014 attack. How the 2013 cyberattack on Yahoo happened remains rather unclear. Yahoo is of the opinion that the two attacks were carried out by a state-sponsored hacking group, however some security experts disagree with that assessment.
Following the most recent attack, Yahoo has obliged users to reset their passwords and unencrypted security questions have now been invalidated. Users are urged to ensure that they are using a secure password which has not been used elsewhere. In the event that passwords have been used for multiple web platforms or for numerous email accounts, users are advised to change them as well.