Hemant Bhargava, professor of technology management at University of California-Davis, and Northeastern University law professor Andrea Matwyshyn discussed the implications of the data breach at Yahoo on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111. (Listen to the podcast at the top of this page.)
Yahoo’s data breach may be good for overall security standards
Download File: https://cinurl.com/2vA6fx
Yahoo already faces user lawsuits over the breach. When exactly Yahoo discovered the breach will come out in the litigation, says Matwyshyn. She notes that the notifications that require companies to contact impacted account holders about data breaches within certain periods of time vary by state.
The Internet service company Yahoo! was subjected to the largest data breach on record.[1] Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts.[2] A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts,[3] Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted.[4] Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.[5] Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.[6][7][8][9]
The first reported data breach in 2016 had taken place sometime in late 2014, according to Yahoo![16][17][18] The hackers had obtained data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.[19][20] Security experts noted that the majority of Yahoo!'s passwords used the bcrypt hashing algorithm, which is considered difficult to crack, with the rest using the older MD5 algorithm, which can be broken rather quickly.[21]
In its November 2016 SEC filing, Yahoo! reported they had been aware of an intrusion into their network in 2014, but had not understood the extent of the breach until it began investigation of a separate data breach incident around July 2016.[6][30] Wired believes this separate data breach involved the Peace data from July 2016.[18] Yahoo!'s previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.[31]
The November 2016 SEC filing noted that the company believed the data breach had been conducted through a cookie-based attack that allowed hackers to authenticate as any other user without their password.[6][7][32] Yahoo! and its outside security analysts confirmed this was the method of intrusion in their December 2016 announcement of the August 2013 data breach, and had invalidated all previous cookies to eliminate this route.[3][8][33] In a regulatory filing in 2017, Yahoo! reported that 32 million accounts were accessed through this cookie-based attack through 2015 and 2016.[34] Multiple experts believe that the security breach was the largest such incident made public in the history of the Internet at the time.[5][35]
The first data breach occurred on Yahoo! servers in August 2013; Yahoo! stated this was a separate breach from the late 2014 one and was conducted by an "unauthorized third party".[3] Similar data as from the late 2014 breach had been taken from over 1 billion user accounts, including unencrypted security questions and answers. Yahoo! reported the breach on December 14, 2016, and forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future.[3] In February 2017, Yahoo! notified some users that data from the breach and forged cookies could have been used to access these accounts.[36] This breach is now considered the largest known breach of its kind on the Internet.[3][37] In October 2017, Yahoo! updated its assessment of the hack, and stated that it believes all of its 3 billion accounts at the time of the August 2013 breach were affected.[4][38]
According to Yahoo! this new breach was discovered while it was reviewing data given to them from law enforcement from an unnamed third-party hacker about a month prior.[39] They had been able to identify the method by which data were taken from the last 2014 hack using fake cookies during this investigation, but the method of the August 2013 breach was not clear to them upon their announcement.[3] Andrew Komarov, chief intelligence officer of the cybersecurity firm InfoArmor, had been helping Yahoo! and law enforcement already in response to the Peace data. In trying to track down the source of Peace's data, he discovered evidence of this latest breach from a dark web seller offering a list of more than one billion Yahoo! accounts for about $300,000 in August 2015. While two of the three buyers of this data were found to be underground spammers, the third buyer had specifically asked the seller of the Yahoo! data to affirm if ten names of United States and foreign government officials were on the offered list and information associated with them. Suspecting that this buyer may have been related to a foreign intelligence agency, Komarov discovered that the offered data included the accounts of over 150,000 names of people working for the United States government and military, as well as additional accounts associated with European Union, Canadian, British, and Australian governments.[39][40] Komarov alerted the appropriate agencies about this new data set and began working with them directly.[39] Komarov noted that while U.S. government policies have changed to keep key intelligence employees as low-key as possible, these affected users likely set up Yahoo! accounts for personal use well before such policies were in place, and included their work details as part of their profiles, making this information highly valuable for foreign intelligence groups.[40] Komarov had opted not to go to Yahoo! about the data, as they had previously been dismissive of InfoArmor's services in the past, and Komarov believed that Yahoo! would not thoroughly investigate the situation as it would threaten their Verizon buyout.[39]
In addition to government issues, Komarov and other security firms warned that the data from this breach can be used to attempt access to other accounts, since it included backup email contact addresses and security questions. Such data, these experts warn, could be used to create phishing attacks to lure users into revealing sensitive information which can then be used for malicious purposes. Hold Security, another cybersecurity firm, observed that some darkweb sellers were still selling this database for up to $200,000 as late as October 2016; Komarov found that the data continues to be available at a much lower price since the passwords have been forced changed, but the data can still be valuable for phishing attacks and gaining access to other accounts.[39]
Sean Sullivan, a security adviser at cyber security firm F-Secure Labs, declared China to be his top suspect and said that "there have been no past cases of a service provider like Yahoo! being targeted [by Russia]," whose hackers tend to perpetrate targeted attacks, either in areas important for their economy, such as the energy sector, or to undermine politicians, while "China likes to vacuum up all kinds of information" and "has a voracious appetite for personal information".[44] Examples of state-sponsored data breaches with China in suspicion include the massive data breach[45] of 18 million people from the United States Office of Personnel Management and the attacks on Google in 2010, dubbed Operation Aurora.[44]
InfoArmor issued a report that challenged Yahoo's claim that a nation-state orchestrated the heist after reviewing a small sample of compromised accounts.[47] InfoArmor had been able to obtain the list of affected accounts for analysis. InfoArmor determined that the breach was likely the work of an Eastern European criminal gang that later sold the entire hacked database to at least three clients, including one state-sponsored group. According to InfoArmor, by early 2015, the group no longer offered to sell the full database, but sought "to extract something from the dump for significant amounts of money." The report noted that it was difficult to determine who the ultimate mastermind of a hack might be, as criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire. Komarov said the hackers may be related to Group E, who have had a track record of selling stolen personal data on the dark web, primarily to underground spammers, and were previously linked to breaches at LinkedIn, Tumblr, and MySpace.[48] InfoArmor had linked Group E as the source of the data that were offered by Peace, and believed that Group E was brokering the data to dark web sellers.[15] While InfoArmor did not believe a state-sponsored agency committed the breach, they warned of implications on foreign intelligences, as the breaches "opens the door to significant opportunities for cyber-espionage and targeted attacks," and may be the key in several targeted attacks against U.S. government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community in October 2015.[47][49]
Yahoo! stated that the 2013 breach is connected "to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."[37] White House spokespersons stated that the FBI is currently investigating this breach, though the scope of its impact is unclear.[50] A United States official, speaking to CBS News, says that government investigators agree with Yahoo! that the hack was sponsored by a foreign state, possibly Russia.[51] Security experts speculate that because little of the data from this 2013 breach have been made available on the black market, the breach was likely targeted to find information on specific people.[51] 2ff7e9595c
Comments