Just a few months after disclosing that 500 million accounts were compromised in 2014, Yahoo Inc. is at it again, announcing this week that one billion accounts were compromised in 2013, the largest data breach recorded to date.
Yahoo believes that this breach is separate from the breach reported back in September, and as of now, the company hasn’t been able to determine how the data from the one billion accounts was stolen. The company is notifying the account holders who have been affected, and those users will be required to change their passwords.
Stolen user information from the accounts affected could include names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and encrypted or unencrypted security questions and answers.
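Why "hashed passwords (using MD5)" is the item on that list a practitioner worries about: MD5 is fast and, if the hashes carry no per-user salt, one precomputed table cracks every account at once. The following is an added example, not code from the original article or from Yahoo, that runs a small wordlist against a constructed MD5 dump and then against the same passwords stored with a per-user salt and PBKDF2. The accounts, passwords, wordlist and the assumption that the MD5 hashes are unsalted are all illustrative.

```python
import hashlib
import hmac

# Constructed sample dump: account -> unsalted MD5(password). These are demo
# rows, not leaked data. Assumption for illustration: no per-user salt.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),  # not in the wordlist
}

# A tiny stand-in for a real cracking wordlist.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "yahoo", "welcome"]


def crack_unsalted_md5(dump, wordlist):
    """Hash every candidate once, then look each leaked digest up in that table.

    Without a salt one table serves every account in the dump, and MD5 is fast
    enough that a table of billions of candidates is routine.
    Returns (recovered passwords by account, number of hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {acct: table[digest] for acct, digest in dump.items() if digest in table}
    return found, len(table)


def pbkdf2_digest(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_records(passwords, iterations):
    """The same accounts stored with a per-user salt and a slow KDF."""
    records = {}
    for acct, pw in passwords.items():
        # Demo-only deterministic salt so the example is reproducible;
        # real code uses os.urandom(16).
        salt = hashlib.sha256(acct.encode()).digest()[:16]
        records[acct] = (salt, pbkdf2_digest(pw, salt, iterations))
    return records


def crack_salted_pbkdf2(records, wordlist, iterations):
    """Same wordlist attack against salted PBKDF2: no shared table is possible,
    so every (account, candidate) pair costs a full KDF run of `iterations`
    HMAC-SHA256 calls. Returns (recovered passwords, number of KDF runs)."""
    found, runs = {}, 0
    for acct, (salt, digest) in records.items():
        for w in wordlist:
            runs += 1
            if hmac.compare_digest(pbkdf2_digest(w, salt, iterations), digest):
                found[acct] = w
                break
    return found, runs


if __name__ == "__main__":
    found, hashes = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: {len(found)} of {len(LEAKED_MD5)} cracked with {hashes} hashes")
    plain = {"alice@example.com": "password1", "bob@example.com": "letmein",
             "carol@example.com": "Tr0ub4dor&3"}
    iters = 200_000
    found2, runs = crack_salted_pbkdf2(make_salted_records(plain, iters), WORDLIST, iters)
    print(f"salted PBKDF2: {len(found2)} cracked, but it took {runs} runs x {iters} iterations")
```

The point the numbers make: salting and a slow KDF do not rescue weak passwords (the same two accounts fall either way), they multiply the attacker's cost from one hash per candidate to one full KDF run per candidate per account. That is why the advice further down, to stop reusing passwords, matters more than the hash algorithm.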
On the bright side, Yahoo’s internal investigation indicates that payment card data and bank account information were not stolen, as that information is not stored on the affected system.
The company was made aware of the hack by law enforcement in November, and is investigating “the creation of forged cookies that could allow an intruder to access users’ accounts without a password.”
Bob Lord, Yahoo’s chief information security officer, wrote in a post announcing the hack that, “we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
Yahoo is taking steps to secure the affected accounts. On top of requiring users to change their passwords, Yahoo has invalidated unencrypted security questions and answers, invalidated the forged cookies, and hardened its systems to secure them against similar attacks.
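What a forged-cookie attack and the two countermeasures above (invalidating the forged cookies, hardening the scheme) look like in code. The article says only that leaked proprietary code let the attacker forge cookies; the following is an added example with an illustrative design, not Yahoo’s actual cookie format or code. It assumes a session cookie that is an HMAC-SHA256 over the account name and issue time, and that the attacker recovered the signing key along with the scheme. Account names, keys and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(account: str, issued_at: int, key: bytes) -> str:
    """Server-side issuance: cookie = b64(payload) + "." + HMAC-SHA256(key, payload).

    Whoever holds `key` can mint a cookie for any account without a password;
    that is the forgery the article describes."""
    payload = json.dumps({"acct": account, "iat": issued_at}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{_b64(payload)}.{tag}"


def verify_cookie(cookie: str, key: bytes, revoked_before: Dict[str, int]) -> Optional[str]:
    """Return the account the cookie authenticates, or None.

    Two checks: the HMAC must verify under the *current* key (rotating the key
    kills everything minted under the leaked one), and the issue time must not
    predate the per-account revocation cutoff (invalidating cookies for just the
    affected accounts without a global logout). The payload is parsed only
    after the tag verifies, so unauthenticated bytes never reach json.loads."""
    try:
        body, tag = cookie.split(".", 1)
        payload = _unb64(body)
    except ValueError:                      # malformed cookie or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["iat"] < revoked_before.get(claims["acct"], 0):
        return None
    return claims["acct"]


def walkthrough():
    """Constructed timeline of the incident shape described in the article."""
    leaked_key = b"constructed-demo-key-learned-from-source"  # assumption: recovered from code
    revoked: Dict[str, int] = {}
    # 1. Attacker mints a cookie for a victim, never touching the password.
    forged = mint_cookie("victim@example.com", issued_at=1_480_000_000, key=leaked_key)
    accepted = verify_cookie(forged, leaked_key, revoked)          # "victim@example.com"
    # 2. Editing the payload without the key fails: the key, not the format, is the secret.
    _, tag = forged.split(".", 1)
    other = json.dumps({"acct": "other@example.com", "iat": 1_480_000_000}, sort_keys=True).encode()
    tampered_result = verify_cookie(f"{_b64(other)}.{tag}", leaked_key, revoked)  # None
    # 3. Response: invalidate cookies for affected accounts issued before a cutoff...
    revoked["victim@example.com"] = 1_481_000_000
    after_revoke = verify_cookie(forged, leaked_key, revoked)      # None
    # 4. ...and rotate the signing key so nothing minted under the leaked key verifies.
    new_key = b"constructed-rotated-key"
    after_rotate = verify_cookie(forged, new_key, {})              # None
    # A fresh login after the cutoff, under the new key, still works.
    fresh = mint_cookie("victim@example.com", issued_at=1_481_000_100, key=new_key)
    fresh_result = verify_cookie(fresh, new_key, revoked)          # "victim@example.com"
    return accepted, tampered_result, after_revoke, after_rotate, fresh_result


if __name__ == "__main__":
    print(walkthrough())
```

The design lesson is that a stateless signed cookie is only as secret as the key and code that produce it; once those leak, every account is reachable without a credential, and the only remedies are the two shown: a per-account cutoff timestamp (revocation state the server must now keep) and a key rotation, which is what "invalidated the forged cookies" and "hardened its systems" amount to in practice.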
The next steps for affected users are simple, says David Senf, vice-president of the infrastructure solutions group at analyst firm IDC Canada: reset your password and start using good habits when creating passwords on other sites.
“If you have or had a Yahoo email account and use the same login password to access other email and online accounts, change them all. Changing and updating passwords, and not recycling them, are good practices in any event,” he writes in an email. “Moreover, try to select very different security challenge and response questions when setting up an account online. These are the sorts of questions that ask you where you first went to school or what the name of your first pet was.”
Though the data was stolen years ago, Yahoo account holders may still find themselves the victims of a ransomware-style attack that locks them out of their own accounts, if it hasn’t happened already, Senf says.
“Because the full login credentials have been compromised, as the attacker I can change your password to lock you out of your account. Of course first I’ll send you a message to let you know I will do it and how much to pay me to get your email back,” he says.
Whether these steps will be enough to restore confidence in the company after two record-breaking data breaches is another matter entirely.
“For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks – but also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts,” security researcher Brian Krebs wrote on his Krebs on Security blog after the news broke.
Customer trust isn’t the only problem heading Yahoo’s way. After revealing the smaller breach of 500 million in September, six U.S. senators sent the tech company a letter demanding exactly when the company had learned of the intrusion, finding it “unacceptable that millions of Americans’ data may have been compromised for two years.”
Vermont Senator Patrick Leahy has called for a hearing before the Senate Judiciary Committee, which has yet to be scheduled.
The breach could also complicate the Verizon deal announced in July. Verizon agreed to buy Yahoo for $4.8 billion USD, but the deal has not closed, and Verizon has since sought a $1 billion discount based on the numerous problems Yahoo has experienced since the deal was announced. These include a report published in October that Yahoo cooperated with the NSA to scan user emails for keywords.
“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions,” a Verizon spokesperson said regarding the latest Yahoo hack.