Rumor Mill: Yahoo Breach Affected Hundreds of Millions
But Password Reuse and Other Breached Sites - Not Yahoo - Could Be Culprit
Update (Sept. 23, 2016): Yahoo has disclosed that a massive data breach resulted in the exposure of at least 500 million users' accounts.
Don't leap to conclusions on the basis of a new report that suggests Yahoo is preparing to warn the world that it was hacked and lost hundreds of millions of users' account credentials.
"Yahoo is poised to confirm a massive data breach of its service"
It says the supposed breach is the same one that came to light in early August, when a hacker known as Peace - a.k.a. Peace_of_mind - began advertising 200 million alleged Yahoo credentials for sale on a darknet marketplace called The Real Deal, as technology news site Motherboard first reported. Peace told the site that the data likely dated from 2012, had already been traded privately for some time, and was now available for 3 bitcoins, worth about $1,800.
Peace was also the seller behind the stolen LinkedIn, Fling, MySpace and Tumblr credentials, many dating from years ago, as part of what's been a wave of historical mega-breaches belatedly coming to light as the information has been offered for sale via the cybercrime underground.
But some security experts have urged against reading too much into the new report. "I'm skeptical that they're going to say there's been a breach," Sean Sullivan, a security specialist for Finnish security firm F-Secure, tells me. "They might be like: there's a huge cache of verified accounts with verified passwords," he says, meaning that the information may have been obtained via a breach, but not necessarily a breach involving Yahoo.
"The asking price was minuscule, so clearly it's not something they had to pay to exfiltrate," Sullivan says. Hence one possibility, he says, is that the supposed Yahoo data breach is the result of attackers taking email and password combinations from other hacked sites - such as Adobe or Dropbox - and finding ones that worked on Yahoo's site. Sullivan said it would have been easy for attackers to harvest the information, create a script to test it against Yahoo, and then sell it to others.
Rampant Password Reuse
The ease and prevalence of that practice has led some technology firms to scrape public data dumps and proactively test whether the information contains reused passwords that could be used to log into any of the accounts registered with their service. In 2013, Facebook, for one, began reviewing public data dumps and forcing users to reset their passwords if they'd been reused.
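One way to run the kind of check described above, as an added example that is not code from the article or from any of the firms it names: a defender parses a public dump of email/password pairs and verifies each leaked password against the site's own salted password hashes, flagging matching accounts for a forced reset. The dump, the user store and the PBKDF2 parameters are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample dump ("email:password" per line), with a malformed line and mixed-case email.
LEAKED_DUMP = """\
alice@example.com:Summer2012!
BOB@Example.com:hunter2
carol@example.com:correct horse battery staple
this line has no separator
dave@example.com:letmein
"""

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow hash the site really stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user_store(plaintexts: dict) -> dict:
    # Demo-only helper: build {email: (salt, hash)} from plaintexts a real site would never hold.
    store = {}
    for email, pw in plaintexts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store

def parse_dump(text: str):
    # Yield (normalized_email, leaked_password); skip lines that do not parse.
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password

def accounts_to_reset(user_store: dict, dump_text: str) -> list:
    # Flag every local account whose leaked password verifies against its stored hash.
    flagged = []
    for email, leaked_pw in parse_dump(dump_text):
        record = user_store.get(email)
        if record is None:
            continue  # address not registered here
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            flagged.append(email)
    return flagged

if __name__ == "__main__":
    # alice and bob reused leaked passwords (bob's differs only in email case); carol's differs; dave is not a user.
    store = make_user_store({"alice@example.com": "Summer2012!", "bob@example.com": "hunter2",
                             "carol@example.com": "unique-pw-9x"})
    print(accounts_to_reset(store, LEAKED_DUMP))  # ['alice@example.com', 'bob@example.com']
```

Only the flagged accounts need a forced reset; the remaining dump entries are either not registered or do not match, so no user is disturbed needlessly.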
Following the report that Peace was offering about 200 million old Yahoo passwords for sale, Yahoo said that it was "aware of a claim" and investigating.
Perhaps not coincidentally, Sullivan notes that since this past summer, he's begun seeing frequent reminders from Yahoo whenever he logs in, encouraging him to change his password. "It's just been my personal experience of Yahoo encouraging the heck out of, 'Hey, update your password,' which in my case is complex and unique, and thus I've been waiting to see evidence of if I should, and also just because in my case there's nothing in my [Yahoo] account that's mission critical."
Another possibility is that, as part of the $4.8 billion sale of Yahoo's core business to Verizon, the company plans to issue a financial disclosure stating that it could face future legal action as a result of compromised credentials.
Sullivan says such a statement would likely read: "We don't know if there was a breach, but our lawyers say we are liable to cover the cost," which might see the company offering to provide identity theft monitoring.
Yet another possibility is that a short seller is attempting to manipulate Verizon's or Yahoo's stock price.
The warning that hundreds of millions of Yahoo accounts may have been compromised is a reminder of how much Yahoo's star has fallen. Initially, the site positioned itself in large part as a portal to the rest of the internet as well as a search engine. But as the portal paradigm faded and Google became the search engine giant, Yahoo suffered.
"The news about possible breach at Yahoo! just reminded me I have an account with them. Must see what, if anything, I've been missing :) :)" - Brian Honan (@BrianHonan), September 22, 2016
As Dublin-based information security consultant Brian Honan notes via Twitter, news of the breach may now lead to a spike in the use of Yahoo, if only for lapsed users to remind themselves of what they used to use the service for.