Euro Security Watch with Mathew J. Schwartz


Rumor Mill: Yahoo Breach Affected Hundreds of Millions

But Password Reuse and Other Breached Sites - Not Yahoo - Could Be Culprit
Photo: Yun Huang Yong (Flickr/CC)

Update (Sept. 23, 2016): Yahoo has disclosed that a massive data breach resulted in the exposure of at least 500 million users' accounts.


Don't leap to conclusions on the basis of a new report that suggests Yahoo is preparing to warn the world that it was hacked and lost hundreds of millions of users' account credentials.

The data breach report, from technology news site Recode, claims that "Yahoo is poised to confirm a massive data breach of its service" that exposed credentials for hundreds of millions of users.

It says the supposed breach is the same one that came to light in early August, when a hacker known as Peace - a.k.a. Peace_of_mind - began advertising 200 million alleged Yahoo credentials for sale on a darknet marketplace called The Real Deal, as technology news site Motherboard first reported. Peace told Motherboard that the data likely dated from 2012, had already been traded privately for some time, and was now on offer for 3 bitcoins, worth about $1,800 at the time.

Peace was also the seller behind stolen LinkedIn, Fling, MySpace and Tumblr credentials, many dating from years earlier. Those sales are part of a wave of historical mega-breaches that have belatedly come to light only as the data was offered for sale in the cybercrime underground.

But some security experts have urged against reading too much into the new report. "I'm skeptical that they're going to say there's been a breach," Sean Sullivan, a security specialist for Finnish security firm F-Secure, tells me. "They might be like: there's a huge cache of verified accounts with verified passwords," he says, meaning that the information may have been obtained via a breach, but not necessarily a breach involving Yahoo.

"The asking price was minuscule, so clearly it's not something they had to pay to exfiltrate," Sullivan says. Hence one possibility, he says, is that the supposed Yahoo data breach is really the result of attackers taking email and password combinations from other hacked sites - such as Adobe or Dropbox - and finding the ones that also worked on Yahoo's site. Sullivan says it would have been easy for attackers to harvest that information, write a script to test it against Yahoo's login, and then sell the pairs that worked to others.

Rampant Password Reuse

The ease and prevalence of that practice has led some technology firms to scrape public data dumps and proactively test whether any of the leaked email and password pairs also work for accounts registered with their own service. In 2013, Facebook, for one, began reviewing public data dumps and forcing users to reset their passwords if they'd been reused.
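The defensive check described above, as an added example that is not code from the original article or from any company it mentions: a leaked dump of email:password pairs is parsed, each pair that matches one of "our" registered users is re-hashed with that user's own salt under our own password scheme, and the users whose stored hash matches are queued for a forced reset. The dump contents, the user table and the PBKDF2-based scheme are all constructed for this example; a real deployment would plug in its own password hashing and user store.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample of a "public dump" in the common email:password layout
# sold on underground markets. Every value here is invented for this example.
LEAKED_DUMP = """\
alice@example.com:Summer2012!
bob@example.com:hunter2

carol@example.com:correct horse battery staple
dave@example.com:P@ssw0rd
"""

# Hypothetical in-house scheme: PBKDF2-HMAC-SHA256 with a per-user random salt.
# Swap in whatever your own user store actually uses (bcrypt, scrypt, Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under our (assumed) scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(email: str, password: str) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table: alice and dave reused their leaked password on our
# service, bob chose a different one, carol is not registered with us at all.
USER_TABLE: Dict[str, Dict[str, object]] = {
    r["email"]: r
    for r in [
        make_user_record("alice@example.com", "Summer2012!"),
        make_user_record("bob@example.com", "a-different-unique-passphrase"),
        make_user_record("dave@example.com", "P@ssw0rd"),
    ]
}


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines; blank or malformed lines are skipped.

    Only the first ':' is treated as the separator so passwords containing
    ':' survive intact. Emails are lower-cased to match our normalised store.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused_credentials(dump_text: str, users: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the emails of our users whose leaked password is also their
    current password here, i.e. the accounts that need a forced reset."""
    to_reset = []
    for email, leaked_password in parse_dump(dump_text):
        record = users.get(email)
        if record is None:
            continue  # not one of our users; nothing to check
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison, same as a normal login check would use.
        if hmac.compare_digest(candidate, record["hash"]):
            to_reset.append(email)
    return to_reset


if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_DUMP, USER_TABLE):
        print(f"force password reset: {email}")
```

Two caveats a practitioner would want: this only works when the dump contains plaintext (or already cracked) passwords, since the leaked value has to be run through your own salted scheme rather than compared hash-to-hash; and the per-entry cost is a full password-hash computation, so a 200-million-line dump is a batch job to be filtered first against the emails you actually have registered.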

Following the report that Peace was offering about 200 million old Yahoo passwords for sale, Yahoo said that it was "aware of a claim" and investigating.

Perhaps not coincidentally, Sullivan notes that since this past summer he's begun seeing frequent reminders from Yahoo whenever he logs in, encouraging him to change his password. "It's just been my personal experience of Yahoo encouraging the heck out of, 'Hey, update your password,' which in my case is complex and unique, and thus I've been waiting to see evidence of if I should, and also just because in my case there's nothing in my [Yahoo] account that's mission critical."

Another possibility is that, as part of the $4.8 billion sale of Yahoo's core business to Verizon, Yahoo plans to issue a financial disclosure acknowledging that it could face legal action over compromised credentials.

Sullivan says such a statement would likely read: "We don't know if there was a breach, but our lawyers say we are liable to cover the cost," which might see the company offering to provide identity theft monitoring.

A third possibility is that a short seller is attempting to manipulate Verizon's or Yahoo's stock price.

Halcyon Days

The warning that hundreds of millions of Yahoo accounts may have been compromised is a reminder of how much Yahoo's star has fallen. Initially, the site positioned itself in large part as a portal to the rest of the internet as well as a search engine. But as the portal paradigm faded and Google became the search engine giant, Yahoo suffered.

As Dublin-based information security consultant Brian Honan notes via Twitter, news of the breach may now lead to a spike in the use of Yahoo, if only for lapsed users to remind themselves of what they used to use the service for.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
