Yahoo publicly confirmed on Sept. 22 that it was the victim of a breach that exposed the information of more than 500 million users. What wasn’t publicly disclosed is exactly how the breach occurred and the methods used by Yahoo to discover the intrusion. The obvious assumption made by many is that Yahoo was simply confirming a public report made by a hacker, but as eWEEK has now learned, that’s not the case.
On Aug. 1, a hacker known as “Peace”‘ first alleged that he had 200 million Yahoo user accounts gained from a breach and he was selling them for three Bitcoins, which are worth approximately $1,900.
Sources familiar with the investigation at Yahoo confirmed to eWEEK that following the claims made by Peace, Yahoo did in fact initiate an internal investigation to see if the claims were legitimate.
As it turns out, after its investigation, Yahoo ultimately found no evidence to substantiate Peace’s claims of gaining Yahoo user account information by way of a breach that occurred in 2012. That said, after completing the investigation into the alleged 2012 breach, Yahoo’s internal security team conducted a broader, deep-dive review of its systems. In so doing, the team identified evidence of a breach by a state-sponsored actor that occurred in 2014.
In terms of root cause of the actual breach, Yahoo is not publicly saying anything other than it was state-sponsored. Sources familiar with the matter were unable to add any additional insight into the direct technical cause either.
In the past, Yahoo has provided some technical insight into breaches, albeit at a much smaller scale. Yahoo was in fact breached in 2012, in an attack that led to the disclosure of information on 450,000 users. At the time, Yahoo disclosed that the breach was the result of a SQL injection flaw.
By blaming the newly disclosed 2014 attack on state-sponsored hackers, Yahoo is implying that it faced a well-funded, organized and technologically adept adversary. It also means that a simple SQL injection or phishing attack did not lead to the loss of more than 500 million accounts. In addition, it’s important to understand that while the attack happened in 2014, Yahoo was unaware of it until this year, meaning the time to discovery for the breach was at least two years.
While taking two years to discover a breach is an unacceptably long period of time, consider that nation-state actors have been able to hide critical vulnerabilities from major IT vendors for a decade or more.
A group known only as “Shadow Brokers” publicly announced in August that it was selling cyber-weapons stolen from U.S. National Security Agency (NSA)-linked Equation Group. Some of the vulnerabilities publicly disclosed by Shadow Brokers include exploits of widely deployed Cisco routers.
Digging into the realm of speculation, it is possible that a nation-state-backed group that had access to unknown Equation Group zero-days in IT infrastructure equipment took aim at Yahoo. That doesn’t mean the NSA took aim at Yahoo, since we know now that likely another nation-state was able to pilfer the Equation Group’s tools.
Given that the Equation Group zero-days by definition were publicly unknown until August, when coincidentally Peace alleged to have access to Yahoo account information, perhaps those tools were used against Yahoo. Again, pure speculation, but the timing lines up and is very coincidental.
Regardless of the actual root cause, the bottom line is that half a billion users are at risk. To be fair, Yahoo did encrypt and hash its passwords, making them more difficult to use. Then again, if the attack did come from a nation-state with exotic technical capabilities, the attackers likely have the capability to decrypt hashed passwords, especially given that they have had the information for the last two years.
Perhaps more damaging than just the passwords though is the unencrypted user information, including telephone numbers, dates of birth and account security questions. Aside from being able to simply reuse an existing Yahoo password, the attacker now has more personally identifiable information about users that could be used in other attacks, or even to create fake identities.
The fallout from and the investigation into the 2014 Yahoo breach that was confirmed on Sept. 22 is far from over and will likely continue for months, if not years, to come. As more details emerge into the actual technical root cause of the breach, no doubt other organizations will come to realize they too have been impacted. Ultimately though, as the complete details of the breach emerge, lessons will be learned and hopefully no other organization will suffer the same kind of massive breach that Yahoo is now forced to deal with.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.