The already suffering Yahoo is yet again in hot water for the reveal of yet another massive breach, this one affecting over a billion user e-mail accounts. Yes, this isn’t a joke. Yahoo is out there to set hacking records and it’s inching closer by compromising its image and its impending $4.8 billion acquisition by telecom giant Verizon.
Taking to its official blog, Yahoo has today disclosed that its servers were not only breached back in 2014 — which it has already confirmed — but that another breach had occurred in August 2013 as well. This breach, the company says, is likely distinct from the one the following year, but it has caused twice the damage identified in the previously disclosed hack. User data of over a billion accounts was stolen in this breach, and Yahoo’s chief information security officer Bob Lord has written that while Yahoo has found evidence of the theft, how the intruders got into its systems and stole the data is still unknown.
We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft.
Since this even more monstrous intrusion was suffered before the 500 million account breach of 2014, how could it remain unknown to Yahoo officials until now? This breach was only discovered because of alerts from law enforcement agencies, which pushed Yahoo to examine the data with the help of outside forensic experts. Are they also looking into reports of Yahoo helping U.S. intelligence agencies gather information by scanning e-mail accounts of its users? Ah, never mind.
Some employees have previously said that they knew of the earlier disclosed hack even before the company went public with it. They had noticed some unusual activity on the company’s e-mail servers but dismissed it as spam. This disclosure only adds to the security problems for the company.
As for the data stolen by the intruders, it included most of the users’ personal information but not any financial (credit/debit card) details. It also doesn’t include bank account details or plaintext passwords. The official statement lists the following information as available to the intruders:
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
Further, Bloomberg reports that the leaked credentials include stolen data of more than 150,000 U.S. government and military employees. This new leak could enable foreign intelligence services to scour the massive database and arm themselves with personal and work information on undercover employees. It could pose a serious threat to national security, and Yahoo is to blame for all the mess.
In addition, Yahoo’s CISO Bob Lord goes on to add that the hackers have also gained access to Yahoo’s proprietary code, and that it has been used to forge cookies that allow access to accounts without a password. The company believes that some of these forged cookies were used in the state-sponsored (or cyber-criminal led!?) attack which was disclosed in September this year.
Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.
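To make the forged-cookie mechanism concrete, here is an added illustration (not Yahoo’s code and not from the article) of the usual design behind such cookies: a session cookie is a payload plus an HMAC under a server-side secret, so whoever obtains that secret can mint a cookie that verifies for any account without a password, and the defensive response is to tag cookies with a key id and revoke the compromised key so everything minted under it stops verifying. The key values, the key id layout and the payload fields are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration, not Yahoo's implementation. A session cookie
# here is "<base64 payload>.<hex HMAC-SHA256 over the payload>". The HMAC
# key lives on the server, so whoever obtains it (for example from leaked
# source or configuration) can mint a cookie that verifies for any user,
# with no password involved. Tagging each cookie with a key id (kid) lets
# the server revoke a compromised key and reject everything minted under it.
KEYS = {1: b"constructed-old-secret", 2: b"constructed-new-secret"}
ACTIVE_KID = 2          # key used for newly minted cookies
REVOKED_KIDS = set()    # kids that must no longer verify anything


def _sign(kid, payload):
    return hmac.new(KEYS[kid], payload, hashlib.sha256).hexdigest()


def mint_cookie(user, kid=ACTIVE_KID):
    """Build a signed session cookie for `user` under key `kid`."""
    payload = base64.urlsafe_b64encode(json.dumps({"u": user, "k": kid}).encode())
    return payload.decode() + "." + _sign(kid, payload)


def verify_cookie(cookie):
    """Return the user the cookie vouches for, or None if it is not trusted."""
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
        payload = payload_b64.encode()
        data = json.loads(base64.urlsafe_b64decode(payload))
        kid = int(data["k"])
    except (ValueError, KeyError, TypeError):
        return None
    # A revoked or unknown key id fails closed, whatever the signature says.
    if kid in REVOKED_KIDS or kid not in KEYS:
        return None
    if not hmac.compare_digest(_sign(kid, payload), sig):
        return None  # payload or signature was tampered with
    return data["u"]


def revoke_key(kid):
    """Invalidate every cookie minted under `kid` (the incident response step)."""
    REVOKED_KIDS.add(kid)
```

A cookie minted under the old key verifies until that key is revoked; afterwards it is rejected while cookies under the current key keep working, which is why rotating the signing material and invalidating old sessions is the standard response to a leaked secret.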
Much like every other technology behemoth in jeopardy, Yahoo is also elevating its users to the status of kings. It is in the process of notifying breached account holders of the grave incident and helping them reset their passwords (and set up two-factor authentication). This, however, only adds to my existing anxiety about the company’s $4.8 billion merger deal with Verizon. While the telecom carrier already had doubts about whether the previous hack was material, this disclosure will only act as sand on the dying fire.
This billion user account breach gives Verizon another plausible reason to either demand a real rebate on the deal price or back out of it altogether to protect its own brand image in the market. Linking yourself to Yahoo at this instant could be fatal and damage the brand it has built over the years. Commenting on today’s breach, a Verizon spokesperson said,
As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.