For the second time in less than three months, Yahoo has disclosed a massive data breach, and this is one for the record books. The company said more than one billion accounts are affected by the breach, and Yahoo officials still aren’t exactly sure how the attackers got in.
On Wednesday evening, Yahoo CISO Bob Lord said the company had been investigating the incident for some time after law enforcement officials came to Yahoo with evidence that the company had been compromised. The Yahoo security team dug into the records and the company’s system, trying to determine what had happened. What they discovered is that unknown attackers got into the company’s network in 2013 and made off with a truckload of user data, including names, hashed passwords, email addresses, phone numbers, and birth dates.
“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Lord said in his statement.
That’s a painful paragraph for a CISO to write. But the next two sentences must have been even more difficult.
“We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” Lord wrote.
The September Yahoo breach was no small affair, either. That one affected about 500 million users. There’s almost certainly quite a bit of overlap between the two breaches, but that’s still an enormous, unprecedented volume of user data that was compromised. Almost an unimaginable amount of data.
But there’s more.
“Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” Lord said.
So the attackers not only had access to a deep pool of user data, they also were able to get into Yahoo’s internal repositories and see how the company builds cookies for user authentication. The attackers then were able to use forged cookies to access users’ accounts. Lord said the company believes some of this activity was done by the same attackers who were responsible for the earlier breach, which Yahoo attributed to state-sponsored adversaries.
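The forged-cookie problem described above comes down to a design question: does an authentication cookie stay unforgeable once an adversary has read the code that mints it? The example below is added here for illustration and is not Yahoo's code, nor does it reflect how Yahoo actually built its cookies. It shows the usual defensive answer: the cookie carries a user id, an expiry and a key identifier, and is protected by an HMAC under a server-side secret, so reading the source reveals the format but not the key; tampering with the payload is rejected, and revoking a key (for instance after a suspected exposure of the signing material) invalidates every cookie minted under it. The key value, user ids and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Server-side signing keys, indexed by key id. Constructed placeholder value:
# real keys belong in a secrets manager, never in the application's source tree.
SIGNING_KEYS: Dict[str, bytes] = {"v1": b"CONSTRUCTED-EXAMPLE-KEY-ROTATE-ME"}
CURRENT_KEY_ID = "v1"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding (no '.' can appear, so it is a safe separator)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a cookie: <base64 payload>.<base64 HMAC-SHA256 tag>."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + ttl_seconds), "kid": CURRENT_KEY_ID}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEYS[CURRENT_KEY_ID], payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
        claims = json.loads(payload)
        key = SIGNING_KEYS[claims["kid"]]  # unknown/revoked key id -> KeyError
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger gets no timing signal from the verifier.
    if not hmac.compare_digest(expected, tag):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return None
    return claims.get("uid")


def tamper_uid(cookie: str, new_uid: str) -> str:
    """Defensive test helper: rewrite the uid claim while keeping the original tag.

    Models what an attacker who knows the format but not the key can do to an
    observed cookie; verify_cookie must reject the result.
    """
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = new_uid
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + tag_b64


def revoke_key(kid: str) -> None:
    """Drop a signing key; every cookie minted under it stops verifying immediately."""
    SIGNING_KEYS.pop(kid, None)


if __name__ == "__main__":
    c = issue_cookie("alice", ttl_seconds=3600, now=1000)
    print("valid:", verify_cookie(c, now=2000))            # alice
    print("expired:", verify_cookie(c, now=5000))          # None
    print("tampered:", verify_cookie(tamper_uid(c, "bob"), now=2000))  # None
    revoke_key("v1")
    print("after revocation:", verify_cookie(c, now=2000))  # None
```

The point of the `revoke_key` step is operational: once there is reason to believe the cookie-minting code and its secrets have been read by an outsider, rotating the key and forcing re-authentication is the only way to be sure that cookies produced outside the normal login path stop working.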
This has been a rough stretch for Yahoo’s security team, to say the least. Losing data from 1.5 billion accounts in the space of a few months is enough to give anyone nightmares and there are CSOs around the country breathing a sigh of relief that it didn’t happen to them. At least not this time. And that’s kind of the point of all of this.
Security is really hard and it’s made even more difficult by the asymmetric nature of the offense-defense conflict. Defenders have to be vigilant at all times and protect all of their assets, while attackers can pick their targets and opportunities whenever they see fit and they can keep trying until they succeed, without any penalty. It’s an unbalanced playing field and companies such as Yahoo that have the money to bring in top security talent can tilt it a little in their favor. But it will never shift completely, and it’s important to keep that in mind when breaches like this occur. Patient, well-resourced attackers will always enjoy an advantage, even against smart, well-resourced defenders.
Image: Dudu Pontes, CC BY license.