More than 500 million Yahoo accounts have been stolen in what could have been a state-sponsored attack dating back to late 2014.

It is believed that data taken includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers, but not credit card data.

Yahoo! Keyboard – Wikimedia Commons

People still use Yahoo!?

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” Bob Lord, the company’s CISO said in a blog post.

“Yahoo is working closely with law enforcement on this matter.”

In a press release, the company said: “Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.”

The “vast majority” of account passwords were hashed with bcrypt, a password-hashing function designed to make recovering a plaintext password from a stolen hash expensive. Bcrypt is an adaptive function: its cost factor (the number of hashing rounds) can be raised over time so that the hash stays slow to compute as hardware gets faster, which keeps it resistant to brute-force search attacks.
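The adaptive-cost idea above (store the work factor with the hash, raise it as hardware improves, and rehash on the next successful login, the only moment the plaintext is available) as an added example that is not part of the original article and not Yahoo’s code. It uses PBKDF2-HMAC-SHA256 from Python’s standard library rather than bcrypt, because bcrypt is not in the standard library; the pattern is the same. The record format and the function names are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Yahoo's code: an adaptive-cost password store in the
# style of bcrypt, built on stdlib PBKDF2-HMAC-SHA256. The record format
# "pbkdf2_sha256$iterations$salt$hash" is assumed for this example.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000  # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the cost stored in the record; constant-time compare."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was produced with a lower cost than current policy."""
    iterations, _, _ = _parse(record)
    return iterations < target_iterations


def login(password: str, record: str, target_iterations: int = CURRENT_ITERATIONS):
    """Return (ok, record_to_store).

    On a successful login with a stale cost the record is upgraded in place,
    because the plaintext is only available at login time.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, record


if __name__ == "__main__":
    # Constructed walk-through: a record created under an old, cheaper policy
    # is transparently upgraded the next time its owner logs in.
    old_record = hash_password("correct horse battery staple", iterations=10_000)
    print("needs rehash before login:", needs_rehash(old_record))
    ok, new_record = login("correct horse battery staple", old_record)
    print("login ok:", ok, "| needs rehash after login:", needs_rehash(new_record))
```

The cost lives inside the record, so old and new hashes coexist in one table and a policy change needs no mass migration; the migration happens one login at a time.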

Perhaps more troublesome is the issue of unencrypted security questions. “The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul,” said Alex Mathews, EMEA Technical Manager at cyber security company Positive Technologies.

“If the investigation determines that this extremely sensitive information were stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.”

Reuters reports that the security questions and answers were deliberately left unencrypted so that Yahoo could catch fake accounts more easily, since fake accounts usually reuse the same questions and answers.
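The trade-off described above (storing answers in clear so that reuse across accounts can be spotted) is not forced: a deterministic keyed hash of the normalized question/answer pair gives an opaque tag that is identical whenever the pair is identical, so reuse can still be counted without keeping the plaintext. The following is an added example, not Yahoo’s code; the key, the account records and the threshold are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example, not Yahoo's code: detect reuse of the same security
# question/answer pair across accounts from an HMAC-SHA256 tag instead of
# the stored plaintext. The key is generated here for the demo; in a real
# deployment it must live apart from the account database (secrets store or
# HSM), so that a dump of the table alone does not allow offline guessing
# of answers from their tags.
REUSE_KEY = os.urandom(32)


def normalize(text: str) -> str:
    """Fold case and whitespace so trivial variants map to the same tag."""
    return " ".join(text.lower().split())


def qa_tag(question: str, answer: str, key: bytes = REUSE_KEY) -> str:
    """Deterministic keyed tag of the (question, answer) pair."""
    msg = normalize(question).encode("utf-8") + b"\x00" + normalize(answer).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def find_reused_pairs(accounts, threshold: int = 3, key: bytes = REUSE_KEY) -> dict:
    """accounts: iterable of (account_id, question, answer).

    Returns {tag: [account_ids]} for every tag shared by at least `threshold`
    accounts; only the tags are needed, never the answers themselves.
    """
    groups = defaultdict(list)
    for account_id, question, answer in accounts:
        groups[qa_tag(question, answer, key)].append(account_id)
    return {tag: ids for tag, ids in groups.items() if len(ids) >= threshold}


# Constructed sample data: four accounts registered with an identical pair
# (the pattern the article describes for fake accounts) and two distinct
# legitimate ones.
SAMPLE_ACCOUNTS = [
    ("acct-001", "Mother's maiden name?", "Smith"),
    ("acct-002", "mother's maiden name?", "smith"),
    ("acct-003", "Mother's maiden name?", "  Smith "),
    ("acct-004", "Mother's maiden name?", "SMITH"),
    ("acct-005", "First pet's name?", "Rex"),
    ("acct-006", "Mother's maiden name?", "Garcia"),
]


if __name__ == "__main__":
    for tag, ids in find_reused_pairs(SAMPLE_ACCOUNTS).items():
        print(f"tag {tag[:12]}... reused by {len(ids)} accounts: {ids}")
```

The tag is deterministic on purpose, which is what makes the reuse count possible; the security of the answers then rests on the key staying out of the database. If the key is ever exposed, every tag becomes guessable offline, so key custody and rotation need the same care as the password hashes.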

“Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo two years to disclose. In this time, a great deal of additional harm will have occurred to the compromised accounts, ranging from account hijacking through to identity theft and fraud,” Jamie Graves, CEO of cyber security company ZoneFox, said.

“The Yahoo attack highlights the reason why good detection capabilities, aligned with laws that force this form of disclosure in a short period, such as the GDPR, are crucial to help protect personal information. Furthermore, organizations must not only have rigorous Cyber Security measures in place but also a disaster recovery plan to respond immediately to a breach if the, sometimes, inevitable occurs.”

US Senator Mark Warner said in a statement: “While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.”

The other party that may be wondering why it took so long for the breach to be disclosed is Verizon. It is believed that the company, which in July announced plans to buy Yahoo’s core business for $4.8bn (£3.7bn), found out about the breach just two days ago.

Verizon has said that it is “evaluating its interests” regarding Yahoo.

State-sponsored attacks

News of a possible serious breach first emerged in August, when a hacker called “Peace” attempted to sell information on 200 million Yahoo accounts; however, the FT reports that sources inside Yahoo believe the two hacks are separate incidents. The Peace breach may date back to 2012.

Yahoo has not named the government suspected to be behind the more recent attack, nor has any US government organization done so on the record, but Reuters claims three US intelligence officials said they believed the attack resembled previous hacks traced to Russian intelligence agencies or to hackers acting at their direction.

If Russia is indeed behind the breach, it comes at a time of increasing public awareness of cyber warfare. Russia is thought to have been responsible for a series of attacks on the Democratic National Committee, which saw controversial internal emails leaked on the eve of the Democratic convention. Again, nothing has ever been officially confirmed, but security firm CrowdStrike, called in by the DNC to trace the hacks, claims that the Russian teams APT 29 and APT 28 were behind the attack.

CTO Dmitri Alperovitch said: “Their victims have been identified in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran, Japan, Malaysia and South Korea. Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government.”

Russia has a long history of suspected cyber attacks on European targets, causing the Estonian government to pursue backing up its national databases in either a UK or Luxembourg data center.

Of course, other nation-state hackers exist, including the US: a set of 2013 NSA cyber tools was recently leaked online, possibly by Russia.

China has advanced cyber warfare capabilities, with perhaps the best known incident linked to the nation being Operation Aurora.

In January 2010, Google wrote in a blog post: “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident – albeit a significant one – was something quite different.

“First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses – including the Internet, finance, technology, media and chemical sectors – have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant US authorities.”

Targets of the ‘Elderwood Group’ cyber team are believed to have included Adobe, Juniper Networks, Rackspace, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical, and Yahoo.