1Bn Accounts Compromised in 2013 Yahoo Cyberattack

In September 2016, Yahoo announced it had been hacked and half a billion accounts were compromised; however, yesterday it was revealed that a 2013 Yahoo cyberattack was twice that size. The credentials of more than 1 billion users were reportedly stolen in the 2013 Yahoo cyberattack.

The Yahoo cyberattack announced in September was the largest data breach ever reported. This was particularly bad news as the company had just agreed to sell its core business to Verizon Communications. While the deal is not believed to have been derailed, Verizon is now seeking a substantial reduction in the purchase price as a result of the Yahoo brand being devalued.

It has since emerged that some individuals at Yahoo were aware of the breach long before the deal with Verizon was agreed. One former executive has suggested that some individuals were aware of the breach soon after it occurred.

That executive also said the breach involved far more records than 500 million, even suggesting well over 1 billion accounts may have been compromised. The announcement about the 2013 Yahoo cyberattack therefore does not come as a major surprise.

Verizon has responded to the announcement by essentially repeating what it said after the 2014 Yahoo cyberattack was disclosed: “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation.” Verizon will be reviewing the impact of the breach before any decision is made about what to do about the purchase.

Account Holders Notified of 2013 Yahoo Cyberattack

Yahoo is now notifying account holders if their information was compromised in the 2013 Yahoo cyberattack. The company has approximately 1 billion active users. It is unclear whether all of them have been impacted or whether the 1 bn total includes inactive accounts.

According to the breach notice emailed to customers, the cyberattack resulted in the theft of users’ names, dates of birth, telephone numbers, unencrypted security questions, and encrypted passwords. Since the answers to security questions were stolen in the clear, criminals could use them to reset the passwords on users’ accounts and gain access. The passwords themselves were protected with MD5, an old and fast hashing algorithm, so they too could potentially be cracked.

Security at Yahoo has been relatively poor in recent years. While many organizations have invested huge amounts of money into improving security controls, Yahoo has invested considerably less than other large organizations such as Facebook and Google. Even after notable data breaches, Yahoo was slow to implement additional security controls to better protect users’ data.

In 2012, Yahoo suffered a data breach that exposed 450,000 records; the 2013 Yahoo cyberattack exposed 1 bn; and the 2014 attack exposed 500 million records, with the company’s source code also stolen. Perhaps more worrying than the breaches themselves is that Yahoo was allegedly unaware it had experienced a breach of 1 bn accounts in 2013. The company only discovered it had been attacked after being notified by law enforcement last month.

Yahoo was investigating the 2014 breach when it was contacted by law enforcement and provided with data that had allegedly come from the 2014 hack. The data had been obtained from an undisclosed third party. However, it soon became clear that the data had come from a separate cyberattack which Yahoo was unaware of.

Independent security researchers working with Yahoo believe that access to users’ accounts was gained by using the stolen source code to create forged cookies that enabled accounts to be accessed without passwords. However, the source code was allegedly stolen in the 2014 attack, so how the 2013 Yahoo cyberattack occurred remains a mystery. Yahoo believes both attacks were conducted by a state-sponsored hacking group, although not all security experts agree.

In response to the recent attack, Yahoo has forced a password reset on users’ accounts and any unencrypted security questions have been invalidated. Users should ensure they use a secure password that has not been used elsewhere, and if passwords have been recycled across multiple web platforms or for other email accounts, they too should be changed.
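A defender-side illustration of the remediation described above, added here as an example and not code from Yahoo or the original article: legacy MD5-protected accounts are forced to reset, cleartext security-question answers are invalidated, and replacement passwords are stored with a salted scrypt hash. The record fields, sample users and scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: each record notes how its password is
# protected. Field names are assumptions for this example, not Yahoo's schema.
ACCOUNTS = {
    "alice": {"hash_algo": "md5", "pw_hash": hashlib.md5(b"hunter2").hexdigest(),
              "security_answer": "Rex", "must_reset": False},
    "bob":   {"hash_algo": "md5", "pw_hash": hashlib.md5(b"letmein").hexdigest(),
              "security_answer": "Springfield", "must_reset": False},
}

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed work-factor parameters


def remediate(accounts):
    """Breach response: force a reset on every account whose password is only
    MD5-hashed, and invalidate cleartext security-question answers so stolen
    answers can no longer be used to reset passwords."""
    for rec in accounts.values():
        if rec["hash_algo"] == "md5":
            rec["must_reset"] = True
            rec["pw_hash"] = None          # the MD5 digest is never accepted again
        rec["security_answer"] = None      # invalidated regardless of hash scheme
    return accounts


def set_password(rec, password):
    """Store a fresh password with a per-account random salt and scrypt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    rec.update(hash_algo="scrypt", salt=salt, pw_hash=digest, must_reset=False)


def verify_password(rec, password):
    """Accept only scrypt-protected passwords; legacy MD5 records never verify."""
    if rec["hash_algo"] != "scrypt" or rec["must_reset"]:
        return False
    digest = hashlib.scrypt(password.encode(), salt=rec["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, rec["pw_hash"])  # constant-time compare
```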

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news