It’s all over the press. Here is a quote from Reuters: “Yahoo Inc said on Thursday information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a “state-sponsored actor.”
The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority with the relatively strong bcrypt algorithm) but may not have included unprotected passwords, payment card data or bank account information, the company said.
Right, that is how it usually goes. This whole disclosure smells like a professional crisis-handling exercise. Later, after more breach investigation, they disclose that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of discovery. It is disappointing that Yahoo doesn’t share more details about the hack, such as when it first discovered that it had been attacked.
It’s easy to blame Russia (likely) or China (unlikely). If I had to break the bad news that my company had been hacked, I would feel much happier saying that the attackers were “state-sponsored” rather than a bunch of 15-year-old kids working in their parents’ basement.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said. Yahoo said it was working with law enforcement on the matter. It was not clear how this disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc.
Yahoo launched an investigation into a possible breach in early August after a Russian hacker named “Peace” offered to sell a data dump of over 200 million Yahoo accounts on the darknet for just $1,800 including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
Based on the chart below, this is the largest data breach ever – so far!!!
This is going to be a phishing paradise with significant fallout
Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and password across multiple sites, the other thing that will rear its ugly head is “credential stuffing”: a brute-force attack in which attackers feed the stolen Yahoo username and password pairs into the login forms of other websites until they find a match.
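The tell-tale signature of credential stuffing on the receiving site is one source trying many different usernames, each only once or twice, rather than hammering one account. Below is an added example (not from the original post, and not Yahoo’s own tooling) that flags that pattern over a few constructed login-log lines; the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (assumed format: timestamp ip= user= result=).
SAMPLE_LOG = """\
2016-09-23T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-09-23T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2016-09-23T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2016-09-23T10:00:03Z ip=203.0.113.7 user=dave result=OK
2016-09-23T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2016-09-23T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2016-09-23T10:00:30Z ip=198.51.100.9 user=alice result=FAIL
2016-09-23T10:00:35Z ip=198.51.100.9 user=alice result=FAIL
2016-09-23T10:00:40Z ip=198.51.100.9 user=alice result=OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {ip: (distinct_users, attempts, successes)} for sources whose
    activity in any sliding window looks like credential stuffing: at least
    min_users different usernames, none tried more than max_per_user times."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            window_evs = evs[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in window_evs:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sum(1 for _, _, r in window_evs if r == "OK")
                flagged[ip] = (len(per_user), len(window_evs), successes)
    return flagged

if __name__ == "__main__":
    for ip, (users, attempts, ok) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} usernames in {attempts} attempts, {ok} succeeded")
```

The second source (one account, repeated failures) is deliberately not flagged: that is ordinary single-account brute force, which a per-account lockout already covers, whereas the stuffing pattern slips under per-account limits and needs a per-source view.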
Yahoo put a security announcement on their website and has started to send users notices that they need to change their password.
The bad guys are going to have a field day with this, so BE CAREFUL!
We can expect to be confronted with a raft of Yahoo-related scams in our inboxes. As a matter of fact, as I was preparing this article I received a phishing email with an infected attachment in RTF (Rich Text Format). See below:
Can you identify all the “markings” of a fake email from the screen capture above? Let’s hope so – it’s time for all of us to be EXTRA VIGILANT when opening emails.