Hackers stole data from more than one billion Yahoo user accounts, the company disclosed late today. This breach is believed to be in addition to the one that was announced just a few months ago.
The breach and resulting leak were not discovered by Yahoo but by law enforcement officials, who provided Yahoo with data files that a third party had obtained and claimed had been stolen from Yahoo. Today, Yahoo, which Verizon announced this summer it would acquire, said that after analyzing the data with the help of outside experts it believes the stolen information is real, and that information on more than a billion accounts was taken by one or more unauthorized parties in August 2013; the attack is believed to have been carried out using forged cookies by hackers who had knowledge of Yahoo's internal systems. As of yet, however, neither Yahoo nor law enforcement appears to know who originally stole the data.
Yahoo did clarify that "Payment card data and bank account information are not stored in the system the company believes was affected," and that all unencrypted security questions and answers have been invalidated.
That said, one of the problems with challenge questions in general is that the answers are the same across different sites. The color of your first car, your mother's maiden name, and the place that you met your significant other don't change when you go from Yahoo to some other site. So, if you used your Yahoo password or challenge questions elsewhere, it might be wise to change them ASAP. Also, be wary of phishing emails referencing the Yahoo data leak - criminals will certainly try to exploit the panic that ensues after a major breach announcement.
Also, check out my article from September, The Biggest Lessons from the Yahoo Data Breach are the Ones Nobody is Talking About.
For those interested in what some others in the field have to say... here are some quotes, and they do not paint a pretty picture:
John Gunn, VP of Communications, VASCO Data Security: "You can change your password after a breach, but you can't change the name of your first school, favorite teacher, or first animal. Multifactor authentication is simple, effective, and easy to implement - there is simply no reason for passwords to still be in use."
Bert Rankin, CMO, Lastline: "The damage that a big business suffers from an orchestrated attack can continue to exact costs for decades. The costs can include the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement, and also soft-yet-real losses of escalating customer churn and brand value decline. Companies often fail to account for the magnitude of potential losses when resourcing their preventative measures. Perhaps a logical Yahoo - Verizon deal adjustment, however, will be a sober reminder of just how important it is to get a state-of-the-art cyber defense strategy in place."
Jeff Hill, Director of Product Management, Prevalent: "By far the most disquieting element of this story is that it took Yahoo - not exactly a backwater, technophobic organization - over 3 years to discover bad actors on its network exfiltrating billions of records. The lesson is clear: no organization is immune to compromise. What makes this a significant episode is not the breach itself, but the time-to-detection. Criminal actors can do significant damage in days and weeks; give them years, and all bets are off."
Philip Lieberman, President of Lieberman Software: "Simple salting of the user database (inclusion of special dummy records) could have provided Yahoo with the visibility to the source of the loss, but even this simple technique was apparently not used. Security behind the protection of personally identifiable information (PII) is a matter of culture and dedication, and is not necessarily a money issue. The core of this problem lies at the feet of the CEO and Board of Directors - in this case in not managing and monitoring their most precious asset: their customers' information."
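The "dummy record" technique Lieberman describes is usually called seeding canary (honeytoken) records: unguessable fake users are planted in each table, and if any of them later turn up in a leaked data set, the match identifies which table was the source. The following is an added illustration, not code from the article or from any vendor quoted; the secret key, table names, canary domain and the leaked lines are all constructed here.

```python
import hashlib
import hmac

# Assumption: a domain the organisation controls, so any mail sent to a canary
# address (e.g. a phishing wave after a leak) lands in a monitored mailbox.
CANARY_DOMAIN = "canary.example"


def make_canary(seed_key: bytes, table: str, n: int) -> str:
    """Derive the n-th dummy e-mail address for `table`.

    Keyed HMAC makes the address look random to anyone reading the table,
    yet lets the defender regenerate (and therefore recognise) every canary
    from the secret alone, without keeping a plaintext list around.
    """
    tag = hmac.new(seed_key, f"{table}:{n}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{CANARY_DOMAIN}"


def canary_index(seed_key: bytes, tables, per_table: int = 3) -> dict:
    """Map every canary address back to the table it was seeded into."""
    return {make_canary(seed_key, t, n): t for t in tables for n in range(per_table)}


def scan_dump(lines, index: dict) -> list:
    """Scan CSV-like lines of an externally obtained dump for canary hits.

    Returns (address, source_table) pairs; even one hit attributes the dump to
    a specific internal table, which is the "visibility to the source" the
    quote refers to.
    """
    hits = []
    for line in lines:
        for field in line.split(","):
            value = field.strip().lower()
            if value in index:
                hits.append((value, index[value]))
    return hits


if __name__ == "__main__":
    key = b"constructed-secret-key"           # constructed; keep the real one out of the DB
    idx = canary_index(key, ["accounts_us", "accounts_eu"])
    # Constructed dump: two ordinary-looking rows plus one seeded EU canary.
    dump = [
        "alice@example.org,2013-08-01,hash1",
        f"{make_canary(key, 'accounts_eu', 1)},2013-08-01,hash2",
        "bob@example.org,2013-08-02,hash3",
    ]
    print(scan_dump(dump, idx))               # [('u...@canary.example', 'accounts_eu')]
```

Matching on the full address is deliberate: a partial-string match against a large dump would produce false attributions, and the canary count per table should be small enough not to skew analytics.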
Willy Leichter, VP of Marketing, CipherCloud: "Yahoo never spotted this breach, and only learned of it years later through outside sources. Clearly, better security tools were needed to monitor activity, and detect a major intrusion."
Neil Daswani, CISO, LifeLock: "In today's world in which billions of customer records and accounts have been compromised, the real question may not be whether or not your information has been compromised, but rather whether or not you know when identity thieves are using your already stolen information."
Amichai Shulman, CTO, Imperva: "If there is one thing we learned in 2016, it is that breaches - and this Yahoo! one is one of the largest ever - can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped up on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years."
Paul Calatayud, CTO, FireMon: "The fact that Yahoo is not sure how the breach occurred is not uncommon. Often the forensic data is there, but being able to sift through the complexities and scale of a large technology base is a challenge."
Brad Bussie, CISSP, Director of Product Management, STEALTHbits Technologies: "If you were not a victim in the last breach, chances are you will be affected by this one."