19th December, 2016

Yahoo: a breach's story

New discovers about the attack to Yahoo in November 2014: apparently the attack started in August 2013, where also passwords and other sensible data were compromised, including the source code of Yahoo that allowed the second attack that allowed to bypass the authentication to the portal.

Yahoo admitted to be hacked also in 2013, but in the previous attack the emails compromised were over one billion.

A short reminder about what happened last time ("Yahoo: the breach still echos"): Yahoo admits that their systems were violated in November 2014 by a "State-Sponsored Actor", that was able to access to their systems, stealing some confidential information, but without violating the security of the passwords, because they were encrypted using bcrypt.

This time things are more clear: in August 2013 an unidentified group of hackers were able to penetrate into the systems of Yahoo and to get many confidential information about the accounts, that this time where also including password hashed with MD5. The hackers had also access to the source code of the portal, that allowed them to develop the backdoor for the cookie authentication in the website, violation that was announced in September 2016.

This new evidences bring Yahoo even in a more difficult position for several reasons:

1) First of all because with more than one billion accounts violated, this case represents the biggest known informatic violation of the history.

2) Yahoo knew even before November 2014 about the violation and the only alert that raised for the users was an invitation to change their passwords, not neither anything mandatory to do.

3) Knowing about this violation, they didn't report it to the authorities violationg the "Security breach notification law" of the 2002.

4) When the analysts entered into the systems of Yahoo, in September 2016, to evaluate the impact done by the hackers, Yahoo always announced that the password were not compromised because they were protected using bcrypt, but they never mentioned that hackers already had access to their systems where the password where not encrypted, but simply hashed with a MD5.

5) Because Yahoo didn't public announce that the password where compromised and they didn't neither forced their user to change their passwords, probably these hackers for at least 3 years and a half with the possibility to access to private information of many Yahoo customers, and today this could still happen.

After 3 years and a half of delay, a simple notification to ask to their customers to update a password it's not enough.

Last week arrived the first confirmation that three different people from East Europe had access to the 1 billion record database paying 300.000 Euro each of them. It's impredictable what these people might do now with such amount of confidencial information.

The customers don't have control on their data and maybe the GDPR (General Data Protection Regulation) the will be active from May 2018 will motivate the companies to take more care about the data and the privacy of their customers and to inform quicker the customers about the risks that they might occur regarding their data.

Apart from changing the password to all their services, there is not so much that the Yahoo customers could do, except thinking about what consequences could bring us this new informatic era where all data are doomed to be stored in the cloud.

[1]: "Yahoo: the breach still echos"

