Breaking Down Yahoo’s Breach of 500 Million Users

(Former information security officer at Yahoo, 2000–2001)

I’ve spent the past two days closely following my former employer as they manage the process of disclosing one of the largest breaches — if not the largest — in history.

We’re talking names, email addresses, telephone numbers, dates of birth, passwords, plus security questions and answers of more than 500 million people. Let’s let that magnitude burn in…. 500 million people — more than the entire U.S. population.

Whenever a mega-breach is disclosed, everyone is going to have opinions — often based entirely on speculation. And I’ll admit to having a healthy dose of that, based on my industry experience and the information we have at this point. One thing we do know for sure: the impact of this breach will be felt far and wide and is likely to continue for months, or even years, to come. This breach also speaks loudly to the increasing threats around cyber espionage and state-sponsored attacks, and the role that technology giants play in the security and privacy of our daily lives.

What Went Wrong

Let’s start by discussing a big piece of the security challenge. Based on my experience at Yahoo, a significant factor in this breach is the sheer size of its networks. Like many large companies, Yahoo has sprawling networks with hundreds of thousands of hosts in distributed locations around the world — along with thousands of employees and contractors, with an untold number of devices. All this makes for a massive attack surface that is difficult for anyone to effectively protect. As always with cybersecurity, the bad guy just needs to find and exploit a single point of vulnerability to win, while the defenders must be perfect all the time.

Another factor at play is that big organizations with vast technology infrastructures often rely on homegrown security solutions because most off-the-shelf products and services are not capable of operating at their scale. It could be that this issue created gaps in their security program because they’re unable to use cutting-edge security products designed to thwart modern threats that most everyone else can.

There are too many users, too much network traffic, and too much data for most security products on the market to handle, so these companies are forced to forge their own way for scalability reasons. I remember encountering this issue a number of times during my tenure at Yahoo. It’s a common complaint by many information security professionals, well beyond Yahoo, to this day. The only real option available is building custom controls and putting them in place.

While it’s easy to infer contributing issues that may have ultimately allowed an attack of this magnitude, there are a number of unanswered questions. Getting the full picture, or at least as much as we’re able, is a good learning experience for all of us.

The Missing Information

Sources close to the matter at Yahoo recently answered one of the most important questions: when did Yahoo learn of the breach? Reports state that after a profiteer hacker by the name of “Peace of Mind” publicly advertised that he had 200 million Yahoo credentials for sale, Yahoo launched an investigation into the claim. The investigation apparently was unable to confirm the breach or the validity of the data, but Yahoo subsequently launched a separate investigation to dig deeper. All this is said to have transpired roughly 2 months ago in early August.

What the investigation found roughly two months ago was the 500 million user breach, which they credited to a state-sponsored actor. If that’s the case, it’s possible we’re looking at two different breaches — if, of course, the claims by Peace of Mind are factual. It sounds strange to say, but the discovery of this more recent breach may be thanks to the hacker behind the first scandal.

While we’re on the topic of timing, Yahoo stated the breach originated back in late 2014. This begs the question of why it took so long for Yahoo to detect a breach of 500 million users. Were there no other indicators of compromise that triggered alarms, or maybe no one was looking at the alarms, or some combination thereof? Again, we don’t know.

Regardless, this lack of rapid breach detection is sadly consistent with industry norms. Many corporate victims of cybercrime go months or even years before noticing a breach. And when they do find out, they’re often tipped off by a third-party. Check and check.

The timing of the events is a particularly important detail in the story: not only because of what it says about companies’ transparency with users, but also because it determines what information was accessed, and for what purpose. This importance is heightened by the claim that the attack was perpetrated by a state-sponsored hacker — some saying Russia, according to sources close to the issue — which wouldn’t be surprising to most anyone in the industry, though it does bring up several more questions about what we can expect from the investigation.

The motivation for state-sponsored hacking is definitely present in this breach. We’re seeing some parallels between this and the Google Aurora attacks in 2010, pointing to the idea that state-sponsored hacking activity is playing out on networks like Yahoo’s because they’re a valuable source of information on their enemy’s or ally’s strategy. These networks are where the espionage activity is happening. If you are a nation-state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft etc., rather than just hacking government systems to find out. Beyond spy activity, there is also the motivation to deanonymize political dissidents. Instantly China and other countries comes to mind.

One of the most interesting aspects of this case, in my opinion, is the involvement of Peace of Mind. State-sponsored adversaries don’t publicly share stolen data or sell it — Peace of Mind has been all about selling stolen Yahoo account data since he raised the issue in August, leading me to believe it’s unlikely he is state-sponsored or affiliated with this week’s breach disclosure. Again, this is only if his claims are indeed true, which we may never know. If they are, though, it looks like there’s at least two different Yahoo breaches by two different hacking groups.

Why Do We Care?

As the rumor mill keeps churning, it’s impossible to ignore how this breach will impact Yahoo’s sale to Verizon. During an acquisition, it’s common for acquirers to conduct a full security audit of the organization. They want to know what risks, whether simply system vulnerabilities or full breaches, ahead of the deal closing. In the case of the Yahoo breach, now that it’s public, Verizon must consider the risks and costs associated with potential lawsuits in the price of the deal. And of course, any impact on share price will be closely monitored.

For affected Yahoo users, there’s a lot of bad advice making the rounds right now. Please be mindful. While Yahoo has said there is no evidence that attackers are currently in the network, as a precaution I recommend immediately changing not only your Yahoo password (and enabling two-factor authentication), but more importantly, any other accounts for which you might have used the same credentials. Attackers will most certainly leverage these set of credentials and try them against multiple accounts on other systems (i.e. Google, LinkedIn, Facebook, etc) until they are successful. And, take the time to change your secret questions and answers too, as those pieces of information can be used to get into your account as well.

With 500 million users waiting on further information, I’m very interested to see how Yahoo handles the “breach of the year” spotlight. More importantly, I hope we’ll learn some good lessons from this breach that will make a difference in the wider business world. This story is an opportunity to light a fire of urgency under major corporations to protect their users’ information from a more modern (and therefore realistic) standpoint.

If we look back through the history of breaches, for the vast majority, we knew ahead of time how to prevent these issues, detect them and fix them. What we’re lacking most is not so much awareness, but motivation to act with the right response, at the right time.

Yahoo wasn’t the first to experience a mega-breach, and it certainly won’t be the last. This is the modern world’s new normal.