
Yahoo: What happens next?

(Image credit: Ken Wolter / Shutterstock)

Last week Yahoo suffered yet another catastrophic blow as it revealed it had been the victim of the biggest data breach in history. The names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions associated with over one billion accounts made for a potent package for identity theft. But why has Yahoo had such a poor track record of security and what do consumers need to do to protect themselves in the future?  

The breach was undetected for three years and, to make matters worse, it was only brought to Yahoo’s attention by a third party. The type of information stolen was likely sold on the dark web for criminals to commit further identity fraud, which they’ve had plenty of time to do. While it’s not clear who was behind the initial breach, it was confirmed as separate from the one Yahoo suffered earlier this year. The fact that Yahoo wasn't aware of any of the breaches it had suffered is a huge red flag. Third parties brought the information to them each time and the likelihood is that there are more data breaches on its network that Yahoo is unaware of.

A key element of the breach was the outdated hashing method that Yahoo was still using as part of its security process. MD5 is an inferior password storage method which has long been considered insecure. A hash is computed by taking the plain text password and running it through an algorithm that is supposed to make the output impossible to reverse. However, as computing power has got cheaper and cheaper, MD5 has become easier and easier to crack through brute-force attacks.

As a result, there are freely available online indexes of these pre-computed hashes that can crack a large number of MD5 password lists. Despite this, Yahoo continued to use the method to hash its users’ passwords. It's been almost a decade since the security of MD5 was brought into question and Yahoo’s CEO, Marissa Mayer, needs to be held accountable. She was with the company well before the breach and made the decision to stick with outdated, poor security methods, which has put her customers at risk.
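The following added example (not part of the original article) shows why unsalted MD5 falls to a pre-computed index and how a salted, slow hash removes that shortcut. The wordlist, account names and function names are constructed, and PBKDF2-HMAC-SHA256 with this iteration count is an assumption chosen for illustration; the article does not name a replacement scheme.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a public pre-computed MD5 index.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine"]
PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def md5_hex(password):
    """Unsalted MD5, the weak storage scheme the article describes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_index(words):
    """Pre-compute hash -> plaintext once; reusable against any unsalted dump."""
    return {md5_hex(w): w for w in words}


def recover_from_index(stored, index):
    """Return accounts whose stored hash appears in the pre-computed index."""
    return {user: index[h] for user, h in stored.items() if h in index}


def hash_password(password, salt=None):
    """Salted, deliberately slow hash with a fresh random salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    # Constructed accounts: two users share a common password.
    stored = {u: md5_hex(p) for u, p in
              [("alice", "password"), ("bob", "password"),
               ("carol", "T7#vq-Lm2!xz")]}
    print("same MD5 for same password:", stored["alice"] == stored["bob"])
    print("recovered via index:",
          recover_from_index(stored, build_index(WORDLIST)))
    (s1, d1), (s2, d2) = hash_password("password"), hash_password("password")
    print("salted digests differ:", d1 != d2)
    print("verification still works:", verify_password("password", s1, d1))
```

With per-account salts, one pre-computed table no longer applies to every account, and the iteration count raises the cost of each individual guess.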

The breach involved forged authentication cookies, which would have granted the hackers access to targeted accounts without needing to supply the account’s password. As well as this, the forged cookies would have allowed the attackers to remain logged into the hacked accounts for weeks, months or even years. Authentication cookies are text files that contain information about the user’s session with a website. As demonstrated in the Yahoo breach, this data can then be exploited by cybercriminals. This is a major flaw and it’s highly likely that other sites have made the same mistake, but not every site that uses cookies will be vulnerable. 

What should Yahoo users do? 

Following the breach there are several things that Yahoo users need to do. Firstly, if you have a Yahoo account, move provider immediately. Switching to a more secure email service with robust authentication processes should be a priority. Many users might be unaware that their email account is managed by Yahoo thanks to historical partnerships and mergers. Companies like BT and many US telcos use, or have used, Yahoo for their customers’ email addresses, which means some people will be completely oblivious to the fact that they’ve been affected.

Those Yahoo users that do know might be tempted to delete their account. However, part of Yahoo’s Terms & Conditions is that the company may “allow other users to sign up for and use your current Yahoo! ID and profile names after your account has been deleted." This means that the person re-assigned your email account could take ownership of social media profiles connected to that email and read any personal correspondence with people still contacting that address.   

Instead, all Yahoo accounts should be purged. The first step should be changing the password of the account to something that is not used for any other online service, then switching two-factor authentication on immediately. Once a new email account with a different provider is created, the Yahoo account must be cleared of everything. Trash, calendar appointments, notes all have to go, then automatic responses should be switched on to divert senders to the new address. Finally, users need to change all the web logins for other services to their new email addresses. Once this is done they’ll be free of the Yahoo account and its sub-par security. While it will be a lengthy process, delaying it will only increase the risk of suffering yet another breach, which with Yahoo’s track record will likely be sooner rather than later.

What does this mean for Verizon?

Verizon should probably reconsider the purchase of Yahoo, but the reality is that the hack will not stop it. After the breach earlier this year Verizon looked to knock $1 billion off the original price and it is currently evaluating the next steps in the aftermath of the latest one too. But the fact is, shoddy security aside, there is more to Yahoo than just email. The company has valuable IP and an active monthly user base of over one billion – showing that there is still value there. However, it’s clear that both companies will need to work hard on aligning and re-evaluating security processes to start preventing breaches like this occurring in the future.

This year has been a momentous one for cyber security, with hacks getting larger and more complex, but it’s time that organisations start learning from these attacks. Consumers use a service in good faith that their private data will be secure, but time and time again organisations are allowing hackers into their networks. Yahoo isn’t the first company to suffer a breach, and it certainly won’t be the last. Yahoo has certainly been the poster child for cyber security fails, but it’s time that organisations start taking the security of their customers’ data seriously.     


Tyler Moffitt
Tyler Moffitt is a Senior Threat Research Analyst with Webroot, Inc. He is a key member of the Threat Research team, immersed deep within the world of malware and antimalware. He works directly with malware samples, creating antimalware intelligence, and testing in-house tools.