Uh oh, Yahoo May Have Been COMPLETELY Pwned

We predicted this would happen on September 23rd, when the news broke that Yahoo had lost "at least" 500 million credentials. Just for a change, I'm quoting myself here: :-D

"Right, that is how it usually goes. This whole disclosure smells like a professional crisis-handling exercise. Later, after more breach-investigation, they disclose that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of the discovery."

Well, as expected, it's worse. Much worse.

Business Insider reported: "The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices.

'I believe it to be bigger than what's being reported,' the executive, who no longer works for the company but claims to be in frequent contact with employees still there, including those investigating the breach, told Business Insider. 'How they came up with 500 is a mystery.'

To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion.

According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then go to this one central place to ensure they are legitimate, allowing them access.

In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion. 'That is what got compromised,' the executive said. 'The core crown jewels of Yahoo customer credentials.'"

Yahoo could have reset passwords years ago, but decided not to

A report published by the New York Times details how the company did not reset its users' passwords after the breach because of decisions made by CEO Marissa Mayer, who prioritized developing new products over security improvements. Here is a quote:

"The 'Paranoids,' the internal name for Yahoo's security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company's products."

If Yahoo had reset the passwords of the affected (or all) accounts, security measures could have been taken to better protect those users against phishing attacks by Eastern European criminal hackers.

Epic Fail.

Then I was sent these excellent recommendations written by Chief Inspector Rudolf Friederich, who retired from the U.S. Marshals Service after a 25-year federal law enforcement career and now works as a domestic and international security consultant. What he wrote is sound advice!

"Hopefully as security professionals you have been generally monitoring the Yahoo! breach situation. 500,000,000 records. And that's what's being reported now. My experience is that this base number of records breached always rises over time.

Many of us have had a Yahoo! account in the past - in fact, some folks still do. I have several friends in [a European country], for example, who use Yahoo! e-mail. Yahoo! was out there before Gmail, and years ago was one of the main 'go to' free e-mail service providers. We may have closed out our account - or even left it sort of just hanging out there unused - but we had that account.

If you are a security professional with clients / protectees - not to mention any personal effect this breach could have on you - and if you send out security communiques to your clients / protectees, there are some things to keep in mind:

- There is no indication that this breach does not affect closed accounts. It would be unwise to assume that your closed account was still not able to be accessed. So assume you are affected if you have ever 'Yahooed.'

- If you maintain an active Yahoo! account, immediately change your password AND your security questions as the case may be. The compromise of the security questions may be the long term biggest negative effect of this breach. (Obviously if you have a closed account, you will not be able to change either the password or the security questions.)

- If you are one of those people who uses the same password over multiple accounts then, aside from already knowing you are wrong for doing so, you need to immediately change the passwords and security related questions / data for those other accounts - even if your Yahoo! account has not been active for years. Obviously some security questions require a fixed answer - such as mother's maiden name - unless you have been savvy enough to have created faux names. I have done so for certain accounts over the years. You can pick the name of a street perpendicular to one you lived on, or the last name of your best childhood friend, or the last name of a school you went to or whatever. Although not perfect, any of those are probably safer nowadays than using the real maiden name of your mom if any organization still uses such as a mandatory security question.

- Another issue is that any phone numbers or other e-mail addresses you associated your Yahoo! account with are likely also compromised. That gives hackers other avenues to try and get at you via, even if your Yahoo! account has been closed.

- A smart hacker will try to send out phishing e-mails to other e-mail service providers using the same ID you had for Yahoo!. The e-mail address characters I have for Gmail and Hotmail are the same ones I used for Yahoo!. If my Yahoo! account has been compromised - which I assume it has been - it has the same e-mail address characters as my current Gmail and Hotmail e-mail addresses. So the risk of very targeted phishing e-mails to these other addresses has increased.

- If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS phishing (a.k.a. Smishing) is now an enhanced possibility. And if you, unfortunately for you, use an Android device, then you had better be very wary of Smishes.

- If you have an active Yahoo! account and hackers control the account, and if you have used that account as your signup account for banking, Amazon, 401K, credit card issuers, Zappos, whatever, then hackers can use that information to reset the password to those accounts to whatever they want it to be. And then go to work on your account.

- In fact if you have an active Yahoo! account you should get rid of it. But not before you clean it out. If you have used it for business or questionable personal activity, you better clean out all the folders. They may be compromised or they may not be. The contents may have already been accessed or they may not have. Speed in damage minimization may put you on the positive side of the fence. But if a hacker has accessed your Yahoo! account and you have damaging e-mails inside it, you could now be an extortion target. You will also want to check the account settings to ensure associated e-mail addresses and phone numbers have not been changed. That could potentially give a hacker a continuous route into your Yahoo! account.

- If business associates are accustomed to receiving e-mails from you using your Yahoo! account, then they are at risk of being phished. If they are communicating with your Yahoo! account against agency or company policy, and a breach occurs, they can expect to get fired or otherwise 'jammed up.'

- Even your contacts info is of value to a hacker as they can then add all those people to their list of potential phishing or extortion victims. This includes their mobile device phone numbers.

- If you don't change the password of an active Yahoo! account, then you must assume there is going to be dual access going on: you and a hacker. Modern detection techniques may alleviate this concern, but I would not want to risk a lot on such an assumption. Some e-mail services will tell you when you last logged on. If you haven't used your Yahoo! account in 6 months, but when you log in you see the last log-in was 2 weeks ago, then you know you have a problem.

- We can all imagine other scenarios that the contents of a compromised Yahoo! account can lead to."

Courtesy Marshal Security Concepts LLC
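The two checks the letter recommends for an account you have not used in a while, comparing the recorded logins against the time you last used the account yourself and comparing the recovery e-mail and phone against what you originally set, can be run over an activity history rather than eyeballed. The script below is an added example; it is not code from this post or from Marshal Security Concepts, the `<timestamp> <event> key=value` export format is invented for illustration, and the sample events, IP addresses and recovery values are constructed.

```python
"""Spot signs of dual access in an account activity export.

Added example (not code from the original post or from Marshal Security
Concepts): the export line format below is invented for illustration, and
SAMPLE_ACTIVITY is constructed data. The check is the one the letter
describes: a login recorded while you were not using the account means
someone else was, and the recovery e-mail/phone should match what you set.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export. Each line: "<ISO timestamp> <event kind> key=value ..."
SAMPLE_ACTIVITY = """\
2016-03-02T09:14:00 login ip=198.51.100.7 device=laptop
2016-03-02T09:20:00 settings recovery_phone=+1-555-0100
2016-09-14T03:41:00 login ip=203.0.113.45 device=unknown
2016-09-14T03:44:00 settings recovery_email=unexpected@example.net
"""


@dataclass
class Event:
    when: datetime
    kind: str          # "login" or "settings"
    detail: dict       # parsed key=value pairs


@dataclass
class Finding:
    when: datetime
    severity: str      # "high" or "medium"
    reason: str
    gap_days: int      # days between the owner's last use and this event


def parse_activity(text: str) -> list[Event]:
    """Parse the constructed export format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, *pairs = line.split()
        detail = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(stamp), kind, detail))
    return sorted(events, key=lambda e: e.when)


def check_dormant_account(events, owner_last_use, now, known_ips, known_recovery):
    """Flag activity that happened while the owner was not using the account.

    owner_last_use: when the owner last used the account themselves.
    now: the moment the owner logs back in and reviews the history.
    known_ips: addresses the owner recognises as their own.
    known_recovery: the recovery settings the owner originally configured.
    """
    findings = []
    for ev in events:
        if not (owner_last_use < ev.when <= now):
            continue  # outside the dormancy window: the owner was active then
        gap = (ev.when - owner_last_use).days
        if ev.kind == "login":
            ip = ev.detail.get("ip", "?")
            if ip in known_ips:
                findings.append(Finding(ev.when, "medium",
                                        f"login from a known address ({ip}) while the account was unused", gap))
            else:
                findings.append(Finding(ev.when, "high",
                                        f"login from an unrecognised address ({ip}) while the account was unused", gap))
        elif ev.kind == "settings":
            for key, value in ev.detail.items():
                if key.startswith("recovery_") and known_recovery.get(key) != value:
                    findings.append(Finding(ev.when, "high",
                                            f"{key} changed to {value!r}, expected {known_recovery.get(key)!r}", gap))
    return findings


def run_sample():
    """Run the check over the constructed export; returns the findings."""
    events = parse_activity(SAMPLE_ACTIVITY)
    return check_dormant_account(
        events,
        owner_last_use=datetime(2016, 3, 2, 10, 0),   # owner's last session ended here
        now=datetime(2016, 9, 28, 18, 0),             # owner logs back in today
        known_ips={"198.51.100.7"},
        known_recovery={"recovery_phone": "+1-555-0100", "recovery_email": "owner@example.org"},
    )


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.when:%Y-%m-%d %H:%M} (+{f.gap_days}d) {f.reason}")
```

On the constructed data this reports a high-severity login from an unrecognised address 195 days after the owner's last use, and a recovery e-mail that no longer matches the one the owner set; the settings change recorded during the owner's own last session is ignored because it falls before the dormancy window. Any login at all in that window is worth a look, which is why a login from a known address is still reported, at a lower severity.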
