Yahoo! knew it had been compromised by state-sponsored hackers in 2014, despite not publicly disclosing this crucial information until 2016.
The evidence that the company had internal knowledge well before its public admission of the problem in September 2016 comes from a recent SEC filing, in paragraphs covering the investigation of the security breach (extract below).
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the company could not substantiate the hacker's claim. Following this investigation, the company intensified an ongoing broader review of the company's network and data security, including a review of prior access to the company's network by a state-sponsored actor that the company had identified in late 2014. Based on further investigation with an outside forensic expert, the company disclosed the security incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The user account information stolen from Yahoo! in late 2014, relating to at least 500 million accounts, included "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers". "We believe the user account information was stolen by a state-sponsored actor," the internet giant said in its SEC filing. Payment card information was not held on the affected system.
It's unclear how many people within Yahoo! knew about the problems in late 2014.
Neil Fraser, UK Manager at ViaSat, commented: "For whatever reason, it seems Yahoo! has deliberately delayed sharing critical information. It is this which will have the greatest effect not only on customer trust, but ultimately its reputation."
Failure to act when problems first surfaced two years ago has left Yahoo! with problems on multiple fronts. The company faces 23 lawsuits over the security breach. In addition, the breach has cast a shadow over Yahoo's plans to sell itself to Verizon for $4.8 billion.
Yahoo! chief exec Marissa Mayer reportedly clashed with Yahoo! CISO Alex Stamos (who left to become Facebook's security chief in mid-2015) over investment in improved security controls and even over resetting users' passwords. It's easy to be wise after the fact, but what makes this stance even harder to understand is that the 2014 breach was far from unprecedented. Yahoo! also suffered breaches in 2012 and 2009, veteran security watcher Graham Cluley notes. The latter incident was also blamed on state-sponsored hackers from China, who also hit Google as part of "Operation Aurora".
Yahoo!, with the help of outside forensic experts and under the watch of US law enforcement agencies, is continuing to investigate its latest and most high-profile breach. This investigation is continuing to throw up findings of interest to the wider security community, as disclosed in its quarterly 10-Q filing to the SEC.
The forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information.
Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo! user account data. Yahoo! will, with the assistance of its forensic experts, analyze and investigate the hacker's claim that the data is Yahoo! user account data.
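The forged-cookie finding in the 10-Q is worth unpacking for defenders. The usual way an intruder can "create cookies" that bypass the password is by obtaining the server-side secret that authenticates session cookies, after which any session can be minted without ever touching the password store. The mitigation is to rotate that secret and stop honouring cookies signed under the old one. The following is an added illustration, not Yahoo's code and not a description of how Yahoo's cookies actually worked; it assumes a generic HMAC-signed cookie design with key identifiers, and all keys and user names in it are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing keys keyed by a key id ("kid"). A real deployment
# keeps these in a secret store; the point here is that "k1" is assumed to
# have been stolen and "k2" is its replacement after rotation.
KEYS = {
    "k1": b"old-signing-key-constructed-for-demo",
    "k2": b"new-signing-key-constructed-for-demo",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def mint_cookie(user: str, kid: str, expires_at: int, keys=KEYS) -> str:
    """Build a session cookie: base64(payload).base64(HMAC-SHA256(payload)).

    Whoever holds keys[kid] can call this for ANY user without a password,
    which is exactly the failure mode a stolen signing key produces.
    """
    payload = json.dumps(
        {"user": user, "kid": kid, "exp": expires_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(keys[kid], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_cookie(cookie: str, now: int, active_kids, keys=KEYS):
    """Return the user name if the cookie is valid, otherwise None.

    A cookie is only honoured if (1) it parses, (2) its kid is still in the
    active set, (3) the MAC matches under that key and (4) it has not expired.
    Retiring a kid from active_kids invalidates every cookie signed with it.
    """
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        claims = json.loads(payload)
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    kid = claims.get("kid")
    if kid not in active_kids or kid not in keys:
        return None
    expected = hmac.new(keys[kid], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("user")


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the scenario: forged cookie accepted, then killed by rotation."""
    far_future = now + 7 * 24 * 3600
    # Attacker holding the stolen key "k1" mints a cookie for a victim account.
    forged = mint_cookie("victim@example.invalid", "k1", far_future)
    # Tampering with the payload while keeping the old MAC must fail.
    tampered = _b64(b'{"exp":%d,"kid":"k1","user":"admin"}' % far_future) + "." + forged.split(".")[1]
    # After the user re-authenticates post-rotation, the server mints with "k2".
    reissued = mint_cookie("victim@example.invalid", "k2", far_future)
    expired = mint_cookie("victim@example.invalid", "k2", now - 1)
    return {
        "forged_before_rotation": verify_cookie(forged, now, {"k1"}),
        "forged_after_rotation": verify_cookie(forged, now, {"k2"}),
        "tampered": verify_cookie(tampered, now, {"k1"}),
        "reissued_after_rotation": verify_cookie(reissued, now, {"k2"}),
        "expired": verify_cookie(expired, now, {"k2"}),
        "garbage": verify_cookie("not-a-cookie", now, {"k2"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:25s} -> {result}")
```

The design choice that matters is the key identifier in the payload together with a server-side set of active key ids: without it, an operator who suspects key theft has no way to invalidate already-issued cookies short of changing the key and logging everyone out at once, and no way to tell during forensics which key a suspicious cookie was minted under.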
Making a hash of security
Independent security vendors are already asking pointed questions about Yahoo's security response.
Yahoo! was still using cryptography (MD5-based certificate hashes) that had been known to be weak for years beforehand, according to a September 2016 analysis by Venafi Labs of data held on TrustNet, a global database of certificate intelligence. The same data showed that 27 per cent of the certificates on external Yahoo! websites had not been reissued since January 2015, months after hackers were known to have breached its systems.
"Replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organisations cannot be certain that attackers do not have ongoing access to encrypted communications," Venafi Labs argues. ®