Yahoo’s billion user breach could represent the new norm in data security

Yahoo CEO Marissa Mayer. ROBYN BECK / AFP

Today, everything is online. The internet is where people go to book flights, go shopping, complete banking transactions, socialize, and so much more. It has provided a world of profound convenience and happiness for people. The only downside is that we’ve become too comfortable with uploading sensitive information, which has created a field day for data thieves and identity hackers. For instance, Yahoo announced in September 2016 that a massive hack on its network in 2014 saw the data of 500 million of its users breached. Yahoo then announced in December 2016 another breach of more than one billion user accounts that occurred in August 2013, separate and distinct from the previous hack.

"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," California-based Yahoo said in a release after the announcement of its 500 million user breach. "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”

What’s so troubling about Yahoo’s recent announcement is that the company’s chief information security officer, Bob Lord, said the company hasn’t been able to determine how the data from the one billion accounts was stolen. Lord wrote in a post: “We have not been able to identify the intrusion associated with this theft. The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

The Yahoo incident highlights the vulnerability facing even the largest and seemingly most secure organizations around the world. Yahoo was reportedly alerted to the massive breach of accounts by law enforcement and is said to have examined the data with the assistance of outside forensic experts. The hacked data does not appear to include payment details or plaintext passwords, but it’s been reported that the hashing algorithm MD5 is no longer considered secure, which is bad news for account holders.

The MD5 algorithm is a widely used hash function. The algorithm was designed to be used as a cryptographic hash function, but it has been found to suffer from “extensive vulnerabilities”. Some sources say the security of MD5 has been “severely compromised”, with its weaknesses having been exploited in the field.

The Yahoo hack shows just how seemingly innocuous bits of data obtained by cyber-attacks can be leveraged for profit and even potentially for espionage and information warfare. Yahoo’s breach is reportedly the largest on record.

John Dickson, from the security consultancy firm Denim Group, says that while the Yahoo data breached by the cybercriminals is “a bunch of junk,” it still provides the opportunity to create a searchable database with information such as birth dates and phone numbers. For hackers seeking to make a profit or commit industrial or state espionage, the personal data provides a world of opportunity.

Just look at the recent US presidential election hack for proof. One of the accounts hacked was the Gmail account of Clinton campaign chairman John Podesta. Media reports said Podesta was tricked into revealing his password when he received a fake email. These kinds of attacks, according to security analysts, are often well planned and executed by gathering personal information from individuals, such as birth dates, passwords, etc. – the very same information that was hacked from Yahoo’s users.

“If you’re trying to research and get information about a target, you’re going to use everything you can find,” says Dickson, who once was an officer at the Air Force Information Warfare Center. But what was the target of the Yahoo attack? Some believe that the Yahoo hack wasn’t necessarily financially focused. For instance, the Yahoo hackers did not collect credit card or social security numbers, which has led some analysts to the conclusion that there might’ve been motives other than money.

To make things worse, Yahoo is under intense scrutiny after admitting recently that some of its employees were aware of the theft of 500 million users’ data as early as 2014 – years before the company publicly acknowledged what had happened. Yahoo reported that 23 consumer class action lawsuits have been filed in response to the breach. It is too early for the company to estimate monetary damages, but reports suggest that the hack has led to a loss of about $1 million so far.

Yahoo went into more detail about the hack in a filing in which it wrote, “In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the company could not substantiate the hacker’s claim. Following this investigation, the company intensified an ongoing broader review of the company’s network and data security, including a review of prior access to the company’s network by a state-sponsored actor that the company had identified in late 2014.”

News of Yahoo’s breach has been tough for American telecom operator Verizon to swallow. Verizon officially agreed to purchase Yahoo Inc’s core internet business for $4.8 billion in July 2016. Purchasing Yahoo’s operations was expected to boost Verizon’s AOL internet business, which it bought in 2015 for $4.4 billion, by giving it access to Yahoo’s advertising technology tools as well as other assets such as search, mail and messenger.

But when news broke that Yahoo’s user information had been breached, Verizon reportedly asked for a $1 billion discount, which wasn’t disclosed until after the September sale even though Yahoo CEO Marissa Mayer allegedly learned of the breach in July. In a filing, Yahoo said it has formed an independent committee to review “the scope of knowledge within the company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”

The controversy surrounding Yahoo’s data breach plays directly into the paranoia afflicting the United States right now over cybersecurity concerns in the US election campaign and the potential impact of hacked email accounts from people close to Democratic presidential candidate Hillary Clinton. On October 7, 2016, the U.S. government formally accused Russia of trying to “interfere” with the American presidential election, and promised to respond at an undisclosed time and place.

Could data be weaponized as a new tool used by governments to execute specific foreign policy agendas? James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think-tank, said in a blog post, “Espionage and geopolitical manipulation can now be easily achieved through cyber and information warfare from any adversary.”

Scott added: “Now, at least China, Iran, Russia, and Venezuela have funded political propaganda campaigns that digitally weaponized information by spreading disinformation and polarizing content throughout Western nations.” Scott further noted that the breaches affecting Clinton and the Democratic National Committee were “dangerous because they provide a context-less release of information to the public that breeds distrust and resentment.”

There are fears among experts that attackers could mix real data with manipulated information to distort facts, creating further confusion and mistrust. Security firm InfoArmor came forward in September to say its analysis of the first Yahoo breach indicated that “professional” hackers had stolen the data, and had later sold it to a “state entity”. The firm said that the breach “opens the door to significant opportunities for cyber espionage and targeted attacks to occur.”

With data breaches becoming more common around the world, leaders are stepping up to protect their nations from cyber-attacks. Outgoing US President Barack Obama recently called for a broad review to be conducted into the Russian hacking scandal. Meanwhile, Russian President Vladimir Putin has approved a broad-ranging cybersecurity plan that is specifically aimed at bolstering the country’s defenses against cyber-attacks from abroad, and that will also be used to crack down on perceived foreign influence.