

In a securities filing on Wednesday, Yahoo said some of its employees knew that a “state-sponsored actor” had broken into its network two years ago.

This was the attack that led to the theft of data such as names, dates of birth and passwords associated with more than 500 million accounts. It is considered to be one of the largest data breaches ever to affect a private company.

The company did not state whether, at the time, this attack was disclosed to senior management.

Yahoo first revealed a data breach had taken place on 22 September this year. It said the hack was discovered while investigating a hacker’s claim of possessing some Yahoo user data.

The Yahoo filing also said that the company was investigating “certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
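What a forged cookie means in practice, as an added example that is not part of the original report and does not describe Yahoo's actual cookie format (the filing gives none): most web frameworks issue a session cookie that is a payload signed with a server-side key, and whoever holds that key can mint a valid cookie for any account without ever seeing a password. The key names, account names and fixed clock below are constructed for the demonstration.

```python
# Added example (not Yahoo's code): an HMAC-signed session cookie of the kind
# many web frameworks issue, and why possession of the server's signing key
# lets an intruder mint a valid cookie for any account without a password.
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets for the demo; a real deployment loads these from a KMS.
SIGNING_KEY_V1 = b"constructed-key-v1-taken-in-breach"
SIGNING_KEY_V2 = b"constructed-key-v2-issued-after-rotation"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id, key, ttl=3600, now=None):
    """Build 'payload.signature' where signature = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"uid": user_id, "exp": int(now) + ttl}).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_cookie(cookie, key, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare: a plain == leaks the signature through timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed cookie, base64 or JSON (binascii.Error is a ValueError)
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def demo():
    t0 = 1_480_000_000  # fixed clock so the result is reproducible
    # The intruder never logs in: with the taken key they sign a cookie for a victim.
    forged = mint_cookie("victim@example.com", SIGNING_KEY_V1, now=t0)
    accepted_before = verify_cookie(forged, SIGNING_KEY_V1, now=t0)
    # Rotating the signing key invalidates every cookie minted under the old one.
    accepted_after = verify_cookie(forged, SIGNING_KEY_V2, now=t0)
    # Changing the payload without the key is detected by the signature check.
    _payload, sig = forged.split(".", 1)
    tampered = _b64(json.dumps({"uid": "admin@example.com", "exp": t0 + 3600}).encode()) + "." + sig
    tampered_ok = verify_cookie(tampered, SIGNING_KEY_V1, now=t0)
    return accepted_before, accepted_after, tampered_ok


if __name__ == "__main__":
    print(demo())  # ('victim@example.com', None, None)
```

Two consequences follow for incident response. Forcing password resets does nothing against an attacker who holds the signing key, so the key has to be rotated and every outstanding session invalidated; and a cookie scheme like this only tells the server that the cookie was signed by someone with the key, not that the user authenticated, which is why a compromise of the key is equivalent to a compromise of every account.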

The company plans to sell its internet operations to Verizon for $4.8 billion. Pinning down whether employees knew about the attack, and when they found out, has therefore become a priority for the deal to be carried through.

The deal with Verizon had been agreed a couple of months before the data breach was made public, and Verizon is likely to want to learn more about how the breach happened and how it was dealt with.

31/10/2016: EU data watchdogs demand answers about Yahoo hack

Europe’s data watchdogs have expressed concerns over Yahoo’s alleged systematic email surveillance and the leak of 500 million user credentials.

In a letter delivered to the US email provider last Thursday, the Article 29 Data Protection Working Party (WP29) described the 2014 data breach, which only emerged in September, as “deeply concerning”, and said it is duty-bound to protect “the significant number of EU data subjects” who may have been affected.

“It is of the utmost importance that Yahoo devote significant resources to understand, communicate and address all aspects of this unprecedented data breach and notify the adverse effects to the data subjects using the services that your company provides,” said the letter from the WP29, which brings together the data protection regulators of the EU member states.

“This must be carried out in a quick, comprehensive and easily understood manner, so that Yahoo users across Europe will understand any action they need to take as a result of the breach,” added the WP29.

It urged Yahoo to cooperate fully with any investigations and queries, and deliver specific information which is “of interest” to the authority. This includes the content of the data, consequences of the 2014 breach and the number of people affected in each European country.

The letter, signed by chairwoman Isabelle Falque-Pierrotin, also addressed the “concerning” mass surveillance Yahoo allegedly conducted, with the firm accused of running a systematic search of all incoming user emails at the request of the US government.

“It will be important to understand the legal basis and justification for any such surveillance activity,” said the letter, “…including an explanation of how this is compatible with EU law and the protection of EU citizens.”

“We are aware of the letter from the Article 29 Data Protection Working Party and will work to respond as appropriate,” said a Yahoo spokesperson, in an email to IT Pro.

The EU privacy group also delivered a letter to WhatsApp on Friday, expressing “serious concerns” over the way the messaging app handles its users’ private data. The letter urged WhatsApp to halt all plans to share data with its parent company Facebook, until “appropriate legal protections can be assured.”

19/10/2016: Yahoo profits bloom despite hack

Yahoo’s quarterly profits were better than analysts had anticipated, despite the company’s recently-revealed hack of 500 million people’s account details.

The data breached during the hack included customers’ names, email addresses, telephone numbers, personal details and passwords, according to Yahoo CISO Bob Lord.

Verizon, which is looking to buy Yahoo for $4.83 billion, expressed concerns last week, saying that the hack could have a material impact on the deal.

However, Tuesday’s quarterly results showed that the hack had no major effect on the number of Yahoo users. Yahoo said the results actually showed growth in page views and email account usage.

Contrary to expectations, Yahoo’s quarterly profits more than doubled, reaching $163 million. Yahoo CEO Marissa Mayer said: “We launched several new products and showed solid financial performance across the board.”

As Yahoo continues to lose share within the digital advertising market, these positive financial results could be due to a good cost management strategy.

Analysts are still unsure as to whether Verizon’s acquisition of Yahoo will still go ahead. Although most don’t expect the deal to be entirely cancelled due to the hack, the price and contract terms of it could be renegotiated.

Mayer said: “In addition to our continued efforts to strengthen our business, we are busy preparing for integration with Verizon. To that end, we take deep responsibility in protecting our users and the security of their information. We’re working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends.”

11/10/2016: Yahoo disables email forwarding

Users of Yahoo mail are unable to forward emails to external accounts, as the feature has been “temporarily disabled”.

According to a brief post on its support forums, Yahoo has blocked users from using the ‘automatic forwarding’ function as they work to develop the feature further.

Users would normally be able to have copies of their incoming messages sent automatically to other accounts such as Hotmail or Gmail. However, users began complaining at the beginning of the month that this feature had been blocked, according to the Associated Press.

Yahoo said in the post: “This feature is under development. While we work to improve it, we’ve temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses.”

Yahoo user Brian McIntosh said forwarding has been “a basic concept for 15 years for just about every email provider out there. All of a sudden it’s under development, and only at Yahoo”, speaking to the Associated Press.

“That all this has ceased to function when they have been getting a lot of press seems extremely dubious to me,” added McIntosh.

In September Yahoo revealed a record-breaking hack of personal information, affecting at least 500 million customers in 2014.

More recently the company was found to have secretly built custom software to scan emails, allowing the US government to conduct surveillance on its users’ emails.

IT Pro approached Yahoo to ask why it has disabled this function and if it was related to the data breach, but we have yet to receive a reply.

What is certainly true is that this move makes it more difficult for users to move to other email accounts, something that is likely happening on a large scale right now.

27/09/2016: Yahoo ‘using unsecure certificates’

Yahoo hasn’t taken the necessary steps to patch security holes that could leave customers open to further hacks, it has been claimed.

Security firm Venafi Labs carried out research on Yahoo’s use of cryptographic systems and security certificates and found some troubling results.

According to the firm, which used a combination of its own data and data from global certificate intelligence database TrustNet, 27% of certificates on external Yahoo sites haven’t been reissued since the beginning of last year.

This is despite reissuing certificates, with fresh private keys, being a common and critical step after a breach, so that any keys the intruders may have taken can no longer be used to impersonate the company’s sites or intercept traffic to them.

Venafi has also claimed that, based on its research, Yahoo may not have the ability to find and replace digital certificates quickly, as only 2.5% of those in use have been issued within the past three months.

The company has also accused Yahoo of using outdated and insecure hash functions in its certificates, in particular MD5 and SHA-1. MD5 collisions have been exploited in the wild: the Flame malware used one to forge a Microsoft code-signing certificate. SHA-1 certificates, meanwhile, will no longer be accepted by most major browsers as of January 2017.
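The checks behind the figures Venafi quotes, as an added example (mine, not Venafi’s or Yahoo’s code) run over a constructed inventory of eight hosts. The cutoff date matches the article’s “beginning of last year” (1 January 2015) and the scan date its publication date; in practice the records would come from an internal certificate inventory or a TLS scan of the organisation’s external hosts.

```python
# Added example (not Venafi's or Yahoo's code): certificate-hygiene checks of
# the kind behind the percentages quoted above, run over a constructed inventory.
from datetime import date

# Signature hashes a browser or auditor treats as broken (MD5) or deprecated (SHA-1).
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}

# Constructed inventory: (hostname, notBefore date, signature algorithm).
INVENTORY = [
    ("mail.example.com", date(2016, 8, 1), "sha256WithRSAEncryption"),
    ("login.example.com", date(2016, 4, 10), "sha256WithRSAEncryption"),
    ("legacy.example.com", date(2014, 6, 20), "sha1WithRSAEncryption"),
    ("api.example.com", date(2013, 11, 2), "md5WithRSAEncryption"),
    ("cdn.example.com", date(2015, 2, 14), "sha256WithRSAEncryption"),
    ("static.example.com", date(2015, 3, 9), "sha256WithRSAEncryption"),
    ("img.example.com", date(2016, 7, 15), "sha256WithRSAEncryption"),
    ("ads.example.com", date(2016, 1, 5), "sha1WithRSAEncryption"),
]


def hash_of(sig_alg):
    """'sha1WithRSAEncryption' -> 'sha1', 'ecdsa-with-SHA256' -> 'sha256'."""
    alg = sig_alg.lower()
    for h in ("sha512", "sha384", "sha256", "sha1", "md5"):
        if h in alg:
            return h
    return "unknown"


def audit(inventory, today, breach_cutoff, recent_days=90):
    """Return per-host findings plus the two fleet-level percentages:
    share of certificates not reissued since the cutoff, and share issued
    within the last `recent_days` (a proxy for how fast the fleet can rotate)."""
    findings = {}
    stale = recent = 0
    for host, issued, sig_alg in inventory:
        reasons = []
        if hash_of(sig_alg) in WEAK_SIGNATURE_HASHES:
            reasons.append(f"weak signature hash {hash_of(sig_alg)}")
        if issued < breach_cutoff:
            reasons.append(f"not reissued since {breach_cutoff.isoformat()}")
            stale += 1
        if (today - issued).days <= recent_days:
            recent += 1
        findings[host] = reasons
    n = len(inventory)
    return {
        "findings": findings,
        "pct_not_reissued": round(100 * stale / n, 1),
        "pct_issued_last_90d": round(100 * recent / n, 1),
    }


def demo():
    # Scan date and cutoff chosen to match the article: 27 Sept 2016 and 1 Jan 2015.
    return audit(INVENTORY, today=date(2016, 9, 27), breach_cutoff=date(2015, 1, 1))


if __name__ == "__main__":
    result = demo()
    for host, reasons in result["findings"].items():
        print(host, "; ".join(reasons) or "ok")
    print(result["pct_not_reissued"], "% not reissued;", result["pct_issued_last_90d"], "% issued in last 90 days")
```

Two caveats a practitioner would add. The `notBefore` date says when the certificate was issued, not whether the private key changed; a certificate reissued over the same key pair is no defence if that key was taken, so this check should be paired with one that the public key differs from the previous certificate’s. And the signature hash flagged here is the CA’s signature on the certificate, which is what browsers stop accepting for SHA-1 in 2017; the cipher suites the host negotiates are a separate check.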

Hari Nair, director of product management and cryptographic researcher for Venafi, said: “Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication. Collectively, they pose serious questions about whether Yahoo has the visibility and technology necessary to protect encrypted communications and ensure its customers’ privacy.

“Our research has led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture.”

A source familiar with the matter told IT Pro: “The vast majority of hashed passwords stolen by what we believe was a state-sponsored actor are bcrypt protected, and only a small percentage of passwords are protected with MD5.

“As we said, we’re notifying potentially affected users and we’ve taken steps to secure their accounts, including recommending that users who haven’t changed their passwords since 2014 do so.”
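The distinction the source draws between bcrypt and MD5 is the whole difference between a dump that is crackable in minutes and one that costs the attacker real work. The added example below (mine, not Yahoo’s code) shows why: PBKDF2 from Python’s standard library stands in for bcrypt, since what matters is the same, a per-user salt and a tunable work factor. The wordlist, account names and “leaked” hashes are constructed for the demonstration.

```python
# Added example (not Yahoo's code): why an unsalted MD5 password table falls
# to a wordlist almost for free, and what a salted, iterated hash changes.
# hashlib.pbkdf2_hmac stands in for bcrypt because it ships with Python; the
# properties that matter are the same: a per-user salt and a tunable work factor.
import hashlib
import hmac
import secrets
import time

# Constructed wordlist and "leaked" unsalted MD5 hashes for the demo.
WORDLIST = ["password", "123456", "qwerty", "letmein", "yahoo2014", "sunshine"]
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"yahoo2014").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correct horse battery").hexdigest(),
}

ITERATIONS = 100_000  # demo value; in production tune so one hash costs ~100 ms


def crack_md5(hashes, wordlist):
    """One MD5 per candidate word recovers every matching hash in the table:
    with no salt, equal passwords share a hash and the whole dump is attacked
    at once, so the cost is len(wordlist), not len(wordlist) * len(users)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$dk' with a fresh 16-byte salt."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, wordlist):
    """Every user has a different salt, so the attacker pays ITERATIONS hash
    computations per (user, candidate) pair and cannot share work across users."""
    found = {}
    for user, rec in stored.items():
        for w in wordlist:
            if verify_password(w, rec):
                found[user] = w
                break
    return found


def demo():
    md5_found = crack_md5(LEAKED_MD5, WORDLIST)  # alice and bob; carol's passphrase is not in the list
    stored = {u: hash_password(p) for u, p in
              [("alice@example.com", "yahoo2014"), ("bob@example.com", "letmein")]}
    t = time.perf_counter()
    # Still found: a slow hash raises the price of guessing, it does not fix weak passwords.
    pbkdf2_found = crack_pbkdf2(stored, WORDLIST)
    elapsed = time.perf_counter() - t
    # Worst-case hash evaluations the attacker must perform with each scheme.
    md5_work = len(WORDLIST)
    pbkdf2_work = len(stored) * len(WORDLIST) * ITERATIONS
    return md5_found, pbkdf2_found, pbkdf2_work // md5_work, elapsed


if __name__ == "__main__":
    found, found2, ratio, secs = demo()
    print(found, found2, f"{ratio}x more hash work, {secs:.2f}s for two weak passwords")
```

The two runs recover the same weak passwords, which is the honest lesson: a salted, iterated hash multiplies the attacker’s cost by the work factor and by the number of users, but it does not rescue a password that sits near the top of every wordlist. That is why the advice to change passwords applies even to the bcrypt-protected majority.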

23/09/2016: Yahoo hack: 500 million people’s account details stolen ‘by nation state hacker’

Yahoo has confirmed that at least 500 million people’s account details were stolen by a state-sponsored hacker.

The data breach included people’s names, email addresses, telephone numbers, dates of birth, hashed passwords and even security questions and answers, Yahoo CISO Bob Lord explained.

The search giant, which said the hack took place in late 2014, does not believe the stolen data included any credit card details, unprotected passwords or bank account information.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” Lord said in a post on Tumblr. “Yahoo is working closely with law enforcement on this matter.”

News of the hack first emerged yesterday from Recode, but it is not yet clear whether the stolen account details are related to a data dump of 200 million Yahoo accounts put up for sale on the dark web last month.

The hacker who collated them and put them up for sale online, going by the moniker Peace, said those details were from “2012, most likely”.

Yahoo is now in the process of notifying customers who may be affected, and asking them to change their passwords, or use different methods of confirming their identity.

It has invalidated any unencrypted security Q&As and urged customers to use its Yahoo Account Key, a two-factor sign-in method it first rolled out in March this year, that sends a push notification to a user’s smartphone when they need to log into their email. 

The huge batch of exposed passwords dwarfs Dropbox’s 68 million credentials, which were leaked online in August after a hack in 2012 and led Dropbox, too, to urge users to change their passwords.

Lord added: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

22/09/2016: Yahoo expected to confirm massive data breach

Yahoo has been hit by a massive data breach, according to leaked reports, which the company is expected to confirm later today.

Sources told Recode‘s Kara Swisher – long a top source for Yahoo news – that the hack affects several hundred million users, calling it “widespread and serious”.

The hack comes at an awkward time for Yahoo, which is selling much of its business – including customer data – to Verizon as part of a $4.8 billion deal.

Details are scarce as Yahoo has yet to confirm the attack, but it appears the security breach is related to the apparent leak of 200 million accounts earlier this year by a hacker known as “Peace”. Yahoo at the time did not confirm whether that hack was legitimate, merely stating it was “aware” of the incident.

IT Pro asked Yahoo for confirmation of the attack, but has yet to hear back. However, users have started to see messages prompting them to change their passwords.

Nikki Parker, vice president at security firm Covata, criticised Yahoo’s security measures. “In this case, last month, the hacker claimed that the data was hashed with a MD5 algorithm, coding that simply isn’t robust enough to secure data,” Parker said in a statement. “You’d hope that Yahoo would’ve since thought about adopting more advanced encryption technology that secures data in individual pieces rather than in large sets, as well as empowering it to rigorously control access.”

Parker claimed that Yahoo’s slow response was “surprising”, adding: “It should have encouraged customers to change their passwords and now, potentially, more than 200 million people are at risk and have been for some time.”

If the hack is indeed confirmed, CensorNet’s CEO Ed Macnair said the usual advice applies. “Change your username and passwords across sites and with business accounts,” he said in a statement.

“Not only is personal data at risk here, but people often use such logins at work. That is always a huge issue for companies. Everyone should stay vigilant to suspicious activity and, it would be advisable to get some new passwords ready – just in case.”