Peace_of_mind@yahoo.com is probably the most despised email address to date. Yahoo! recently disclosed a massive data breach of 500 million accounts that happened over the last 2 years and went both undetected and unaddressed. Everything went wrong for Yahoo! in this case.
First, let’s look at the timeline of what happened and why:
- State-sponsored actor “Peace” attacks Yahoo! in 2004
- It is possible that Peace may have exploited a SQL injection vulnerability
- Various Yahoo! sites had an unpatched Blind SQLi vulnerability that was reported back in 2004. This matches the timeline of the attack as reported by Behrouz Sadeghipour.
- This vulnerability allowed remote attackers to inject their own SQL commands into URLs, breach the database, and gain access to users’ personal data
- As pointed out in a Veracode report from 2014, one-third of all applications were attacked using a SQL injection at that time
- The passwords were protected only by simple MD5 hashes, which could be reversed using online lookup tools
- For 2 years, this attack remains undetected by Yahoo!
- 2 months ago, Peace_of_mind uploads 200 Million accounts featuring personal data for 3 bitcoins (~$1,800)
- 3 Bitcoins get you names, emails, telephone numbers, dates of birth, bcrypt password hashes, and unencrypted security questions
- Yahoo! could not confirm or deny the attack for 2 months
- Finally, 2 years after the attack and 2 months after detection, Yahoo! responds with a disclosure of a full data breach
- Yahoo! finally became the largest at something: a data breach of 500 million accounts
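The two technical failures in the timeline above, shown side by side with their fixes. This is an added example, not code from the post or from Yahoo!: the table, emails and passwords are constructed, and PBKDF2 from the standard library stands in for bcrypt, which is not a built-in module.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # work factor for the slow hash (assumed value)


def make_db():
    # Constructed sample table; the columns are illustrative, not Yahoo!'s schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, phone TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "555-0100", md5_store("hunter2")),
        ("bob@example.com", "555-0101", md5_store("letmein")),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # The URL parameter is concatenated into the SQL text, so quote characters
    # in it are parsed as SQL and change what the query does.
    query = "SELECT email, phone FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, email):
    # Bound placeholder: the value travels separately from the statement and is
    # only ever compared as data, whatever characters it contains.
    sql = "SELECT email, phone FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def md5_store(password):
    # Unsalted, fast hash: every user with the same password gets the same
    # digest, so a precomputed lookup table reverses it instantly.
    return hashlib.md5(password.encode()).hexdigest()

def salted_store(password, salt=None):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2 here, in the
    # role bcrypt plays): identical passwords yield different strings and
    # every guess costs ITERATIONS rounds of work.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def salted_verify(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)
```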
What does the Yahoo! data breach mean to you?
If you are a Yahoo! user, your information is up for sale as part of a package costing just $9 per one-million accounts. You should immediately change your Yahoo! password and change all the other passwords relating to your Yahoo! account. Make sure not to reuse passwords across accounts, because anyone holding your Yahoo! credentials can read your email and see which other accounts you use. It’s just as easy for them to use your Yahoo! email ID and password to try to gain access to your bank account or health records.
What does the 500-million-account data breach of Yahoo! mean to your business?
Depending on the nature of your business, your customers may be accessing your portal using their Yahoo! email. Alternatively, they may be communicating with your sales, marketing, or customer support teams using their Yahoo! accounts. Your employees may also be using their Yahoo! password to access your critical infrastructure. A simple scan of a compromised mailbox tells attackers where else the newly acquired Yahoo! emails and passwords might work, giving them a path into your network and critical infrastructure and a way to harm your business.
Again, ask your employees and admins to change their passwords immediately and make sure they understand that their passwords should be different from the ones they use for their Yahoo! accounts.
This is a classic detection and response problem. Yahoo! is a world class technology company that got sold to Verizon for almost $5 Billion. They have the best of toys, tools, and tech, and yet they never realized that they had a vulnerability or that they were attacked 2 years ago. They didn’t even respond immediately after their data was put up for sale on the dark web for just 3 Bitcoins. It took an additional 2 months to confirm that they were attacked, and now it will be a long battle for them to close the issue. In the end, Yahoo! never detected, or had a chance to respond to, the largest security breach in history.
Don’t buy security tools, tech, or toys… what you need is a threat detection and response service – not just another appliance. Come talk to Arctic Wolf to see how you can get a managed detection and response solution from us.
by SRIDHAR KARNAM