The biggest breach in history: questions for Yahoo

October 4, 2016


What could be the largest publicly disclosed cyber-breach in history was exposed last week, as Yahoo revealed that ‘state’ hackers stole data from 500 million users.[1] This included swathes of personal information, including names and email addresses, as well as ‘unencrypted security questions and answers’. While the hack took place in 2014, it has only now been made public, with data on about 8 million UK user accounts believed to have been taken.[2]

According to security firm Venafi, Yahoo is likely to have been a victim of its own encryption, and its security is still poor despite the huge breach that hit the company in 2014.[3] After the breach news, Venafi's Labs team researched the ‘cryptographic posture’ of the external Yahoo websites. Alex Kaplunov, vice president of engineering, stated:

“In our experience major breaches, such as the one suffered by Yahoo, are often accompanied by relatively weak cryptographic controls. To confirm our suspicion, we took an in-depth look at externally facing Yahoo web properties and the details of how these sites use cryptography. We were not surprised to find the encryption practices on these properties to be relatively weak.”[4]

27% of the certificates on external Yahoo websites were found not to have been reissued since January 2015. Reissuing certificates after a breach is described as a ‘critical mitigation practice’, because it is what denies hackers ongoing access to encrypted communications once a breach has occurred.[5] Moreover, a surprising number of Yahoo digital certificates use MD5, a cryptographic hash that has been found to be reversible.[6]
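The two findings above, certificates that were never reissued after a cutoff date and certificates signed with a broken hash, are checks a defender can run over their own certificate inventory. The Go program below is an added example written for this page; it is not Venafi's tooling and not code from the original article. The hostnames, dates and three-certificate inventory are constructed test data, and the program goes one step beyond the text by also flagging a reissued certificate that still carries the old public key, on the assumption that a reissue after a suspected key compromise must rotate the key to be of any use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding records one weakness observed in a certificate.
type Finding struct {
	Subject string
	Issue   string
}

// weakSignatureAlgorithms maps signature algorithms built on broken hashes
// (MD2, MD5, SHA-1) to a short name used in the report.
var weakSignatureAlgorithms = map[x509.SignatureAlgorithm]string{
	x509.MD2WithRSA:    "MD2",
	x509.MD5WithRSA:    "MD5",
	x509.SHA1WithRSA:   "SHA-1",
	x509.DSAWithSHA1:   "SHA-1",
	x509.ECDSAWithSHA1: "SHA-1",
}

// AuditCertificate returns the findings for one certificate: a weak signature
// hash, or an issuance date before reissueCutoff, meaning the certificate (and
// probably its key) was never replaced after the breach window.
func AuditCertificate(cert *x509.Certificate, reissueCutoff time.Time) []Finding {
	var findings []Finding
	cn := cert.Subject.CommonName
	if hash, weak := weakSignatureAlgorithms[cert.SignatureAlgorithm]; weak {
		findings = append(findings, Finding{cn, "signed with " + hash})
	}
	if cert.NotBefore.Before(reissueCutoff) {
		findings = append(findings, Finding{cn, "not reissued since " + reissueCutoff.Format("2006-01-02")})
	}
	return findings
}

// StaleFraction is the share of certificates issued before reissueCutoff,
// the kind of figure reported as 27% for the Yahoo properties.
func StaleFraction(certs []*x509.Certificate, reissueCutoff time.Time) float64 {
	if len(certs) == 0 {
		return 0
	}
	stale := 0
	for _, c := range certs {
		if c.NotBefore.Before(reissueCutoff) {
			stale++
		}
	}
	return float64(stale) / float64(len(certs))
}

// KeyReused reports whether a replacement certificate carries the same public
// key as the one it replaced. Reissuing without rotating the key does not shut
// out an attacker who already holds that key.
func KeyReused(old, replacement *x509.Certificate) bool {
	return bytes.Equal(old.RawSubjectPublicKeyInfo, replacement.RawSubjectPublicKeyInfo)
}

// selfSigned builds a self-signed certificate for cn with the given key and
// issuance date. Constructed test data, not a real Yahoo certificate.
func selfSigned(cn string, key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuditResult summarises a run over the constructed inventory in RunAudit.
type AuditResult struct {
	StaleFraction float64
	WeakHashCount int
	KeyReused     bool
}

// RunAudit builds a constructed three-certificate inventory: one issued in 2014
// and never replaced, one reissued in 2016 but on the same key, and one record
// filled in directly with an MD5 signature (only the algorithm field matters here).
func RunAudit() (AuditResult, error) {
	cutoff := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return AuditResult{}, err
	}
	old, err := selfSigned("stale.example", key, time.Date(2014, 3, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		return AuditResult{}, err
	}
	renewed, err := selfSigned("stale.example", key, time.Date(2016, 9, 26, 0, 0, 0, 0, time.UTC))
	if err != nil {
		return AuditResult{}, err
	}
	md5Cert := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "legacy.example"},
		SignatureAlgorithm: x509.MD5WithRSA,
		NotBefore:          time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC),
	}
	inventory := []*x509.Certificate{old, renewed, md5Cert}

	res := AuditResult{
		StaleFraction: StaleFraction(inventory, cutoff),
		KeyReused:     KeyReused(old, renewed),
	}
	for _, c := range inventory {
		for _, f := range AuditCertificate(c, cutoff) {
			if strings.HasPrefix(f.Issue, "signed with") {
				res.WeakHashCount++
			}
			fmt.Printf("%-16s %s\n", f.Subject, f.Issue)
		}
	}
	return res, nil
}

func main() {
	res, err := RunAudit()
	if err != nil {
		panic(err)
	}
	fmt.Printf("stale: %.0f%%  weak hashes: %d  key reused on reissue: %v\n",
		100*res.StaleFraction, res.WeakHashCount, res.KeyReused)
}
```

To run the same checks against live hosts, feed the certificates returned by a TLS connection's `ConnectionState().PeerCertificates` into `AuditCertificate` instead of the constructed inventory. `NotBefore` is only a proxy for "reissued": it says when the certificate was cut, not whether the key changed, which is why `KeyReused` compares the raw SubjectPublicKeyInfo of the old and new certificate rather than trusting the dates.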

Questions for Yahoo abound: how did the hack happen? How long after the hack did Yahoo take to investigate it? How much did it know while in discussions with Verizon? However, this is far from the only data breach to hit a major company. The list of cyber victims among large companies in the last 12 months alone is staggering: TalkTalk, Ashley Madison, LinkedIn, Dropbox.

A reasonable assumption consumers make is that large companies will have invested heavily in the most cutting-edge technology to protect their privacy and data security. The failure of flagship tech companies to meet such standards is concerning. The Yahoo hack does not just erode confidence among its own customers; it undermines trust in large tech companies overall.

[1] ‘Yahoo ‘state’ hackers stole data from 500 million users’, BBC News website, 23 September 2016, http://www.bbc.co.uk/news/world-us-canada-37447016

[2] Ibid.

[3] Venafi Blog, Venafi website, 25 September 2016, https://www.venafi.com/blog/yahoo-data-breach-and-weak-cryptographic-controls

[4] Ibid.

[5] Ibid.

[6] Ibid.