“State sponsored actor” Steals 500 Million Yahoo Accounts

Douglas Crawford


September 23, 2016

Yahoo yesterday announced that in 2014 account details belonging to a huge number of its users were stolen by hackers,

We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor.

The breach initially came to light in August, when a well-known hacker named “Peace” tried to sell information belonging to 200 million Yahoo accounts on the dark web. The asking price was a fairly modest $1,800.

It is now understood that some 500 million accounts have been compromised.

What was stolen?

“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

Most of this information is fairly pedestrian, and should not present any major threat to affected Yahoo customers. Importantly,

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

What does hashed with bcrypt mean?

The biggest potential worry is that passwords were stolen. This means that criminal hackers might gain access to your Yahoo account. Worse, however, is that the widespread practice of reusing passwords across multiple accounts means these passwords could be used to compromise more valuable accounts (such as online bank accounts).

It is fortunate, then, that the stolen passwords appear to have been hashed using the bcrypt password hashing function.

“Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters. As such, passwords that have been hashed can’t be converted into the original plain text password.”

This last statement may be a little optimistic, however. bcrypt is extremely well-regarded in the security community. It is a very slow hashing function that uses random salt to increase the difficulty of reversing the hash in order to obtain passwords in cleartext.

[Image: SHA-1 encryption]

This means that it is very unlikely (to the point of being impossible) that hackers could mass convert the hashed passwords into plaintext ones. It may still be possible, however, to crack individual password hashes.
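The two properties the article credits bcrypt with, a random per-password salt and a deliberately slow cost, are shown below in an added example (not code from Yahoo or the article). bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in with the same two properties; the record format, the iteration count and the rehash-on-login step are my own choices.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here. Like bcrypt it takes a
# random per-password salt and a tunable cost (an iteration count) that makes each
# guess slow, so a stolen table cannot be mass-converted back to plaintext.
CURRENT_ITERATIONS = 300_000  # cost parameter; raise it as hardware gets faster


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # fresh random salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True if the record was made with a weaker cost than is now required."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < CURRENT_ITERATIONS


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify the password and, on success, transparently upgrade an old-cost hash.

    This is how a site moves legacy records (the article notes not every Yahoo
    hash was bcrypt) to the current scheme without ever storing the plaintext.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```

The cost only slows guessing; a weak or reused password still falls to a short dictionary, which is why the article's later advice on unique strong passwords matters.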

So what is Yahoo doing about it?

As a precaution, Yahoo is advising all customers who have not changed their passwords since 2014 to do so… now! It has also invalidated any unencrypted security questions and answers used to recover account details.

Yahoo says that an investigation is ongoing, but that it has “found no evidence that the state-sponsored actor is currently in Yahoo’s network.”

In addition to this “ongoing investigation,” Yahoo is cooperating with unspecified law enforcement authorities. The FBI has confirmed that it is involved in this process.

A state sponsored actor?

Yahoo has not explained why it believes the hack was performed “by what we believe is a state-sponsored actor”. That is, an individual acting for political, rather than financial motives. Indeed, the fact that “Peace” tried to sell the data online seems to rather undermine this notion.

Reuters, however, reports that,

“Three U.S. intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.”

So who knows?

A bad time for Yahoo

Questions are also being asked about why it took Yahoo so long to report the crime. It may well be that it was unaware of the hack until Peace began to sell the information in July this year.

Others, however, have noted that Yahoo was sold to US telecoms giant Verizon in July for $4.8bn. This may have forced Yahoo’s hand. As Nikki Parker, vice-president at security company Covata, told the BBC,

“Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can’t shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem. Let’s hope the ink is dry on the contract with Verizon.”

So what can you do to protect your data?

If you are a Yahoo user, then you should change your old password, as advised. Yahoo also advises users to set up a Yahoo Account Key, which removes the need for passwords altogether.

Use a password manager

As already noted, however, the biggest danger with such data breaches is that far too many people reuse passwords across multiple accounts. This means that if a password is stolen from one account, it can be used to access all your other ones. Needless to say, this is not good.

The solution is to use a different password for each account. This should be a strong password which uses a long random string of mixed capital and non-capital alphanumerics and symbols.

Of course, remembering just one such password is almost impossible, let alone one for each account you use! This is where a good password manager comes in. These can generate strong unique passwords for every service you use, and automate entering them as required.

Passwords can also be synced across devices, so you need never remember more than just one (your master password). Just make sure to make your master password (or better yet, passphrase) a good one, but one that you won’t forget!

Please check out my list of 5 Best Password Managers for some of the best password manager options available.

Use 2-factor authentication

One-factor authentication requires a single step to verify your identity, such as knowing your username and password. 2FA provides another layer of protection against hackers by also requiring you to have something.

A common example of this something is your smartphone. In addition to entering your login details, you must also enter a code that is sent by text to a phone number that has been verified as belonging to you. A more mundane example of 2FA that most of us are familiar with is visiting a cash-point. In order to withdraw cash you need something you know (your PIN) and something you have (your card).

By requiring proof of “what you know” and “what you have”, two-factor authentication greatly improves security. If 2FA is available, then you should always take advantage of it, and going forward, hopefully more services will start supporting 2FA.
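The “code sent by text” check described above has a server-side half that a service must get right: the code is random, short-lived, single-use and limited to a few guesses. The following is an added example of that half (not Yahoo's code and not from the article); the delivery of the text message itself, the five-minute lifetime and the three-attempt limit are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes after issue
MAX_ATTEMPTS = 3        # assumption: a code dies after this many wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactor:
    """Server-side state for SMS-style one-time codes (sending the SMS is out of scope)."""
    pending: dict = field(default_factory=dict)

    def issue(self, user: str, now: float) -> str:
        # Six digits from a CSPRNG: a blind guess has a 1-in-1,000,000 chance per attempt,
        # and MAX_ATTEMPTS keeps an attacker from turning that into a brute force.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingCode(code, now)
        return code  # what would be sent by text to the user's verified phone number

    def verify(self, user: str, submitted: str, now: float) -> bool:
        entry = self.pending.get(user)
        if entry is None or entry.used:
            return False                 # nothing outstanding, or already consumed
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]       # expired: the user must request a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                 # too many guesses; this code is dead
        entry.attempts += 1
        if hmac.compare_digest(entry.code, submitted):  # constant-time comparison
            entry.used = True            # single use: replaying the same code fails
            return True
        return False
```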
