The records of more than one billion Yahoo users, secretly stolen from the site in 2013 but only brought to the world’s attention this month, have reportedly been sold on the computer underground.
InfoArmor’s Andrew Komarov told the New York Times that his firm has uncovered that the valuable data has been sold to three buyers – “two known spammers and an entity that appeared more interested in espionage”, the paper reports – for about US $300,000 each.
That means, if you are an affected Yahoo user, that personal information (including your backup email addresses, security questions & answers, and – potentially – passwords) are in the hands of criminals.
At the very least, the information could be used by online criminals to distribute spam messages, launch phishing attacks designed to steal credentials from users, or infect recipients’ computers with malware.
If the data fell into the wrong hands it could also be used for targeted attacks against specific individuals or organisations, potentially for covert surveillance.
The fact that many users also had their security questions stolen is a point that many commentators have ignored, but is potentially a significant threat. We often talk about the importance of using different passwords on different websites, but it’s just as important to have different security answers for those sites which offer the ability to grant access to users who forget their passwords.
The common problem with security questions and answers (“What was your mother’s maiden name?” etc) are that they’re often easy to determine, particularly if you know the individual whose account you are trying to crack into. However, if you are also in the habit of reusing security answers then the problem is compounded – as details stolen from one site might help online criminals break in elsewhere.
For this reason I recommend that you use a password manager to not only remember your login credentials, but also to generate and store securely random and unique answers to security questions. So, for instance, my mother’s maiden name on one site might be dYMqizwmFYdP,dwygoKx and on another HANwtXfafYEaxHqks/j?.
You can see why she took my father’s name now. ;-)
The New York Times report says that InfoArmor first spotted the stolen data months ago, but did not contact Yahoo directly when it first discovered that the tech company’s data was being sold online:
“InfoArmor did not go to Yahoo directly, Mr. Komarov said, because the internet giant was dismissive of the security firm when approached by an intermediary. He also said he did not trust Yahoo to thoroughly investigate the breach since it could threaten the sale to Verizon.”
Instead, the security firm alerted law enforcement and military agencies in the United States, Australia, Canada, Britain and European Union. Yahoo itself only seems to have realised it had another security crisis on its hands when contacted by the authorities.
Separately, Yahoo has been strongly criticised for failing to follow best practices when it comes to the way in which it was securing the compromised passwords.
The site was the easy-to-crack MD5 hashing rather than the superior bcrypt algorithm preferred by security-savvy professionals. Worryingly, in its breach statement the Yahoo’s CISO failed to mention whether any salting was being used.
According to reports, the price of Yahoo’s data has dropped dramatically to US $20,000 since the company became aware of the breach and started resetting users’ passwords.