Yesterday afternoon Yahoo Inc. (Yahoo) announced that user information was stolen from more than one billion accounts in August 2013. Yahoo said that the stolen information includes, “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” but does not include bank account information.
Yahoo’s chief information security officer, Bob Lord, said in a statement yesterday that Yahoo believes the August 2013 incident is “likely distinct” from the incident that was disclosed in September 2016 that affected 500 million users (the September 2016 disclosure involved an attack from 2014). Yahoo also stated it has connected this newly announced August 2013 activity to the same state-sponsored actor responsible for the 2014 attack. Yahoo is currently notifying affected account holders and recommending users change their passwords and monitor accounts for suspicious activity.
This hack is particularly troubling because Yahoo believes a third party stole proprietary code from Yahoo that allows a hacker to access users’ accounts without a password. Specifically, the code forges authentication “cookies.” A cookie is data sent from a website and stored in the user’s web browser. Authentication cookies tell the browser that the user has previously authenticated the website. A forged authentication cookie thus allows an unauthorized user to log on to an account without using a password, potentially repeatedly and indefinitely. Yahoo has since invalidated the forged authentication cookies so they cannot be used to access accounts.
Passwords have recently come under scrutiny as an inadequate way to protect information. During a hearing held on November 16, 2016 by members of the House Energy and Commerce Committee, one expert, Dr. Kevin Fu testified that, “passwords are just intrinsically insecure” and “encourage unwise security behavior.” Dr. Fu continues, “the fact that we are relying on passwords at all is a big problem” and that “we need to retire passwords.” The disturbing reality of his testimony came to life with this most recent Yahoo attack, made possible by circumventing passwords to hack accounts. This unfortunate event may mark the beginning of a transition away from passwords as a security measure.
Yahoo is already battling several proposed class actions alleging violations of federal and state consumer protection and privacy laws from the September disclosure. The company will now face additional inquiries about the 2013 incident and the nearly three year reporting delay about the hack.