Cybercrime: Yahoo’s big breach helps usher in an age of hacker anxiety – More than a billion user accounts affected

This Tuesday, July 19, 2016 photo shows a Yahoo sign at the company's headquarters in Sunnyvale, Calif. On Wednesday, Dec. 14, 2016, Yahoo said it believes hackers stole data from more than one billion user accounts in August 2013. (AP Photo/Marcio Jose Sanchez)

MICHAEL LIEDTKE, AP Technology Writer SAN FRANCISCO (AP) 12/15 — Yahoo has become the worst-case example of an unnerving but increasingly common phenomenon — massive hacks that steal secrets and other potentially revealing information from our personal digital accounts, or from big organizations that hold sensitive data on our behalf.

On Wednesday, Yahoo disclosed a gargantuan breach affecting more than a billion user accounts, the largest such attack in history. The company said that attack happened in August 2013, although Yahoo only discovered it recently. Worse, the company’s announcement followed a similar announcement last September of a 2014 hack — one Yahoo ascribed to an unnamed foreign government — that affected 500 million accounts.

Neither Yahoo breach has yet been linked to online fraud or any specific repercussions for Yahoo users. But their disclosure closely follows U.S. intelligence concerns about Russian hacking of Democratic emails during the presidential campaign — not to mention other recent attacks on a major health insurer, a medical lab-test company and the government office that manages millions of federal employees.

“The lesson is clear: no organization is immune to compromise,” said Jeff Hill, director of product management for cybersecurity consultant Prevalent. And since most of us are dependent on big organizations that hold our digital lives in their hands, in a broad sense that effectively means no one is safe.

GOVERNMENT ATTACKERS

Of course, it’s not that simple. The most sophisticated break-ins are likely the work of digital burglars working for foreign governments that are mostly interested in manipulating their enemies, not emptying your bank account.

In the past few years, hackers tied to foreign governments are believed to have stolen emails to embarrass celebrities and Hollywood moguls (recall the Sony Pictures break-in during 2014) and possibly even to influence the 2016 presidential election.

“Espionage has gone digital like so many other things our world,” said Steve Grobman, chief technology officer at Intel Security. “We’re increasingly seeing data being used as a weapon, where leaked or fabricated information is being used to intentionally damage individuals and governments.”

Yahoo’s security breakdowns could turn into expensive deal breakers for the Sunnyvale, California, company.

Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.

TWO HACKS, MORE THAN A BILLION ACCOUNTS

Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.

In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password since September.)

Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.

That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.

QUESTIONS FOR VERIZON

News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.” Spokesman Bob Varettoni declined to answer further questions.

At the very least, the security lapses “definitely will help Verizon in its negotiations to lower the price,” Gartner analyst Avivah Litan predicted. Yahoo has argued that news of the 2014 hack didn’t negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.

“We are confident in Yahoo’s value and we continue to work toward integration with Verizon,” the company said.

Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.

https://www.apnews.com/674fba78245146c0871ee1b31bbe68bb/Yahoo’s-big-breach-helps-usher-in-an-age-of-hacker-anxiety

Posted in: Cybersecurity/Cybercrime, Data Security/Data Privacy

Leave a Reply

Your email address will not be published. Required fields are marked *

two + ten =

Terms of Use for Posting Comments

Terms of Use

This site (the “Site”) is operated and maintained by Law Enforcement Education Foundation, Corporation (“Company”). Throughout the Site, the terms “we”, “us” and “our” refer to Company.  The words “user,” “you” and “your” as used herein refer to you.

Please read these terms and conditions of use (“Terms of Use”) carefully before contributing content. If you do not agree to these Terms of Use, please do not contribute content. Your use of the Site is subject to the Terms and Conditions found here .

By contributing content to the Site, you represent and warrant that you are at least eighteen (18) years old and that you have read and understand these Terms of Use and any amendments thereto and agree to be bound by them. If you are not at least eighteen (18) years old or you do not agree and accept these Terms of Use, you are prohibited from contributing content.

From time to time, we may permit users to submit content to the Site.  You hereby acknowledge and agree that by submitting remarks, comments, suggestions, ideas, graphics, feedback, edits, concepts, comments, photographs, illustrations and other materials (other than personal information and/or registration information) through the Site (individually and collectively, “Submissions”), you (i) grant us a nonexclusive, royalty-free, perpetual, transferable, irrevocable and fully sub-licensable right to use, reproduce, modify, adapt, translate, distribute, publish, create derivative works from and publicly display and perform such Submissions throughout the world in any media, now known or hereafter created, without attribution to you; (ii) grant us the right to pursue at law any person or entity that violates your and/or our rights in your Submissions; and (iii) forever waive any and all of your rights, including but not limited to moral rights, if any, in and to your Submissions, including, without limitation, any all rights or requirements of attribution or identification of you as the author of the Submission or any derivative thereof.  We reserve the right to remove any of your Submissions from the Site, in whole or in part, without notice to you, for any reason or no reason.

Submissions are made voluntarily. Any submissions which include personally identifiable information are subject to our Privacy Policy found here .  You may not upload or otherwise publish content on the Site that (i) is confidential to you or any third party; (ii) is untrue, inaccurate, false or other than an original work of your authorship; (iii) that relates to or impersonates any other person; (iv) violates the copyright, trademark, patent or other intellectual property rights of any person or entity; (v) contains any content, personally identifiable information or other information, or materials of any kind that relate or refer to any other person or entity other than the provider of the products, goods or services to which the Submission relates; or (vi) violates any law, or in any manner infringes or interferes with the rights of others, including but not limited to the use of names, information, or materials that (A) libel, defame, or invade the privacy of any third party, (B) are obscene or pornographic, (C) are harmful, threatening, offensive, abusive, harassing, vulgar, false or inaccurate, racially, sexually, ethnically or are otherwise objectionable or otherwise contrary to the laws of any place where such Submissions may be accessed; (D) constitute personal attacks on other individuals; (E) promote criminal, immoral or illegal activity; (F) promote or advertise any person, product or service or solicit funds; or (G) are deemed confidential by any contract or policy.

You are solely responsible for any Submissions you make and their accuracy. We take no responsibility and assume no liability for any Submissions posted by you or any third party.

Unless approved by us in writing in advance, you agree not to: (i) provide or create a link to the Site; or (ii) create any frames at any other sites pertaining to any of the content located on the Site.

We reserve the right, in our discretion, to update, change or replace any part of these Terms of Use for Posting Comments by posting updates and/or changes to our Site.  It is your responsibility to check this page periodically for changes.  Your continued use of, and/or access to the Site, following the posting of any changes to these Terms of Use for Posting Comments, constitutes your acceptance of those changes.