A day after Yahoo announced that login credentials for at least 500 million accounts had been stolen in one of the biggest known data breaches in history, questions still remain about who orchestrated the attack and why it took so long for the internet giant to inform users.
Yahoo, which is in the midst of selling its core business to Verizon, attributed the attack to a "state-sponsored actor," saying data, including usernames, passwords, dates of birth, security questions, and contact information was stolen around late 2014. It’s unclear when the company learned of the compromise, and members of Congress have already called for stricter data-breach notification rules and, potentially, an investigation as to whether Yahoo knew of the hack and failed to disclose it in negotiating the $4.8 billion Verizon deal.
"This breach demonstrates the urgent need for Congress to enact data breach and security legislation—only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised," said Connecticut Sen. Richard Blumenthal in a statement. "As law enforcement and regulators examine this incident, they should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon."
One possibility, says Neill Feather, the president of Scottsdale-based security firm SiteLock, is that the breach was discovered in preparation for the acquisition. While reports surfaced over the summer of an anonymous dark web vendor offering to sell the credentials to hundreds of millions of Yahoo accounts, it’s not clear whether that offer was legitimate or linked to the same breach.
To Chris Finan, former director for cybersecurity legislation and policy on the National Security Council staff, it’s more likely that the just-announced hack was the work of China, which was heavily involved in hacking public networks to track political enemies around the time of the breach.
"Back in that 2013/2014 time period, there was quite a bit of state-sponsored, or at least state-aligned group activity targeting credentials, and the theory at least was that it was a means of monitoring dissidents in China and abroad," he says, referring to the period before talks between President Barack Obama and Chinese President Xi Jinping reduced the number of such intrusions.
Under that theory, it’s more likely that the attackers would have only been interested in a small number of accounts connected to political targets, perhaps even harnessing reused Yahoo credentials or cross-site login features to access their accounts on other sites as well.
"When I'm talking to individual companies around the globe, you’d be shocked how many people use the same two or three or four passwords," says Miller Newton, CEO of security firm PKWare.
If only a few accounts were actually accessed, that could explain why Yahoo took so long to notice its servers had been breached, says Finan, who is now CEO of blockchain-powered security startup Manifold Technology.
"If the credentials weren’t used en masse, it would make it more difficult to realize they had been stolen," he says. "Still, to go two years, that seems a little surprising."
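Finan's point is easy to see in detection logic. The following is an added example, not code from the article or from Yahoo: a volume-based login detector of the kind used to spot credential stuffing, run against constructed auth log lines in a hypothetical "TS login ok|fail user=U src=IP" format. It fires when one source logs into many accounts in a short window, stays silent when only a handful of targeted accounts are touched weeks apart, and shows that a per-account "new source network" baseline (here a constructed map of known /24s) is what surfaces the quiet case. Thresholds and addresses are illustrative.

```python
# Added example (not from the article): volume-based credential-stuffing
# detection versus per-account baselining, over constructed auth log lines.
from collections import defaultdict
from datetime import datetime, timedelta
import re

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical log format: "<ts> login ok|fail user=<name> src=<ipv4>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_auth_log(text):
    """Parse constructed log lines into dicts with a datetime 'ts' field."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], FMT)
        events.append(ev)
    return events

def flag_mass_use(events, window=timedelta(minutes=10), min_accounts=20):
    """Return source IPs that successfully log into >= min_accounts distinct
    accounts within any span of length `window` (illustrative thresholds)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok":
            by_src[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted logins
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({u for _, u in hits[start:end + 1]}) >= min_accounts:
                flagged.add(src)
                break
    return flagged

def net24(ip):
    """Coarse /24 key for a dotted IPv4 string."""
    return ".".join(ip.split(".")[:3])

def flag_new_source(events, baseline):
    """Per-account check: successful logins from a /24 the account has never
    used. `baseline` maps user -> set of known /24 prefixes (constructed)."""
    return sorted(
        (ev["user"], ev["src"])
        for ev in events
        if ev["result"] == "ok"
        and net24(ev["src"]) not in baseline.get(ev["user"], set())
    )

def mass_scenario():
    """Constructed: 200 accounts logged into from one IP, 3 seconds apart."""
    t0 = datetime(2014, 11, 2, 3, 0, 0)
    return "\n".join(
        f"{(t0 + timedelta(seconds=3 * i)).strftime(FMT)} login ok "
        f"user=user{i:04d} src=203.0.113.7"
        for i in range(200)
    )

# Constructed: three targeted accounts, each accessed once, days apart.
TARGETED_LOG = """\
2014-11-02T03:00:01Z login ok user=alice src=198.51.100.20
2014-11-09T22:14:37Z login ok user=alice src=192.0.2.44
2014-11-21T06:02:10Z login ok user=bob src=192.0.2.91
2014-12-03T19:45:00Z login ok user=carol src=192.0.2.17
"""

# Constructed per-account baselines of previously seen /24s.
BASELINE = {"alice": {"198.51.100"}, "bob": {"198.51.100"}, "carol": {"203.0.113"}}

if __name__ == "__main__":
    print("mass use, volume rule:", flag_mass_use(parse_auth_log(mass_scenario())))
    print("targeted, volume rule:", flag_mass_use(parse_auth_log(TARGETED_LOG)))
    print("targeted, new-source rule:",
          flag_new_source(parse_auth_log(TARGETED_LOG), BASELINE))
```

The volume rule flags the single stuffing source and nothing in the targeted log; only the per-account baseline flags the three quiet logins. That is the practical reading of the quote: a site that watches only aggregate login volume can go a long time without noticing that a small set of credentials has been used by someone other than their owners.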
Yahoo credentials have long been relatively inexpensive on the black market, Finan says (the 200 million listed earlier this year were reportedly offered for under $2,000), which could be a reflection of the ease with which hackers can obtain them.
The Yahoo attack stands out first for its size, which seems to dwarf even other large-scale data breaches: MySpace saw data on 360 million accounts stolen earlier this year, and about 167 million LinkedIn account logins were reportedly offered for sale in May as the result of a 2012 breach. But it is also unusual in that it compromised additional credentials, such as dates of birth and security questions and answers, which users may find hard to change, or even to recall where else they have used them, says Feather.
"I don’t know where I’ve used the same security questions," he says.
For Yahoo’s users, security firms are offering the advice that’s become almost routine to hear alongside reports of major data breaches: Pick strong passwords and don’t reuse them, store them in a password manager if possible and enable two-factor authentication with services that support it.
"Also, everyone should be aware of what’s going on," said Comodo Enterprise vice president and general manager John Peterson in a statement. "If an organization that you interact with reports a breach, don’t wait to update your password. Do it immediately."
And for Yahoo and its shareholders, it’s still uncertain what the hack could mean for the pending Verizon acquisition. In a statement emailed to Fast Company Thursday, the telecom giant indicated it was still seeking to learn more details about the breach.
"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," a company spokesman said in the statement. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders, and related communities."