Yahoo Found Real Data Breach While Looking into Fake One

Yahoo discovered that 500 million of its user accounts had been compromised while the company was investigating rumors of a different data breach that turned out to be false, unnamed sources told Reuters, The New York Times and IDG News Service in reports yesterday (Sept. 23).

Credit: IB Photography/Shutterstock

(Image credit: IB Photography/Shutterstock)

The investigation reportedly began after an online criminal calling himself "Peace" or "Peace of Mind" contacted media outlets in late July and offered to sell 200 million Yahoo usernames and passwords for about $1,800, a low price for so much data.

Yahoo analyzed some of the 200 million records and concluded they were probably aggregated by sifting data stolen from other online services around 2012. Over the past few months, Peace exposed several other large breaches dating back to 2012.

But even as Yahoo concluded the 2012 data did not result from a breach of its own servers, it discovered evidence of a breach in late 2014 that exposed 500 million Yahoo accounts to what Yahoo described as "state-sponsored" hackers. Unnamed U.S. intelligence sources told Reuters the details of the Yahoo breach resembled earlier hacks blamed on the Russian government.

MORE: What to Do After a Data Breach

Two Democratic senators took Yahoo to task in separate statements yesterday.

"I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today," Sen. Mark Warner of Virginia said in a statement quoted by the Washington Post. "Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue."

Sen. Richard Blumenthal of Connecticut called for an investigation into whether Yahoo had delayed notification of the breach in order to "artificially bolster its valuation" ahead of its planned sale to Verizon for $4.8 billion, the Post said.

The notion that there were two separate breaches, one of which turned out to be false, puts Yahoo in somewhat better light as it finalizes the Verizon sale. Now, Yahoo look less like it sat on its hands for two months after reports of the fake breach were first disclosed by VICE Motherboard on Aug. 1.

If the culprits in the real breach truly were agents of the Russian government, they probably wouldn't have advertised the stolen Yahoo data in online cybercrime forums, which is how victims of data breaches often learn they've been hacked.

For its part, Verizon told Computerworld that it had learned of the real breach on Sept. 20, two days before the rest of the world found out. Reuters reported that Yahoo and Verizon stock closed slightly higher yesterday.

"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," Verizon said in a statement provided to the Washington Post. "Until then, we are not in position to further comment."

It's not clear why Russian intelligence services would want the information of 500 million Yahoo users. However, some of the political email leaks of the past few months, which Democrats have alleged come from Russian intelligence and are designed to weaken presidential candidate Hillary Clinton's chances against her Republican opponent Donald Trump, have involved Yahoo email addresses.

For his part, Peace told IDG News Service that the two breaches were the same, and denied that the information he was peddling was fake.

"I can say is [sic] the 200 million database wasn't the entire database," he told IDG via instant messenger.

However, there are some mismatches between the two data sets. The samples that Peace provided VICE Motherboard in late July were protected by a weak hashing algorithm called MD5, and Peace himself said most of them dated to 2012. Yesterday, Yahoo said that "the vast majority" of the 500 million compromised accounts were protected by a much stronger hashing mechanism called Bcrypt.

Most websites "hash" user passwords by running them through mathematical algorithms that theoretically can't be reversed, then store the hash instead of the actual password. When a user logs in, the password he or she provides is run through the same algorithm, and the hashes are compared. If they match, the user is granted access.

MD5 dates back to 1991, and its vulnerabilities were well understood by 2007. Bcrypt is designed to protect passwords, is much more difficult to reverse, and has no disclosed vulnerabilities. In March 2014, Yahoo CEO Marissa Mayer hired renowned cryptographic expert Alex Stamos to head up security, and it's likely that the transition from MD5 to Bcrypt happened under his watch.

"Even with substantial resources [cracking Bcrypt passwords is] still slow," password-security specialist Jeremi Gosney told Ars Technica. "Not a fun time, even for nation-states. Super weak (like top50k) passwords will slowly but steadily fall, but any with even a hint of complexity are pretty safe."

It's not clear exactly how many of the 500 million passwords were not hashed with Bcrypt, and even 5 percent would still amount to 25 million crackable passwords. For that reason, anyone with a Yahoo account should change the password to something strong and unique, and either enable two-factor authentication or set up Yahoo's smartphone-app-based Account Key login system.

MORE: How to Create and Remember Super-Strong Passwords

It's also alarming that the hackers got a look at the security questions and answers, such as "What was your mother's maiden name?", that Yahoo uses to verify users' identities. Dispersal of security-question answers would make it easier for hackers to reset passwords on other accounts that used the same security questions.

An ex-Yahoo staffer told Reuters the questions were left unencrypted to make it easier to weed out fake accounts created by spambots, which often reuse answers to standard personal questions.

Yahoo assured Tumblr users that their own accounts were not affected by this new breach, as the two services have not merged their login systems since since Yahoo bought Tumbler in 2013. But Tumblr suffered its own data breach of 65 million accounts in 2013, news of which was disclosed only this year by — you guessed it — Peace.

However, Flickr users are definitely affected, as users of the photo-collection site much use Yahoo passwords to log in. And British independent security blogger Graham Cluley reminded his readers this morning that two large companies in the United Kingdom, BT and Sky, that had used Yahoo login services to their own email services, were probably also affected.

In the meantime, at least one well-known security expert found levity in the situation involving Yahoo, which has been perceived as a company on the decline for more than a decade.

"Yahoo's ad revenue is skyrocketing, as 500 million users log in to Yahoo for the first time in years," F-Secure Chief Research Officer Mikko Hyppönen tweeted, "to change their password and log out."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.