On Wednesday Yahoo disclosed a data breach that affected one billion accounts. Yahoo said that it believes an "unauthorized third party accessed the company's proprietary code to learn how to forge cookies." It was not clear which incident the forged cookies related to, but Yahoo said that "the company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
Yahoo also said it has not been able to identify the intrusion associated with the theft, but the stolen user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Read more about the breach in the Wall Street Journal article "Yahoo Discloses New Breach of 1 Billion User Accounts."
Jeff Williams, Co-founder and CTO of Contrast Security, was asked by The San Diego Union Tribune to respond to the breaking story, and his thoughts were printed in the article "What to Do about Latest Yahoo Data Breach."
Jeff Williams' response to the Yahoo breach is printed below.
This is the Exxon Valdez of security breaches. 1 billion accounts compromised, when there are only 3 billion people with Internet access in the world. Many people use Yahoo email as their primary account. That means the attackers could reset passwords for bank accounts, medical providers, credit card accounts, etc… and retrieve the password reset email from the Yahoo victims.
Some of the practices that Yahoo has disclosed as part of this breach, such as using MD5 for hashing passwords and using a forgeable cookie algorithm, are just reckless. I’ve taught my secure coding students not to do these things for over 15 years. Attempting to blame a nameless state-sponsored actor to make it seem as though you are helpless against a super-genius criminal syndicate is a little pathetic. You left the door unlocked.
The fact that the attacker seems to have had access to Yahoo proprietary source code is extremely concerning for two reasons. First, they can use that code to identify more weaknesses to exploit in the future. But second, and more importantly, the attacker must have had access to systems storing that code. Were they able to plant backdoors and other trojans? No way to tell. What other internal Yahoo systems were compromised?
But the most concerning part of this disclosure is that the attack seems to have happened in August 2013. So for over three years, Yahoo has either been entirely compromised without knowing it, or has been unwilling to share the fact that they were hacked with the billion people whose accounts were compromised. Look, I can understand getting hacked. But not letting me know prevents me from taking action to protect myself. You don’t know what risk I’m willing to take – that’s my decision.
It’s not enough for Yahoo to say that they’ve cleaned up this mess. They haven’t. They can’t. I need to trust my email provider to be certain that appropriate precautions are in place, that the defenses actually work, monitor those defenses to make sure they’re working, and to let me know immediately if there’s a problem.
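The two practices called out above, forgeable cookies and MD5 password hashing, side by side with their hardened counterparts. This is example code added to this page; it is not Yahoo's code and not part of Jeff Williams' response, and nothing in it describes Yahoo's actual cookie format or password store. The cookie layout (`user=<name>;uid=<n>`), the user names, passwords and wordlist are all constructed for the illustration, and `SERVER_KEY` stands in for a real server-side secret.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# --- 1. Session cookies ----------------------------------------------------
# Hypothetical weak scheme: the cookie is base64("user=<name>;uid=<n>"). Its
# only "secret" is the format, so anyone who reads the source (or decodes one
# cookie) can mint a cookie for any account.

def _parse_fields(raw: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in raw.split(";"))

def make_forgeable_cookie(user: str, uid: int) -> str:
    return base64.urlsafe_b64encode(f"user={user};uid={uid}".encode()).decode()

def weak_server_uid(cookie: str) -> Optional[int]:
    """A server trusting the weak cookie: decode it and believe it."""
    try:
        return int(_parse_fields(base64.urlsafe_b64decode(cookie.encode()).decode())["uid"])
    except (ValueError, KeyError):
        return None

# Hardened scheme: same payload plus an HMAC-SHA256 tag under a server-side key.
# Reading the code is no longer enough to forge; the attacker also needs the key.
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret for the demo

def make_signed_cookie(user: str, uid: int, key: bytes = SERVER_KEY) -> str:
    payload = base64.urlsafe_b64encode(f"user={user};uid={uid}".encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def signed_server_uid(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Verify the tag (constant-time compare) before trusting the payload."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return int(_parse_fields(base64.urlsafe_b64decode(payload.encode()).decode())["uid"])
    except (ValueError, KeyError):
        return None

def cookie_forgery_demo() -> Dict[str, bool]:
    """An attacker who knows the format tries to become uid 1 (the admin)."""
    forged_weak = make_forgeable_cookie("admin", 1)            # trivially minted
    legit_signed = make_signed_cookie("alice", 1001)
    # Keep alice's valid tag, swap in an admin payload: the tag no longer matches.
    admin_payload = base64.urlsafe_b64encode(b"user=admin;uid=1").decode()
    forged_signed = admin_payload + "." + legit_signed.rsplit(".", 1)[1]
    return {
        "weak_forgery_accepted": weak_server_uid(forged_weak) == 1,
        "signed_forgery_rejected": signed_server_uid(forged_signed) is None,
        "signed_legit_accepted": signed_server_uid(legit_signed) == 1001,
    }

# --- 2. Password hashing ---------------------------------------------------
def md5_hash_password(password: str) -> str:
    """Unsalted MD5: fast, and identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_md5_hashes(stored: Dict[str, str], wordlist) -> Dict[str, str]:
    """One MD5 per candidate cracks every user at once: no salt, no work factor."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # ~16 MiB per guess; tune for your hardware

def scrypt_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash stored as hex(salt)$hex(digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"

def scrypt_verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)

WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]  # constructed

def password_demo() -> Dict[str, object]:
    users = {"alice": "password", "bob": "hunter2", "carol": "password"}  # constructed
    md5_store = {u: md5_hash_password(p) for u, p in users.items()}
    scrypt_store = {u: scrypt_hash_password(p) for u, p in users.items()}
    return {
        "md5_cracked": crack_md5_hashes(md5_store, WORDLIST),
        "md5_alice_equals_carol": md5_store["alice"] == md5_store["carol"],
        "scrypt_alice_equals_carol": scrypt_store["alice"] == scrypt_store["carol"],
        "scrypt_verifies_bob": scrypt_verify_password("hunter2", scrypt_store["bob"]),
    }

if __name__ == "__main__":
    print(cookie_forgery_demo())
    print(password_demo())
```

Two points the demo makes concrete: with the signed cookie, publishing the code costs nothing as long as the key stays server-side, which is the property a cookie scheme needs if source code leaks; and with unsalted MD5, one pass over a wordlist recovers every user sharing a common password, while the salted scrypt hashes differ per user and each guess costs a memory-hard computation.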