The Really Scary Detail You Overlooked in Yahoo’s Data Theft Statement
In-brief: Hackers believed to be ‘state sponsored’ penetrated deep into Yahoo!’s networks, stealing sensitive code used to help authenticate users, the company revealed on Wednesday.
You’ve no doubt read the news about the massive theft of data at online search and advertising firm Yahoo! Inc., which on Wednesday disclosed the theft of information on one billion (with a “B”) user accounts. But you may have overlooked the details of an even scarier hack that Yahoo! buried beneath that eye-popping number.
In a statement by Yahoo CISO Bob Lord on Tuesday, the company said a forensic investigation of its networks had uncovered evidence that a spate of targeted attacks using forged Yahoo authentication “cookies” was the result of the theft of Yahoo proprietary code, allowing attackers believed to be connected to “state actors” to impersonate any Yahoo user.
“Outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies,” Lord said in the statement, adding that the activity was connected to “the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Yahoo did not directly respond to a request for comment on how many users were targeted in the attacks. A spokesman for a public relations firm working on behalf of Yahoo said that the company was not specifying how many users were affected because of the “ongoing” investigation. Yahoo also is not offering details on what types of users were affected or where they were located in these targeted attacks.
What is known about the attacks suggests that hackers penetrated deeply into the company’s networks, accessing proprietary code used to secure users’ interactions with Yahoo’s many online services, noted Jeremiah Grossman of the security firm SentinelOne. That bodes ill for the future, Grossman said.
“Since Yahoo is unable to determine the threat actor, or even perhaps the original source of entry from three years ago, it will be extremely difficult to provide assurance that the system is now ‘safe’,” he said in an email statement.
At issue is the method that Yahoo used to generate authentication “cookies” – small pieces of code that are generated on a user’s system and that would allow them to access their account without a password. Grossman, who was once on the security team at Yahoo, said that the company would generate such cookies using a long, randomly generated string unique to each user and based, in part, on that user’s password, and on a secret, such as a passphrase, that was universal within Yahoo.
Initially that secret was stored in code, but it was later moved out of code and stored in a file to which access was strictly limited, Grossman noted on Twitter.
In the recent hacks, however, attackers were apparently able to get access to that secret value. Then, using the password and other account information stolen from Yahoo, they could create the unique user IDs and, together, create their own, valid authentication cookies for accounts. Those could be used to log in without setting off Yahoo’s security systems, Grossman said.
Yahoo might still have identified such fraudulent logins by noting where the sessions originated. However, it is unclear whether Yahoo used fraud detection features like that to secure accounts.
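To make the design problem concrete, here is an added Python illustration (not code from the article, and not Yahoo’s actual implementation; every name, secret and value in it is constructed for the example). Scheme A mirrors the cookie design described above: a value derived deterministically from long-lived account data and one service-wide secret, so that any party holding the secret and a copy of the account record reproduces the same cookie and the only way to cut off such sessions is to change the password or rotate the secret for everyone. Scheme B is the conventional alternative a defender would reach for: an opaque random session identifier kept server-side, which can be expired or revoked per session and is bound to the origin that created it, so that use from elsewhere can be flagged, the kind of fraud check the paragraph above asks about.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# ---------------------------------------------------------------------------
# Scheme A: deterministic, stateless cookie (constructed to mirror the design
# the article describes: one secret shared across the service, combined with
# per-user account data). Nothing here is Yahoo's real code.
# ---------------------------------------------------------------------------

def derive_stateless_cookie(user_id: str, password_hash: str,
                            global_secret: bytes) -> str:
    """Cookie = HMAC-SHA256(global_secret, user_id || password_hash).

    All inputs are long-lived account data: there is no per-session
    randomness and no server-side record, so whoever holds the global
    secret and the account record reproduces this exact value, and the
    service cannot revoke one session without rotating the secret for all.
    """
    message = f"{user_id}:{password_hash}".encode()
    return hmac.new(global_secret, message, hashlib.sha256).hexdigest()


def verify_stateless_cookie(cookie: str, user_id: str, password_hash: str,
                            global_secret: bytes) -> bool:
    """Constant-time comparison against the freshly derived value."""
    expected = derive_stateless_cookie(user_id, password_hash, global_secret)
    return hmac.compare_digest(cookie, expected)


# ---------------------------------------------------------------------------
# Scheme B: opaque random session IDs recorded server-side.
# ---------------------------------------------------------------------------

class SessionStore:
    """The cookie carries no account data and is not derived from any
    secret, so no server-side key lets a party mint a cookie for an
    arbitrary user. Each session expires on its own, can be revoked
    individually, and is bound to the origin that created it."""

    MAX_AGE_SECONDS = 24 * 3600

    def __init__(self) -> None:
        # session_id -> record; a real deployment would persist this.
        self._sessions: dict = {}

    def create(self, user_id: str, origin: str,
               now: Optional[float] = None) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[session_id] = {
            "user": user_id,
            "origin": origin,
            "issued": now if now is not None else time.time(),
            "revoked": False,
        }
        return session_id

    def check(self, session_id: str, origin: str,
              now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Returns (status, user_id). status is 'ok', 'suspicious' (a live
        session presented from a different origin than the one that
        created it) or 'invalid' (unknown, expired or revoked)."""
        now = now if now is not None else time.time()
        record = self._sessions.get(session_id)
        if record is None or record["revoked"]:
            return ("invalid", None)
        if now - record["issued"] > self.MAX_AGE_SECONDS:
            return ("invalid", None)
        if record["origin"] != origin:
            return ("suspicious", record["user"])
        return ("ok", record["user"])

    def revoke_user(self, user_id: str) -> int:
        """Invalidate every live session of one user (for example after a
        forced password reset); returns how many were revoked."""
        count = 0
        for record in self._sessions.values():
            if record["user"] == user_id and not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count
```

In Scheme A the second `derive_stateless_cookie` call with the same inputs returns the identical string, which is the whole problem: validity depends only on data that can be copied. In Scheme B the `suspicious` status is the hook for the origin-based fraud detection the article mentions; whether to reject, step up authentication, or merely log is a policy choice layered on top.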
Grossman said that users affected by the breach must weigh their response. Given the length of time since the original theft (three years), “the damage has been done,” Grossman said. “Whatever data the threat actor wanted to steal is now gone – and there is no going back.”
Grossman said that many users may be tempted to simply delete their Yahoo account, but should move deliberately: not simply deleting their account, but assessing what data they have stored on Yahoo’s servers and whether some might be copied to local stores and then deleted. “Many people, including security experts, routinely purge private messages that are more than a couple of months old from social and email accounts. This limits the amount of sensitive data lost, should their accounts be compromised,” Grossman advised.