Yahoo says a foreign nation may have played a role in its gargantuan and humiliating data breach but some experts suggest Yahoo’s staff and leadership were simply negligent at detecting intrusions.
These experts say the breach, affecting an estimated one billion accounts, was not technically sophisticated and possibly the work of a cybercrime gang operating in Eastern Europe.
“I just think the capabilities weren’t there and now they are scrambling to provide some sort of explanation other than, ‘We were asleep at the wheel,’ ” said Christopher Pogue, chief information security officer at Nuix, an Australian security and intelligence company.
Yahoo’s stock plunged 6 percent Thursday following the company’s announcement that data from more than one billion user accounts was lost in a hack that began in 2013. The announcement cast new doubt on Verizon’s pending $4.2 billion takeover of Yahoo.
Verizon executives, aware of the potential class-action lawsuits and shareholder actions that may result from Yahoo’s announcement of a breach, the second in three months, are likely to lower their bid for Yahoo.
“They are going to say, ‘Hey, I’ve got a hot dog and some pocket lint. Take it or we’re walking away from the deal,’ ” said Pogue, who is based in Oklahoma.
Just three months ago, Yahoo said a breach in 2014 resulted in the loss of data from 500 million accounts. The combined breaches are the largest ever recorded by any company in the world, and have turned a once-pioneering Sunnyvale, Calif., company on its head.
On Thursday, it faced satiric, even wicked, humor on social media.
On its website, Yahoo said the company did not know precisely who was behind the latest reported attack, which came to its attention through law enforcement agents in November. That revelation underscored the role federal agents play in notifying private corporations of major breaches.
Using that information, Yahoo raised the specter that a foreign country was involved.
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016,” Yahoo said.
Three experts consulted by McClatchy suggested that Yahoo may be exaggerating the role of a foreign government in the hack.
“Eighty percent of the time, the use of ‘advanced’ and ‘sophisticated’ and ‘nation state’ is overstated,” said Paul Calatayud, chief technology officer at FireMon, a Kansas City, Mo., company that offers cyber intelligence and compliance services. “It just kind of glorifies the situation more rather than the onus being on, ‘What happened?’ It’s more defensible.”
Yahoo said it believes the hackers obtained “names, email addresses, telephone numbers, dates of birth, hashed passwords ... and, in some cases, encrypted or unencrypted security questions and answers.” It said payment card data and bank account information were stored on a separate system.
The hack appears to have occurred in August 2013, the company said.
Hackers used “forged cookies” to break into accounts, bypassing the need for a password, the company said. “Cookies” are bits of data stored on a user’s computer that allow a website such as Yahoo to recognize unique visitors and respond to their website preferences.
“This is not a complex attack,” Pogue said. “It really has more to do with the session management of the website than it does a super-skilled attacker. ... These are not ninjas. These are not super deeply technical people.”
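The session-management weakness Pogue describes comes down to whether a site can tell its own cookies from forged ones. The following is an added example, not Yahoo's code or anything from the article, showing one standard defense: a session cookie whose contents are covered by an HMAC under a server-side key and carry an expiry, so a cookie minted without the key, edited after issue, or replayed after it expires is rejected. The key, claim names and TTL are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, issued_at: int, ttl: int = 3600, key: bytes = SECRET_KEY) -> str:
    """Build 'payload.signature'; the HMAC covers the entire encoded payload."""
    claims = {"uid": user_id, "iat": issued_at, "exp": issued_at + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_cookie(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload, sig = cookie.split(".", 1)
        presented = _unb64(sig)
    except (ValueError, base64.binascii.Error):
        return None  # malformed cookie: treat as anonymous, never as a user
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a forged or edited payload fails here,
    # because the forger cannot recompute the HMAC without the server key.
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_unb64(payload))  # only parsed after the MAC checks out
    if now >= claims["exp"]:
        return None  # expired: a stolen cookie has a bounded useful lifetime
    return claims["uid"]
```

A cookie that fails verification should be logged with its source address; a burst of such failures is the detection signal a site would want for the kind of cookie forgery the article describes.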
Cybersecurity experts accustomed to the growing frequency and magnitude of hacks appeared startled at the size of the newest Yahoo penetration.
“I’ve heard of millions. But a billion?” said Michael Patterson, chief executive of Plixer, a cybersecurity company in Kennebunk, Maine. “It’s crazy.”
Patterson noted that hackers are getting “so good at staying stealthy” but uploading information from a billion accounts “would have caused tremendous amounts of traffic leaving the company.” Such an upload probably should have raised alarms, he added.
“There are points in cybersecurity history that are turning points,” said Pogue, referring specifically to a 2013 breach of customer payment card information at Target that affected 40 million consumers. “I think it’s going to be one of those turning points. It’s going to get the attention of CFOs (chief financial officers), of board members, investors and shareholders.”
User data from the previous Yahoo hack turned up on a cybercrime marketplace site called “The Real Deal Market” that is on what is known as the dark net, a vast sphere of the internet favored by hackers and criminals using an anonymizing Tor browser, said Andrew Komarov, chief intelligence officer at InfoArmor, a Scottsdale, Arizona, cybersecurity firm.
“We are aware that the group is Russian-speaking but that doesn’t mean they are in Russia,” Komarov said. “They are located in different countries in Eastern Europe.”
Despite the new Yahoo breach announced this week, Komarov said that “there is still high interest from cybercriminals about the Yahoo dump.” Even if users change their passwords, other metadata captured can make it easy to hack other accounts maintained by the users. The stolen information “is still very relevant and very valuable,” he said.
Patterson, the chief of Plixer, said many companies never detect major breaches.
“It’s federal authorities knocking on the door and saying, ‘Hey, I’ve got some bad news for you. We think you’ve been compromised,’ ” Patterson said.
The FBI cybercrimes division includes people who “are getting on the dark web. They are asking for samples of data that’s for sale, trying to get at what information is it that you are selling. Where did you get it, if possible,” Patterson said.
It is then that they go calling on companies like Yahoo.