DCL Connecting talent
  • Virgin
  • SingTel
  • Tata
  • Nebulas
  • CNS
  • Secure Data
  • Telstra Global
  • Telecity
  • KCOM
Comments Off on US Senator Calls for Probe of Yahoo Security Following Hack

US Senator Calls for Probe of Yahoo Security Following Hack

Posted by Admin | December 16, 2016 | IT Security

Senator Mark Warner seeks an investigation into Yahoo’s cybersecurity practices

A senior Democratic senator has said he would launch an investigation into Yahoo’s security practices after a second massive data breach was reported on Thursday affecting over 1 billion user accounts.


The hack, which is now the largest on record, was reportedly carried out in 2013 when an unauthorised third party accessed data containing over 1 billion user details, potentially including names, telephone numbers and hashed passwords.

Following Thursday’s news of another data breach, Senator Mark Warner of Virginia announced he would be seeking to probe Yahoo security protocols to establish how such a significant amount of user data could have been stolen.

“This most recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defences have been so weak as to have compromised over a billion users,” said Warner, in a statement to Reuters.

Warner, who is set to become the leading Democrat on the Senate Intelligence Committee in 2017, said he had also made repeated attempts to contact Yahoo for a briefing covering the first reported hack in 2014, which affected 500 million accounts, but failed to get a reply.
“If a breach occurs, consumers should not be first learning of it three years later,” added Warner. “Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites.”

Following the hack in 2014, the senator approached US security services to investigate Yahoo’s actions and whether it sufficiently met obligations to inform the public of the breach.

Yahoo has claimed that the stolen information did not include passwords in clear text, or any financial details, however users have been urged to take steps to secure their accounts, and replace security questions and answers.

15/12/2016: Yahoo hack: More than one billion Yahoo accounts hacked

Yahoo has confirmed that more than a billion user accounts have been hacked in a security breach back in 2013. The breach could scupper its acquisition by Verizon.


The internet firm said in a statement that it believed an unauthorised third party stole data associated with more than one billion user accounts in August 2013. It said it has not been able to identify the intrusion associated with this theft.

It added that this was “distinct from the incident the company disclosed on September 22, 2016″, when it revealed 500 million email addresses had been hacked back in 2014.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo said that its investigations indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information. “Payment card data and bank account information are not stored in the system the company believes was affected,” the firm said.

It has notified affected users and taken steps to secure their accounts. It has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.

In a separate issue, Yahoo said that outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.

“Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” said the firm.

It said that it had connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September this year.

The latest breach could threaten to derail its impending sale to Verizon, because the acquisition would mean that Verizon may become liable for these breaches. This could result in Verizon offering less for the purchase of the troubled web giant.

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said: “Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout, may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected.”

Paul German, CEO at encryption firm Certes, told IT Pro in a written statement that with Yahoo suffering two of the largest hacks in history, its attitude to cyber security is seriously into question.

“Yahoo is relying on an outdated cybersecurity model which takes a, ‘protect’, ‘detect’, ‘react’ approach which simply does not work. The problem lies in the fact that once inside a network, there is a significant delay before a hacker is detected, leaving them free to move uninhibited, accessing vast quantities of sensitive data and wreaking havoc,” he said.

Brian Laing, vice president at malware detection firm Lastline, added that firms too often fail to account for the magnitude of potential losses when resourcing preventative measures.

“Perhaps a Yahoo – Verizon deal adjustment may stand as a sober reminder how important it is to get a state-of-art cyber defence strategy in place,” he said.

10/11/2016: Yahoo says its employees knew about the hack in 2014

In a securities filing on Wednesday, Yahoo said some of its employees knew that a “state-sponsored actor” had broken into its network two years ago.


This was the attack that led to theft of data such as names, dates of birth and passwords associated with more than 500 accounts. It’s considered to be one of the largest-ever data breaches affecting a private company.

The company did not state whether, at the time, this attack was disclosed to senior management.

Yahoo first revealed a data breach had taken place on 22 September this year. It said the hack was discovered while investigating a hacker’s claim of possessing some Yahoo user data.

The Yahoo filing also said that the company was investigating “certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”

The company plans to sell its internet operations to Verizon for $4.8 billion. Pinning down whether employees knew or when they found out about the attack has therefore become a priority for the deal to be carried through.

The deal with Verizon had been decided a couple of months before the data breach was made public, and the company could be wanting to learn more about how it happened and was dealt with.

31/10/2016: EU data watchdogs demand answers about Yahoo hack

Europe’s data watchdogs have expressed concerns over Yahoo’s alleged systematic email surveillance and the leak of 500 million user credentials.


In a letter delivered to the US email provider last Thursday, the Article 29 Data Protection Working Party (WP29) described the 2014 data breach, which only emerged in September, as “deeply concerning”, and said it is duty-bound to protect “the significant number of EU data subjects” who may have been affected.

“It is of the utmost importance that Yahoo devote significant resources to understand, communicate and address all aspects of this unprecedented data breach and notify the adverse effects to the data subjects using the services that your company provides,” said the letter from the WP29, which comprises all 29 EU member states’ data protection regulators.

“This must be carried out in a quick, comprehensive and easily understood manner, so that Yahoo users across Europe will understand any action they need to take as a result of the breach,” added the WP29.

It urged Yahoo to cooperate fully with any investigations and queries, and deliver specific information which is “of interest” to the authority. This includes the content of the data, consequences of the 2014 breach and the number of people affected in each European country.

The letter, signed by chairwoman Isabelle Falque-Pierrotin, also addressed the “concerning” mass surveillance Yahoo allegedly conducted, with the firm accused of using a systematic search of all incoming user emails at the request of the US government.

“It will be important to understand the legal basis and justification for any such surveillance activity,” said the letter, “…including an explanation of how this is compatible with EU law and the protection of EU citizens.”

“We are aware of the letter from the Article 29 Data Protection Working Party and will work to respond as appropriate,” said a Yahoo spokesperson, in an email to IT Pro.

The EU privacy group also delivered a letter to WhatsApp on Friday, expressing “serious concerns” over the way the messaging app handles its users’ private data. The letter urged WhatsApp to halt all plans to share data with its parent company Facebook, until “appropriate legal protections can be assured.”

19/10/2016: Yahoo profits bloom despite hack

Yahoo’s quarterly profits were better than analysts had anticipated, despite the company’s recently revealed hack of 500 million people’s account details.


The data breached during the hack included customers’ names, email addresses, telephone numbers, personal details and passwords, according to Yahoo CISO Bob Lord.

Verizon, who was looking to buy Yahoo for $4.83, displayed concerns last week, saying that the hack could have a material impact on the deal.

However, Tuesday’s stock market results showed that the hack had no major effect on the number of Yahoo customers. Yahoo said results actually showed a growth in page views and email account usage.

Contrary to expectations, Yahoo’s quarterly profits more than doubled, reaching $163 million. Yahoo CEO Marissa Mayer said: “We launched several new products and showed solid financial performance across the board.”

As Yahoo continues to lose share within the digital advertising market, these positive financial results could be due to a good cost management strategy.

Analysts are still unsure as to whether Verizon’s acquisition of Yahoo will still go ahead. Although most don’t expect the deal to be entirely cancelled due to the hack, the price and contract terms of it could be renegotiated.

Mayer said: “In addition to our continued efforts to strengthen our business, we are busy preparing for integration with Verizon. To that end, we take deep responsibility in protecting our users and the security of their information. We’re working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends.“

11/10/2016: Yahoo disables email forwarding

Users of Yahoo mail are unable to forward emails to external accounts, as the feature has been “temporarily disabled”.


According to a brief post on its support forums, Yahoo has blocked users from using the ‘automatic forwarding’ function as they work to develop the feature further.

Users would normally be able to create copies of their incoming messages using automatic forwarding, which would be sent to other accounts such as Hotmail or Gmail. However, users began complaining at the beginning of the month that this feature had been blocked, according to the Associated Press.

Yahoo said in the post: “This feature is under development. While we work to improve it, we’ve temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses.”

Yahoo user Brian McIntosh said forwarding has been “a basic concept for 15 years for just about every email provider out there. All of a sudden it’s under development, and only at Yahoo”, speaking to the Associated Press.

“That all this has ceased to function when they have been getting a lot of press seems extremely dubious to me,” added McIntosh.

In September Yahoo revealed a record-breaking hack of personal information, affecting at least 500 million customers in 2014.

More recently the company was found to have secretly built custom software to scan emails, allowing the US government to conduct surveillance on its users’ emails.

IT Pro approached Yahoo to ask why it has disabled this function and if it was related to the data breach, but we have yet to receive a reply.

What is certainly true is that this move makes it more difficult to users to move to other email accounts, which is likely happening on a mass scale right now.

27/09/2016: Yahoo ‘using unsecured certificates’

Yahoo hasn’t taken the necessary steps to patch security holes that could leave customers open to further hacks, it has been claimed.


Security firm Venafi Labs carried out research on Yahoo’s use of cryptographic systems and security certificates and found some troubling results.

According to the firm, which used a combination of its own data and data from global certificate intelligence database TrustNet, 27% of certificates on external Yahoo sites haven’t been reissued since the beginning of last year.

This is despite the reissuing of certificates being a common and critical practice to mitigate a breach, to ensure that hackers no longer have access to encrypted communications.

Venafi has also claimed that, based on its research, Yahoo may not have the ability to find and replace digital certificates quickly, as only 2.5% of those in use have been issued within the past three months.

The company has also accused Yahoo of using outdated and unsecure encryption methods, in particular, MD5 and SHA-1. MD5 is, for example, vulnerable to the Flame family of malware. SHA-1 certificates, meanwhile, will no longer be accepted by most major browser vendors as of January 2017.

Hari Nair, director of product management and cryptographic researcher for Venafi, said: “Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication.Collectively, they pose serious questions about whether Yahoo has the visibility and technology necessary to protect encrypted communications and ensure its customer’s privacy.

“Our research has led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture.”

A source familiar with the matter told IT Pro: “The vast majority of hashed passwords stolen by what we believe was a state-sponsored actor are bcrypt protected, and only a small percentage of passwords are protected with MD5.

“As we said, we’re notifying potentially affected users and we’ve taken steps to secure their accounts, including recommending that users who haven’t changed their passwords since 2014 do so.”

23/09/2016: Yahoo hack: 500 million people’s account details stolen ‘by nation state hacker’

Yahoo has confirmed that at least 500 million people’s account detailswere stolen by a state-sponsored hacker.


The data breach included people’s names, email addresses, telephone numbers, dates of birth, hashed passwords and even security questions and answers, Yahoo CISO Bob Lord explained.

The search giant, which said the hack took place in late 2014, does not believe the stolen data included any credit card details, unprotected passwords or bank account information.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” Lord said in a post on Tumblr. “Yahoo is working closely with law enforcement on this matter.”

News of the hack first emerged yesterday from Recode, but it is not yet clear whether the stolen account details is related to a data dump of 200 million Yahoo accounts made available on the dark web last month.

The hacker who collated them and put them up for sale online, going by the moniker Peace, said those details were from “2012, most likely”.

Yahoo is now in the process of notifying customers who may be affected, and asking them to change their passwords, or use different methods of confirming their identity.

It has invalidated any unencrypted security Q&As and urged customers to use its Yahoo Account Key, a two-factor sign-in method it first rolled out in March this year, that sends a push notification to a user’s smartphone when they need to log into their email. 

The huge batch of exposed passwords beats Dropbox’s 61 million credentials that were leaked online in August after a hack in 2012, leading to Dropbox also urging users to change their passwords.

Lord added: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

22/09/2016: Yahoo expected to confirm massive data breach

Yahoo has been hit by a massive data breach, according to leaked reports, which the company is expected to confirm later today.


Sources told Recode’s Kara Swisher – long a top source for Yahoo news – that the hack affects several hundred million users, calling it “widespread and serious”.

The hack comes at an awkward time for Yahoo, which is selling much of its business – including customer data – to Verizon as part of a $4.8 billion deal.

Details are scarce as Yahoo has yet to confirm the attack, but it appears the security breach is related to the apparent leak of 200 million accounts earlier this year by a hacker known as “Peace”.  Yahoo at the time didn’t confirm if that hack was legitimate, merely stating it was “aware” of the incident.  

IT Pro asked Yahoo for confirmation of the attack, but has yet to hear back. However, users have started to see messages to change their passwords. 

Nikki Parker, vice president at security firm Covata, criticised Yahoo’s security measures. “In this case, last month, the hacker claimed that the data was hashed with a MD5 algorithm, coding that simply isn’t robust enough to secure data,” Parker said in a statement. “You’d hope that Yahoo would’ve since thought about adopting more advanced encryption technology that secures data in individual pieces rather than in large sets, as well as empowering it to rigorously control access.”

Parker claimed that Yahoo’s slow response was “surprising”, adding: “It should have encouraged customers to change their passwords and now, potentially, more than 200 million people are at risk and have been for some time.”

If the hack is indeed confirmed, CensorNet’s CEO Ed Macnair said the usual advice applies. “Change your username and passwords across sites and with business accounts,” he said in a statement.

“Not only is personal data at risk here, but people often use such logins at work. That is always a huge issue for companies. Everyone should stay vigilant to suspicious activity and, it would be advisable to get some new passwords ready – just in case.”

Source: itpro

185 total views, 1 today