Too Little, Too Late? Yahoo! Starts Sending Password Reset Notices

Yahoo! has begun sending out password reset notices in the wake of its confirmed breach of 500 million credentials. It's likely cold comfort to those impacted by the incident.

The internet pioneer said yesterday that certain user account information was stolen from the company’s network in late 2014, including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The revelation set tongues wagging across the financial and security worlds, with some questioning whether Verizon’s planned acquisition of the company will still go through, and many noting that Yahoo! CEO Marissa Mayer is likely not long for her job. Others are concerned that the online giant only now notified the public of the incident, almost two years after it happened.

“The [supposed] breach raises a lot of questions about internal security policies at Yahoo,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge, via email. “For example, why were such a huge number of accounts compromised? SQL injections (supposing that an insecure web application or a web service was involved) cannot be totally prevented; however, database's internal security mechanisms should detect and prevent such anomalies when somebody is dumping the entire database.”

Things could get worse, as this could be just one of two enormous breaches for the company. Back in August, the hacker responsible for dumping hundreds of millions of MySpace, LinkedIn and other credentials online in recent months claimed to have put up for sale 200 million Yahoo log-ins. That leak, however, was tied to a 2012 incursion.

Yahoo! said that the 500-million-credential heist was carried out by a state-sponsored attacker, but few additional details have been given.

“It's too early and premature to make any conclusions both about the origins and the attackers,” said Kolochenko. “For example, we should keep in mind that governments are not the only players on the Dark Web with important technical and financial capabilities. Yahoo's database is a perfect good for almost any cybercrime gang as it can be used to conduct chained and password reuse attacks against companies and individuals.”

In any event, it’s critical for anyone with a Yahoo! account to not only reset their passwords, but also reset them on every single account for which those password-user ID combinations have also been used. Banking on password re-use, which is endemic, cyber-criminals like to use stolen credential stores to brute-force other accounts to gain access to perhaps more valuable information. If someone used his or her Yahoo! details to also sign up for online banking, or a healthcare portal, or a tax filing service, and so on, that could lead the criminals to access extremely sensitive documents and information. This could in turn be sold on the Dark Web, used to craft elaborate and believable phishing schemes, or criminals could use the access to steal money or steal corporate secrets.

“We know that some people reuse their user names and passwords on multiple sites, and even if a tiny percentage of the people involved in this Yahoo breach did that, we could potentially see identity theft at a scale previously unheard of,” said Nathan Wenzler, principal security architect at AsTech Consulting. “It could easily cause compromises to customer's bank accounts, credit card accounts, loan services, shopping accounts and any other website or service where those credentials are used. It's imperative that people change their passwords on these kinds of sites immediately, as well as on a regular basis, and they should never use the same password for different sites. More fallout will likely come from this as time goes on, but changing passwords is a good immediate step until the rest becomes known.”

Source: Information Security Magazine