
In our previous newsletter, we examined what happened in the Yahoo data breach. This week, we’ll look at Yahoo’s security failings to see what we can learn from it.
Password hashing failures
Many of Yahoo’s passwords were hashed with bcrypt for storage, which is a reasonable approach for keeping them safe, even if attackers manage to access the database. However, some of the passwords were hashed with MD5, which is a weak hashing algorithm that isn’t designed for password storage. This meant that once the hackers had access to Yahoo’s database, they may also have been able to compromise the user passwords. Ultimately, it probably didn’t matter too much in the context of Yahoo’s systems, because the hackers were able to access user accounts without usernames and passwords.
Problems with authentication cookies
It’s clear that something was very wrong with how Yahoo implemented its authentication system. The court filings state that the attackers were able to use nonces (unique cryptographic values) to forge authentication cookies which enabled them to bypass the normal authentication method of usernames and passwords. The nonces were stored alongside each record in the user database, so once the hackers had the database, they also had access to each of the accounts.
However, not a lot of information has been released regarding Yahoo’s systems, so it’s hard to say exactly what Yahoo did wrong here. What is clear is that you should never be able to just bypass username and password authentication.
On top of this, Yahoo could have stored the nonce elsewhere. Any secret value that can grant this type of access should be stored securely away from the matching user records. If the value and the user records are in the user database, hackers only have to penetrate one system and they have access to all user accounts.
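To make the point concrete, here is an added example (not Yahoo's code, whose design is not public) of a session-cookie scheme in which the only secret needed to mint a cookie is a server-side signing key held outside the user table; the key store and user table are hypothetical dicts standing in for a KMS and a database:

```python
import base64
import hashlib
import hmac
import time

# Hypothetical secrets store, separate from the user database (think KMS/HSM).
COOKIE_SIGNING_KEYS = {"k1": b"constructed-example-key-do-not-reuse"}

# Hypothetical user table: password hashes only, no cookie-minting secret,
# so a dump of this table alone cannot be turned into valid session cookies.
USER_DB = {
    "alice": {"uid": 1001, "pw_hash": "<pbkdf2-placeholder>"},
    "bob": {"uid": 1002, "pw_hash": "<pbkdf2-placeholder>"},
}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(username, key_id="k1", ttl=3600, now=None):
    """Mint a cookie bound to a user and an expiry, signed with a server-side key."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}|{key_id}".encode()
    mac = hmac.new(COOKIE_SIGNING_KEYS[key_id], payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(mac)

def verify_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = b64d(payload_b64)
        username, expiry, key_id = payload.decode().split("|")
        expiry, mac = int(expiry), b64d(mac_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    key = COOKIE_SIGNING_KEYS.get(key_id)
    if key is None or expiry < now:
        return None  # unknown key id or expired
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None  # payload altered, or MAC not made with the server key
    return username if username in USER_DB else None
```

Nothing in a USER_DB row feeds into the MAC, which is the property the nonce-in-database design lacked; key rotation is handled by adding a new key id and retiring the old one.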
Late notification
The public didn’t find out about the Yahoo data breach until September 2016. The breach began some time in early 2014, but Yahoo’s security team didn’t discover the breach of its user database until the end of that year. According to an SEC filing, “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.”
This is a serious failure on the part of Yahoo. The fact that Yahoo didn’t report the breach publicly for nearly two years after its own discovery put the affected users at risk. If the company had notified them earlier, they could have changed their passwords and taken other actions to help mitigate their risks from the information exposure. The SEC filing even states that the hackers continued to target the database well after Yahoo had discovered the breach.
Ultimately, Altaba—a company that is essentially the remnants of Yahoo—was fined $35 million by the SEC for failing to disclose the breach within an appropriate timeframe. The big takeaway here is that we need to take breach notification seriously. Not only is it a requirement in many jurisdictions, but notifying both the public and the authorities can play a vital role in mitigating the effects of a breach. People can’t take their own actions to protect themselves if they don’t even know that their account has been compromised.