
Yahoo's Second Breach: 3 Billion Accounts


Remember in September when we wrote about Yahoo's 500 million account breach and called it the biggest in history? Well, Yahoo just topped themselves. Yesterday they disclosed a separate breach, this one from 2013, that affected 1 billion accounts. (Update: Yahoo would later revise this to 3 billion, meaning every Yahoo account ever created.)

Let me repeat that: every. Single. Account.

So in the span of three months, Yahoo has disclosed two separate massive breaches, one from 2013 and one from 2014, neither of which they told anyone about until 2016. This is a company in the process of being acquired by Verizon for $4.8 billion. The acquisition is now in serious jeopardy, and honestly, it should be.

What This Breach Includes

The 2013 breach data includes:

  • Names and email addresses
  • Phone numbers and dates of birth
  • Hashed passwords (MD5, which is woefully outdated)
  • Security questions and answers (unencrypted in some cases)
  • Forged cookies that allowed attackers to access accounts without passwords

The forged cookies are new and particularly alarming. This means attackers could log into Yahoo accounts without knowing the password at all. They created authentication cookies that Yahoo's systems accepted as legitimate. This is a fundamental compromise of Yahoo's authentication infrastructure.
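To make the "MD5 is woefully outdated" point above concrete, here is an added illustration (not code from Yahoo or from this post) contrasting unsalted MD5 password storage with a salted, deliberately slow KDF; the sample users, their shared password and the choice of scrypt as the replacement are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same password.
USERS = {"alice": "Summer2013!", "bob": "Summer2013!"}


def md5_store(password):
    """The outdated scheme named in the post: unsalted MD5.
    Fast to compute, and the same password always yields the same digest,
    so one cracked digest exposes every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_verify(password, stored):
    return hmac.compare_digest(md5_store(password), stored)


# Assumed replacement: scrypt with a random per-user salt (stdlib hashlib).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def scrypt_store(password, salt=None):
    """Salt + memory-hard KDF: identical passwords produce different records,
    and each guess costs the attacker far more than one MD5 call."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def scrypt_verify(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users):
    """Return (all MD5 digests identical?, all scrypt records distinct?)."""
    md5s = {md5_store(p) for p in users.values()}
    scrypts = {scrypt_store(p) for p in users.values()}
    return len(md5s) == 1, len(scrypts) == len(users)


if __name__ == "__main__":
    print(compare_schemes(USERS))  # (True, True)
```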

What's Different from the September Disclosure

This is a separate incident. Different attackers (Yahoo believes), different time period (2013 vs. 2014), different scale (3 billion vs. 500 million). The fact that Yahoo experienced two separate mega-breaches in consecutive years without detecting either for years suggests a systemic security failure, not a one-time incident.

If You Haven't Already...

After our September post, hopefully you already:

  • Changed your Yahoo password
  • Changed security questions on all accounts
  • Enabled two-factor authentication
  • Checked for password reuse across services

If you didn't do those things in September, do them now. The urgency just doubled.

And add one more action: seriously consider deleting your Yahoo account entirely. If you don't actively use Yahoo services, there's no reason to leave an account with your personal data sitting on servers that have been compromised twice in two years.

The Business Lesson

The Yahoo breaches are a case study in what happens when a company doesn't invest in security. Reports suggest that Yahoo's security team was understaffed, that executives resisted investments in encryption and detection capabilities, and that the security team's concerns were repeatedly overruled.

For smaller businesses, the lesson isn't that you need a massive security budget. It's that you need to listen when your IT people tell you there's a problem. When your IT provider recommends upgrading your firewall, or implementing better email security, or conducting a risk assessment, those aren't upsells. They're attempts to prevent exactly the kind of disaster that's unfolding at Yahoo.

Security is an investment. The alternative, as Yahoo is discovering, is much more expensive.

2016: The Year of the Breach

We're going to do a full year-in-review post soon, but even a quick summary is staggering:

  • Hollywood Presbyterian ransomware ($17K ransom paid)
  • Panama Papers (11.5 million documents from a law firm)
  • LinkedIn (117 million passwords)
  • Equifax (431,000 tax records)
  • SWIFT banking attacks ($91 million stolen)
  • Shadow Brokers (NSA hacking tools leaked)
  • Yahoo (500 million + 3 billion accounts)
  • Dyn DDoS (half the internet went down)

If 2016 doesn't convince you that cybersecurity matters, nothing will. Stay safe out there.