Yahoo is expected to confirm a data breach that exposed hundreds of millions of credentials dating back four years. A report published today by Recode intimates that the total number of exposed credentials will be higher than the 200 million initially reported in early August.
A request for comment made to Yahoo was not returned in time for publication. The news comes as Verizon continues toward a $4.83 billion acquisition of Yahoo’s operating business.
The Yahoo breach would be among the largest credential leaks this year, which has already been littered by a number of high-profile, high-volume exposures of passwords and personal account information. Most of those, however, have involved large caches of older user information and credentials accumulated from sources online from a number of past breaches.
LeakedSource, a subscriber-based aggregator of personal data found online, told Threatpost that two files containing Yahoo credentials have been available for years: a sample text file containing 5,000 credentials, and an encrypted file containing 40 text files claiming to be from Yahoo.
“We have both of them as well as the decryption key for the 40 text files which we determined to be fake,” LeakedSource said. “The 5,000 sample however may be real and provide enough evidence for Yahoo to begin resetting passwords.”
The files do not include dates, but the headers include a user ID, username, country, recovery email, date of birth, recovery phone number and recovery key.
“It would not be difficult for us to obtain 5,000 users with Yahoo accounts, and then create a fake list with their country, recovery email, and birthday as well as phone number,” LeakedSource said. “Only Yahoo would know if it’s real because 5,000 is too small.”
Already this year, Twitter, MySpace, LinkedIn, Tumblr, TeamViewer, Vkontakte and others have been forced to reset user passwords because of massive dumps of stolen credentials online.
News of the Yahoo leak bubbled to the surface in August when a Russian hacker known as Peace, or peace_of_mind, put the credentials up for sale for three Bitcoin on a Dark Web site called The Real Deal. Yahoo said at the time it was aware of the claim and trying to determine the facts of the matter. Many of the credentials, however, were either expired or had been changed since 2012, reducing the value of the leaked data. Yahoo, for its part, did not issue a password reset for its users.
The greater security issue hanging over the Yahoo leak, and all the others this year, is password reuse. Experts continue to urge users to choose unique, strong passwords, or to use a password manager. But with users facing an overwhelming number of passwords for personal and business use, reusing them is tempting. Experts caution strongly against the practice because attackers can match up usernames and credentials from a multitude of leaks and, knowing just one password, gain access to many of a user’s accounts.
“This won’t be just a Yahoo incident, but an incident against every account that reused a password,” said Troy Hunt, a researcher who runs the Have I Been Pwned service. “It may mean an attacker has had access to other accounts, and for how long?”
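The pattern Hunt describes has a defender-side footprint: credentials replayed from a third-party leak show up as one source trying many different accounts in a short span, most of them failing. The following is an added example (not code from the article or from Yahoo) that runs that check over a few constructed auth log lines; the log format, field order and thresholds are assumptions for illustration.

```python
"""Flag credential-replay patterns in constructed auth log lines.

Added example. Assumed log format (one event per line):
    <ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs. 203.0.113.7 cycles through many
# distinct accounts with mostly failures (a leaked list being replayed);
# 198.51.100.9 is one user who mistypes a password once.
SAMPLE_LOG = """\
2016-09-22T10:00:01 203.0.113.7 alice LOGIN_FAIL
2016-09-22T10:00:02 203.0.113.7 bob LOGIN_FAIL
2016-09-22T10:00:02 203.0.113.7 carol LOGIN_OK
2016-09-22T10:00:03 203.0.113.7 dave LOGIN_FAIL
2016-09-22T10:00:04 203.0.113.7 erin LOGIN_FAIL
2016-09-22T10:00:05 203.0.113.7 frank LOGIN_FAIL
2016-09-22T10:00:20 198.51.100.9 alice LOGIN_FAIL
2016-09-22T10:00:35 198.51.100.9 alice LOGIN_OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def detect_credential_replay(log_text, window=timedelta(minutes=1),
                             min_distinct_users=5, min_fail_ratio=0.6):
    """Return {src_ip: (distinct_users, attempts, failures)} for every source
    whose events inside some `window`-long span touch at least
    `min_distinct_users` accounts with a failure ratio >= `min_fail_ratio`.

    A single account failing repeatedly (a forgotten password) never meets
    the distinct-user bar, so it is not flagged; that is the point of
    counting accounts rather than raw failures.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if (len(users) >= min_distinct_users
                    and failures / len(span) >= min_fail_ratio):
                # Keep the widest matching span seen for this source.
                flagged[ip] = (len(users), len(span), failures)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_credential_replay(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {failures} failures")
```

The one success buried in the flagged source's attempts is exactly the account that reused a password, and the account a defender would reset first.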
Hunt said Peace’s involvement in the Yahoo leak or breach gives it a measure of legitimacy, given the rash of other confirmed leaks the hacker has been involved in. In a June interview with Wired’s Andy Greenberg, Peace said he/she was part of a hacking team that had disbanded, and that another hacker known as Tessa88, who was involved in leaking Twitter credentials and other password dumps, had started selling stolen credentials without permission from the criminal gang. This, Peace said, prompted him to start selling as well. Peace also said he was in possession of about a billion more credentials from the same time frame.
“It’s tricky. On the one hand, you’ve got a historical incident. You can’t do anything about the data that’s out there or that happened long ago,” Hunt said. “This is after-the-horse-has-bolted-the-barn stuff. If it’s legitimate, it’s going to be old data. One of the problems you’ve got with breaches from that era is that the acceptable norms for storing password data were quite different than today.”
The Yahoo data is reportedly hashed with MD5, an algorithm long considered broken and one that most providers have moved away from. The same goes for SHA1, the hashing algorithm reportedly used by LinkedIn to protect its credentials.
“That’s part of the problem with these legacy breaches. Today with faster CPUs and attacks against older algorithms, they’re ripping them to shreds,” Hunt said.
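What "moving away from it" looks like in practice is a verify routine that still accepts the legacy unsalted MD5 records but rewrites each one as a salted, deliberately slow hash the first time its owner logs in successfully. The following is an added example (not Yahoo's, LinkedIn's or any library's code) using only the Python standard library; the `md5$...` and `pbkdf2_sha256$iterations$salt$hash` record formats and the iteration count are assumptions for illustration.

```python
"""Verify stored password records and upgrade legacy unsalted MD5 ones.

Added example. Record formats assumed for illustration:
    md5$<hex digest>                                  (legacy, unsalted)
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>  (current)
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed; tune to your login latency budget


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Build a current-format record. A fresh 16-byte random salt means two
    users with the same password get different records, so a leaked table
    cannot be matched against one precomputed lookup; the iteration count
    makes each guess cost far more than one MD5 computation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_md5_record(password):
    """Model of a 2012-era record: one fast, unsalted MD5 digest. Present only
    so the migration path below has realistic input to work on."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_and_upgrade(record, password):
    """Return (ok, record_to_store).

    For a current record, record_to_store is the input unchanged. For a
    legacy record that verifies, it is a freshly salted PBKDF2 record, so the
    store converges to the stronger format as users log in, with no
    plaintext ever retained. Comparisons use hmac.compare_digest to avoid
    leaking match position through timing.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, rest)
        return ok, (hash_password(password) if ok else record)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest_hex), record
    raise ValueError(f"unknown password scheme: {scheme!r}")


def remaining_legacy(records):
    """Count records still in the legacy format; a migration progress metric."""
    return sum(1 for r in records if r.startswith("md5$"))


if __name__ == "__main__":
    store = {"user1": legacy_md5_record("example-passphrase")}  # constructed
    ok, store["user1"] = verify_and_upgrade(store["user1"], "example-passphrase")
    print(ok, store["user1"][:14], remaining_legacy(store.values()))
```

Accounts whose owners never log in keep their legacy records indefinitely, which is why a migration like this is normally paired with a forced reset for dormant accounts rather than left to run on its own.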
Hunt compared the data in these breaches to a historical snapshot of how security was done, the days when forgotten passwords were sent to users in plaintext, for example.
“People have short-term memory as to how we consistently did things like this only a few years ago,” Hunt said.