The latest cybersecurity scandal, the leak of one billion Yahoo passwords, is a nightmare for the company and its users.
Latest Yahoo Data Leak
Yahoo disclosed this week on its company blog its second massive security breach in two months. After Yahoo's disclosure, Verizon executives find themselves in a delicate position, according to Time. The first Yahoo data breach affected 500 million accounts and was considered at the time the largest corporate hack in history. The latest breach announced by Yahoo this week involved one billion accounts. Both incidents took place years ago, but were only recently announced.
Since Verizon made a $4.8 billion offer to buy Yahoo's online operations, the company's stock had been steadily trading above $40 a share. However, since the news surrounding the latest hack, Yahoo stock plunged 6 percent on Thursday, Dec. 15.
Fortune reported that, according to a statement made by the White House, the FBI is investigating the hack. New York's Attorney General announced that he will also investigate the data breach.
Possible Consequences Of The Yahoo Hack
Bloomberg reported that among the data leak's victims are over 150,000 federal workers, including former diplomats, NSA, CIA and FBI employees. Especially where a government e-mail address identifies an account owner as affiliated with the government or military, this information could be used in various spear-phishing campaigns.
According to Ars Technica, the hack took place in August 2013. Bob Lord, Yahoo's chief information security officer, said that evidence of the data breach was given to Yahoo by "law enforcement officials." Security experts believe that the data was in circulation in underground marketplaces in one form or another and used actively by Internet criminal rings for diverse purposes.
The exposed data included names, personal details, birth dates, additional e-mail addresses and phone numbers in some cases. Such detailed information within the Yahoo accounts could be easily used to identify and target individuals in a number of ways.
The danger associated with the information being in the hands of cybercriminals is very high. Hackers could be using the stolen data for targeted attacks. The Yahoo passwords alone pose a major hazard. They were barely obscured by an MD5 hash, but the strength of the hash key is a major factor for the security of those passwords.
Security experts believe that many of the weaker passwords in the exposed accounts could have been cracked easily. Many MD5 hashes can be easily cracked by hacking tools available online, such as the MD5 Decrypter available on the website hashkiller.co.uk.
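For defenders, the practical lesson of the MD5 exposure described above is how stored credentials should be migrated. The following is an added example, not code from Yahoo or from any source cited in the article: it contrasts a fast MD5 record with a salted PBKDF2 record and upgrades a legacy record on the next successful login. The record formats, function names and iteration count are assumptions, and the article does not say whether Yahoo's MD5 hashes were salted.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_md5(password: str) -> str:
    """Fast, unsalted digest: the weak scheme, kept only for migration."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow record: pbkdf2$<iterations>$<salt>$<digest>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), record)
    if scheme == "pbkdf2":
        iterations, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False


def login(password: str, record: str):
    """Return (ok, record); a legacy MD5 record is upgraded on success."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        record = hash_password(password)  # store this in place of the old record
    return True, record


if __name__ == "__main__":
    # Constructed sample password, not taken from any breach data.
    old = legacy_md5("sunshine1")
    print("MD5 records identical:", old == legacy_md5("sunshine1"))
    print("PBKDF2 records identical:",
          hash_password("sunshine1") == hash_password("sunshine1"))
    print("scheme after login:", login("sunshine1", old)[1].split("$")[0])
```

Identical passwords produce identical MD5 records, so one cracked hash exposes every account sharing that password; the per-record salt and iteration count remove that shortcut and raise the cost of each guess.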
Richard Henderson, global security strategist at end-point security software provider Absolute Software, said that the one billion broken password hashes could provide significant means for attackers attempting to get access to other accounts of the same target. What is very unsettling about the breach is that it took years for Yahoo to discover this major data leak, and that forensic experts and Yahoo still do not know the means by which this compromise occurred.