[BreachExchange] Youch! Yahoo Coughs Up 500M Records And 2016 Crosses 2B Records Compromised
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Sep 23 15:07:54 EDT 2016
https://www.riskbasedsecurity.com/2016/09/youch-yahoo-coughs-up-500m-records-and-2016-crosses-2b-records-compromised/
Today Yahoo confirmed their systems were compromised in late 2014,
resulting in the single largest data breach disclosed to date. The
intrusion resulted in the compromise of at least 500 million records
including customer names, email addresses, telephone numbers, dates of
birth, hashed passwords and, in some cases, security questions and answers.
This Yahoo announcement makes this the largest breach that we have ever
tracked (surpassing the recent MySpace breach at 360M), and also the total
number of records compromised in 2016 now stands at 2,066,205,412. Yes, we
have crossed the 2 BILLION mark for the first time ever!
As the news unfolded, it became clear there was more to this story. Some
sources were quick to make a connection between today’s announcement and an
August 1st report of another incident involving Yahoo user data. Just 7
weeks ago, it was revealed that 200 million Yahoo usernames, hashed
passwords, dates of birth, and some back-up email addresses, were being
offered for sale on The Real Deal forum by the hacker known as Peace. The
assumption was made that today’s announcement was somehow a confirmation of
the legitimacy of that breach and that the two events were actually the
same occurrence.
However, the press announcement offered by Yahoo and the facts around the
August disclosure clearly did not align. The press release indicated the
attack took place in 2014 while the data offered for sale on The Real Deal
appeared to date from 2012. That would indicate the records emanated from
an attack that terminated well before 2014. What’s more, attribution for
the 2014 incident is being placed at the feet of the ubiquitous
“state-sponsored actor.” There have been no reports linking Peace to state
sponsored activity or an APT group. This raised doubts the two events were
connected.
After we reached out to Yahoo, sources close to the investigation confirmed
our suspicion. The two events are not related. This summer’s disclosure
sparked an internal investigation at Yahoo. To date, investigators have not
uncovered evidence substantiating the August claim that data for 200
million+ Yahoo user accounts was compromised. However, inside sources went
on to state that after investigating the hacker’s claims, the internal
security team opted to conduct a “deep dive review” of Yahoo systems. In
the course of doing so, they identified the 2014 activity and confirmed an
eye-popping 500 million records compromised from that event.
With over 2,700 breaches reported and more than 20 incidents impacting 10
million or more records, we can’t help but wonder where will we be at the
close of 2016. How many more mega-breaches are lurking in the shadows,
waiting to come to light? And how much bigger can they get?
Today Yahoo confirmed their systems were compromised in late 2014,
resulting in the single largest data breach disclosed to date. The
intrusion resulted in the compromise of at least 500 million records
including customer names, email addresses, telephone numbers, dates of
birth, hashed passwords and, in some cases, security questions and answers.
This Yahoo announcement makes this the largest breach that we have ever
tracked (surpassing the recent MySpace breach at 360M), and also the total
number of records compromised in 2016 now stands at 2,066,205,412. Yes, we
have crossed the 2 BILLION mark for the first time ever!
As the news unfolded, it became clear there was more to this story. Some
sources were quick to make a connection between today’s announcement and an
August 1st report of another incident involving Yahoo user data. Just 7
weeks ago, it was revealed that 200 million Yahoo usernames, hashed
passwords, dates of birth, and some back-up email addresses, were being
offered for sale on The Real Deal forum by the hacker known as Peace. The
assumption was made that today’s announcement was somehow a confirmation of
the legitimacy of that breach and that the two events were actually the
same occurrence.
However, the press announcement offered by Yahoo and the facts around the
August disclosure clearly did not align. The press release indicated the
attack took place in 2014 while the data offered for sale on The Real Deal
appeared to date from 2012. That would indicate the records emanated from
an attack that terminated well before 2014. What’s more, attribution for
the 2014 incident is being placed at the feet of the ubiquitous
“state-sponsored actor.” There have been no reports linking Peace to state
sponsored activity or an APT group. This raised doubts the two events were
connected.
After we reached out to Yahoo, sources close to the investigation confirmed
our suspicion. The two events are not related. This summer’s disclosure
sparked an internal investigation at Yahoo. To date, investigators have not
uncovered evidence substantiating the August claim that data for 200
million+ Yahoo user accounts was compromised. However, inside sources went
on to state that after investigating the hacker’s claims, the internal
security team opted to conduct a “deep dive review” of Yahoo systems. In
the course of doing so, they identified the 2014 activity and confirmed an
eye-popping 500 million records compromised from that event.
With over 2,700 breaches reported and more than 20 incidents impacting 10
million or more records, we can’t help but wonder where will we be at the
close of 2016. How many more mega-breaches are lurking in the shadows,
waiting to come to light? And how much bigger can they get?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160923/e7c8cf4a/attachment.html>
More information about the BreachExchange
mailing list