Canadian pleads guilty to Yahoo hack

Karim Baratov was paid by Russian security agents to break into Yahoo accounts in 2014

A Canadian citizen who helped Russian agents break into Yahoo email accounts during its massive data breach in 2014 has pleaded guilty to charges brought by the US Justice Department.

Karim Baratov, a 22-year-old Canadian citizen, was detained in Canada in March after charges were issued for his arrest and that of two Russian Federal Security Service (FSB) agents for their involvement in the theft of data on over 500 million Yahoo accounts in 2014.

Baratov is one of a number of hackers said to have been paid by FSB agents Dmitry Dokuchaev and Igor Sushchin to break into Yahoo's accounts in an effort to target information relating to Russian officials, industry executives and bankers, according to the indictment.

The actions of the hackers led to the largest data breach in industry history, the full scope of which was eventually revealed by Yahoo in September this year.

As part of his plea, Baratov also admitted to hacking over 11,000 email accounts for the FSB and for other clients between 2010 and 2017.

Baratov has now pleaded guilty to charges of conspiracy to violate the Computer Fraud and Abuse Act, aggravated identity theft, and causing damage to protected computers. As part of his plea agreement, Baratov will face a yet-to-be-determined prison sentence and must pay a fine of up to $2.25 million (1.6 million).

He will be held without bail until his sentencing on 20 February 2018. Given his charge sheet, he could potentially face up to 24 years in jail.

"The illegal hacking of private communications is a global problem that transcends political boundaries," said US attorney Brian Stretch, announcing the guilty plea. "Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year."

"With the assistance of our law enforcement partners in Canada, we were able to track down and apprehend a prolific criminal hacker who had sold his services to Russian government agents. This prosecution again illustrates that we will identify and pursue charges against hackers who compromise our country's computer infrastructure."

So far, Baratov is the only person to have been arrested, although the warrants against the FSB agents still stand.

09/11/2017: Yahoo's ex-CEO blames Russia for 2013 and 2014 hacks

The ex-CEO of Yahoo, Marissa Mayer, told a security hearing on Wednesday that Russia was behind the 2013 and 2014 cyber attacks.

Mayer described how Yahoo reported that attack in late 2014 to law enforcement, including the FBI, and then worked with the authorities to expose the hackers behind the attacks.

"We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems," she said.

She said the Department of Justice and the FBI had announced a 47-count indictment charging four individuals with crimes against Yahoo and its users.

Mayer stressed how seriously she views the threat of cyber attacks and said the company devoted substantial resources to security "with the shared goal of staying ahead of these sophisticated attacks and constantly evolving threats".

"Unfortunately while all of our measures helped Yahoo successfully defend against the barrage of attacks by both private and state sponsored hackers, Russian agents intruded on our systems," she said. "The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe all companies, even the most well defended ones, could fall victim to these crimes."

Despite this, the ex-CEO of Yahoo told the committee that the company has not been able to identify how the attackers stole the data.

Karen Zacharia, Verizon's chief privacy officer, told the hearing that after Verizon had acquired Yahoo it obtained new information from a third party regarding the attacks and promptly conducted a review.

"Based on that review we concluded that all accounts, and not just a subset, were impacted by the 2013 security incident," said Zacharia. "Yahoo then provided further individual notices to the impacted users beginning on October 3rd 2017."

She stressed that the stolen information did not include social security numbers, passwords in clear text or sensitive financial information "like payment card data or bank account information".

Yahoo announced at the start of the month that all of its accounts were affected by the 2013 hack (see below), which tripled the number of victims. The breach was already considered the largest in industry history before that news, when the company believed that only a billion users had been affected.

04/10/2017: Yahoo says all 3 billion user accounts were hit by 2013 hack

Yahoo announced on Tuesday that all three billion of its accounts were affected by a hack in 2013, tripling the number of victims of a data breach already considered the largest in industry history.

In December last year Yahoo publicly disclosed that more than one billion user accounts had been affected by a breach of its systems, leading to $350 million being wiped off the takeover deal by Verizon.

However, Yahoo, a company formed during the earliest days of the internet, has now "obtained new intelligence" that suggests that all three billion of its user accounts were breached.

Announcing the results of a recent investigation, a statement from Verizon subsidiary Oath said that the stolen information included names and addresses, but that clear-text passwords and credit card or transaction information were not among the data taken. The company said it continues to work closely with law enforcement agencies and forensic experts.

"In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account," Yahoo said in the statement.

Unfortunately, experts claimed in December that encryption technologies used on the passwords were out of date and could be easily bypassed, and that password recovery questions and linked email addresses were included in the data dump, increasing the likelihood that other accounts could be targeted.

The news will likely have significant legal implications for Verizon, which completed its acquisition of Yahoo in June for $4.48 billion. As part of those terms, Verizon agreed to share regulatory liabilities for both the 2013 data breach and a second data breach, revealed to have affected 500 million accounts in 2014.

Verizon's CISO Chandra McMahon said that the company is "committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats".

"Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

However, Yahoo currently faces as many as 43 class-action lawsuits over the 2013 and 2014 hacks, according to a company filing in May, a figure that is almost certainly going to increase. John Yanchunis, the lawyer representing Yahoo customers, said the cases had stalled because a federal judge required more information to legally justify his clients' claims.

Speaking to Reuters, Yanchunis said: "I think we have those facts now. It's really mind-numbing when you think about it."

Rich Campagna, CEO at Bitglass, said that a hack affecting the entirety of a company's customer base is something unprecedented in the industry. "It's difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely," said Campagna. "Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm."

In response to the news, US Senate chairman John Thune said that a hearing will be held later in the month that will cover two massive data breaches at both Yahoo and Equifax, according to Recode. In those reviews, the Senate will decide whether "new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come."

25/04/2017: Yahoo CEO Marissa Mayer will make $186 million from Yahoo sale

Yahoo CEO Marissa Mayer will earn $186 million through the sale of Yahoo to Verizon if the deal goes through, according to securities filings detailing the stocks and shares Mayer owns; the figure does not include her salary or severance package.

Mayer owns Yahoo shares worth approximately $77 million, stock options valued at more than $84 million, and about $25 million of restricted-stock units, giving a total of $186 million. The current share price for Yahoo is $48.15, although the company has predicted it to fall to $38.59 when the deal goes through.

Shareholders were invited to attend a special meeting where they will vote on the proposed sale. This includes the golden parachute compensation, which Mayer and other executives will receive if the sale goes through, where Mayer will gain an additional $23,011,448.

Following the revelations of the Yahoo hacks affecting 1.5 billion users, Mayer lost $9 million from her severance package. When she first announced in January that she was going to leave the company, it was rumoured that she would make $53 million, although it turned out this was what she would have received if Verizon had forced her to step down.

Verizon's takeover of Yahoo is expected to close in June, after the data breaches knocked $350 million off the deal, leaving Verizon with a purchase price of $4.83 billion. While Yahoo will retain its brand under Verizon, it and AOL will form a new media division called Oath.

While Mayer will leave Yahoo, AOL boss Tim Armstrong will lead the division, which will also include The Huffington Post, TechCrunch, Tumblr and BrightRoll.

15/03/2017: Marissa Mayer gets $23m parting gift from Yahoo

Yahoo's departing CEO Marissa Mayer will receive $23 million from Verizon as she bids farewell to the search giant. Although it's a rather attractive figure, if Yahoo hadn't been hacked last year, she would have been taking home an extra $9 million.

The news was revealed in regulatory documents filed at the beginning of the week, which explained Mayer would be given $3 million in cash, $24,000 in benefits, and $19,971,367 in equity for her "golden parachute" payment.

The cash payment Mayer will receive comprises $1 million in salary payments, a $2 million bonus payment and $15,000 in "outplacement services".

However, when Mayer first announced her intention to step down from the company, it was rumoured her payout would be $53 million, almost double what she is getting. According to Gizmodo, that amount would only have been granted had she been sacked following the Verizon takeover rather than resigning.

Other executives receiving "golden parachute" payouts are Ken Goldman who will be paid almost $9.5 million, Lisa Utzschneider with a $16.5 million payment and David Filo who will be presented with $66,415.

Mayer revealed in January that she would be leaving Yahoo when the Verizon deal closed, although the value of the acquisition was decreased by $350 million as a result of the data breach that resulted in the company losing 200 million customer records.

Thomas McInerney, Yahoo board member and former CFO of IAC, will take over from Mayer.

16/02/2017: Yahoo alerts users to new malicious account activity

Yahoo has issued fresh warnings to users about unauthorised activity on their accounts following a previously disclosed cookie forging campaign.

The troubled company, which is in the middle of an acquisition deal with Verizon, notified users on Wednesday that intruders had gained access to their accounts between 2015 and 2016 by forging the cookies that keep a user signed in without re-entering a password.

The cookie forging hack, a separate incident from the two massive data breaches in 2013 and 2014, involved intruders exploiting Yahoo's proprietary code to create fake cookies that granted access to accounts without needing a password. The warnings issued to users say that some of the cookie forging has been linked to the same hacker believed to be responsible for the breach of 500 million accounts in 2014.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," the email reads, according to the International Business Times. "We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on the 22nd September 2016."

The alerts appeared alongside news that Verizon had managed to shave off around $250 million from the $4.83 billion deal to acquire Yahoo, in the wake of the two previous data breaches, according to a report by Bloomberg citing sources close to the agreement.

"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used," a Yahoo spokesperson said in a statement sent to IT Pro.

"Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."

IT Pro understands that Yahoo's security investigation is in its final stages, with most affected users now notified.

Yahoo is currently under investigation by the US Securities and Exchange Commission, to assess whether the company acted soon enough to alert investors and the public to the discovery of the data breaches, which collectively affected around 1.5 billion users. It also faces probes from the US Federal Trade Commission and the FBI.

24/01/2017: Yahoo admits delay to Verizon deal

Verizon's takeover deal of Yahoo has been pushed back to the second quarter of 2017.

Yahoo has admitted the acquisition deal will no longer take place in the first three months of 2017, due to "work required to meet closing conditions", although the company is working "expeditiously to close the transaction as soon as practicable in Q2".

In a company earnings statement, Yahoo CEO Marissa Mayer described the past year, in which Yahoo disclosed two historic hacks affecting 1.5 billion users, as "uniquely eventful", but said upcoming opportunities with Verizon remain "bright".

Although the $4.8 billion deal is taking longer than predicted, the news is not all bad for Yahoo, which posted better-than-expected quarterly profits, including a 15% gain in revenue from this time last year.

Yahoo's fortunes have taken a turn for the better thanks to its thriving mobile and social advertising business Mavens, which saw a 25% rise in revenue to $590 million.

"I'm very pleased with our Q4 results and incredibly proud of the team's execution on our 2016 strategic plan," said Mayer. "We continued to build our mobile and native businesses, while operating the company at the lowest cost structure in a decade."

"Our top priority continues to be enhancing security for our users. Our commitment to our users is unwavering, and we continue to be encouraged by their loyalty to us and their ongoing patronage of our products," she added.

That loyalty has certainly been tested over the last few months, after Yahoo disclosed two of the largest data breaches in industry history, affecting more than 1.5 billion users. Although Yahoo has not given specific reasons for the delay to the deal, continued fallout from those revelations is likely causing headaches for both sides, with Verizon rumoured to be seeking a lower sale price.

The US Securities and Exchange Commission is currently investigating Yahoo's practices to assess whether the company disclosed news of the hack soon enough to its investors and the public.

However, it appears from the latest earnings report that the company has been able to mitigate some of that fallout, managing to buck analyst expectations.

But the company did see losses, with gross revenue for Yahoo's search platform falling by 6% to $821 million, as the company struggles to compete against Google. Desktop revenue also fell to $3.46 billion for the full year, down from $3.5 billion in 2015. Of the 1 billion total users the company claims to have, 650 million of those use mobile devices.

23/01/2017: US authorities probe Yahoo hacks

The US Securities and Exchange Commission (SEC) has launched an investigation into the previously disclosed breach of user data at Yahoo, according to a company quarterly filing.

Yahoo stated it was "cooperating with federal, state and foreign" authorities in a filing from November 2016, first unearthed this week by the Wall Street Journal, as agencies began investigations into a "security incident".

One of those agencies, the SEC, is assessing whether the company should have informed investors sooner after the discovery of two massive data breaches in 2013 and 2014, according to a report by the WSJ, citing anonymous sources close to the matter.

Yahoo made headlines in September 2016 when it reported a data breach affecting 500 million user accounts in 2014, and again in December 2016 when a second, more significant leak was discovered involving more than one billion users, dating back to 2013.

The SEC issued requests in December 2016 for information and documents, according to the sources, to discern exactly when Yahoo found out about the cyber attacks, and whether subsequent disclosures complied with civil securities laws and SEC guidelines.

Following reports of the 2014 hack, US senator Mark Warner approached the SEC in September to request an investigation into Yahoo's practices and whether the company had fulfilled obligations to inform investors and the public.

Yahoo has yet to explain why it took almost two years to disclose the breach publicly, despite having known about the leak in 2014.

The SEC is among a number of authorities investigating the company, including the Federal Trade Commission and the US Attorney's Office in Manhattan, according to the filing. The sources have stated that the investigation is in its early stages, and it is currently unclear if further action will be taken against Yahoo.

The $4.8 billion takeover deal of Yahoo by Verizon has faced mounting pressure following the discovery of the breaches and the subsequent sale of leaked data on the dark web. Verizon is still set to go ahead with the deal, but is likely to negotiate down the price before a final agreement is struck.

IT Pro has approached Yahoo for comment.

15/12/2016: Yahoo faces pressure from Verizon as accounts 'are sold on dark web'

Verizon has moved to secure a better deal on its acquisition of Yahoo's internet business, following this week's revelation that a 2013 hack affected more than one billion user accounts.

The US network firm first announced plans to buy Yahoo's business in July for $4.8 billion, but economic fallout from the discovery of two massive data breaches in 2013 and 2014 means the company is now seeking amendments to the original proposal.

The largest US wireless carrier is likely to go ahead with the deal but seeks "major concessions" following recent news of the largest hack in industry history, according to Reuters sources close to the matter.

In October, Verizon stated it was reassessing the deal after the discovery of a hack in 2014 affecting 500 million user accounts. The latest hack has forced Verizon to "review the impact of this new development before reaching any final conclusions" on the deal.

Sources claim that Verizon is willing to go to court to renege on the deal if Yahoo does not adjust the offering price. Shares in the California-based internet service fell more than 6% on Thursday after news of a second data breach.

When asked about the deal, a Yahoo spokesperson told IT Pro: "We are confident in Yahoo's value and we continue to work towards integration with Verizon."

Pressure from Verizon came as reports suggest the leaked database affecting over 1 billion users has already been sold on the dark web.

The leak was first discovered by security researcher Andrew Komarov, who found a leaked database of Yahoo user details being sold by an Eastern Europe-based hacking group he had been tracking, according to statements received by Bloomberg. The hackers, which he calls "Group E", are considered professional cybercriminals who typically sell leaked information to spammers, and are unlikely to be working for any specific nation.

Komarov, chief intelligence officer at InfoArmor, said that three unknown users had paid $300,000 for full copies of the leaked database, two of whom are known spammers. The seller gave one buyer a list of 10 details belonging to US government officials to verify authenticity, which led Komarov to speculate that the buyer was part of a foreign intelligence agency.

The researcher suspected that Yahoo had been hit by a second attack when news of a 2014 hack in September revealed a leaked database that differed from the one he had discovered. InfoArmor was able to intercept the database as it was being sold and alerted Yahoo to the discovery in October; Yahoo confirmed it this week.

"The difference of [the] Yahoo hack [to] any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge," said Komarov speaking to Bloomberg.

"The Yahoo hack makes cyber espionage extremely efficient," added Komarov. "Personal information and contacts, email messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands."

Although Yahoo blamed the first hack on a third-party state-sponsored hacker, the company has been silent on who may have carried out the second, much larger attack.

15/12/2016: US senator calls for probe of Yahoo security following hack

A senior Democratic senator has said he would launch an investigation into Yahoo's security practices after a second massive data breach was reported on Thursday affecting over 1 billion user accounts.

The hack, which is now the largest on record, was reportedly carried out in 2013 when an unauthorised third party accessed data containing over 1 billion user details, potentially including names, telephone numbers and hashed passwords.

Following Thursday's news of another data breach, Senator Mark Warner of Virginia announced he would be seeking to probe Yahoo security protocols to establish how such a significant amount of user data could have been stolen.

"This most recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defences have been so weak as to have compromised over a billion users," said Warner, in a statement to Reuters.

Warner, who is set to become the leading Democrat on the Senate Intelligence Committee in 2017, said he had also made repeated attempts to contact Yahoo for a briefing covering the first reported hack in 2014, which affected 500 million accounts, but failed to get a reply.

"If a breach occurs, consumers should not be first learning of it three years later," added Warner. "Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites."

Following the hack in 2014, the senator approached US security services to investigate Yahoo's actions and whether it sufficiently met obligations to inform the public of the breach.

Yahoo has said that the stolen information did not include passwords in clear text or any financial details; however, users have been urged to take steps to secure their accounts and to replace their security questions and answers.

15/12/2016: Yahoo hack: More than one billion Yahoo accounts hacked

Yahoo has confirmed that more than a billion user accounts have been hacked in a security breach back in 2013. The breach could scupper its acquisition by Verizon.

The internet firm said in a statement that it believed an unauthorised third party stole data associated with more than one billion user accounts in August 2013. It said it has not been able to identify the intrusion associated with this theft.

It added that this was "distinct from the incident the company disclosed on September 22, 2016", when it revealed 500 million email addresses had been hacked back in 2014.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
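The detail that the stolen passwords were "hashed (using MD5)" is the same weakness the December warnings about outdated password protection refer to, and it is easier to see in code than in prose. The following is an added example, not code from the original article or from Yahoo: it contrasts unsalted MD5, where a single precomputed table covers every user in a dump, with a salted and iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library), and shows how a defender can wrap existing legacy MD5 values in the stronger scheme immediately, without waiting for users to log in again. The wordlist, the sample stored hashes and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the common-password lists a
# defender uses to audit exposure; real audits use far larger lists.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]

# Demo iteration count; production deployments should use a substantially
# higher count tuned to the hardware that performs logins.
PBKDF2_ITERATIONS = 100_000


def md5_hex(password):
    """Legacy, unsalted MD5 storage format: the weak scheme under discussion."""
    return hashlib.md5(password.encode()).hexdigest()


def precompute_md5_table(words):
    """One table serves for every user because unsalted MD5 has no per-user input."""
    return {md5_hex(w): w for w in words}


def audit_unsalted_md5(stored_hashes, table):
    """Defender-side exposure check: which stored MD5 values equal a common password's hash?"""
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password_pbkdf2(password, salt=None):
    """Salted, iterated hash. The random per-user salt makes precomputed tables useless
    and the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def wrap_legacy_md5(legacy_md5_hex):
    """Migrate an existing MD5 row at once: PBKDF2 over the MD5 digest.
    The plaintext is not needed, so a whole table can be upgraded in one pass."""
    return "md5+" + hash_password_pbkdf2(legacy_md5_hex)


def verify_wrapped(password, stored):
    """Check a wrapped row: recompute the legacy MD5, then verify the PBKDF2 layer."""
    if not stored.startswith("md5+"):
        return False
    return verify_pbkdf2(md5_hex(password), stored[len("md5+"):])


def demo():
    """Audit a constructed legacy table, then upgrade it and confirm logins still work."""
    table = precompute_md5_table(COMMON_PASSWORDS)
    # Constructed "leaked" rows: two users on common passwords, one on a strong passphrase.
    legacy_rows = {
        "user1": md5_hex("qwerty"),
        "user2": md5_hex("password"),
        "user3": md5_hex("correct horse battery staple"),
    }
    exposed = audit_unsalted_md5(legacy_rows.values(), table)
    upgraded = {u: wrap_legacy_md5(h) for u, h in legacy_rows.items()}
    return {
        "exposed_count": len(exposed),
        "user1_login_ok": verify_wrapped("qwerty", upgraded["user1"]),
        "user1_wrong_pw": verify_wrapped("password", upgraded["user1"]),
        # Same password hashed twice yields different rows because the salt differs.
        "salted_same_pw_differs": hash_password_pbkdf2("qwerty") != hash_password_pbkdf2("qwerty"),
    }


if __name__ == "__main__":
    print(demo())
```

The wrapping step is the part that matters operationally after a breach like this one: the legacy MD5 values in the database are replaced in bulk, so a copy of the table taken later no longer matches any precomputed MD5 lookup, and the row can be rehashed directly from the plaintext the next time the user logs in.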

Yahoo said that its investigations indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information. "Payment card data and bank account information are not stored in the system the company believes was affected," the firm said.

It has notified affected users and taken steps to secure their accounts. It has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.

In a separate issue, Yahoo said that outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password.

"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," said the firm.

It said that it had connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed in September this year.
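Both the February 2017 item above and this December 2016 section describe intruders who learned from Yahoo's proprietary code how to forge the cookies that stand in for a password, and Yahoo's response of invalidating those cookies. The following is an added example, not Yahoo's code and not a description of its cookie format: it sketches how a server makes a login cookie forgery-resistant and revocable. The cookie body is signed with a server-side HMAC key, and each user carries a session generation counter that is bumped to void every cookie issued before. The key, user names and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key. A real deployment keeps this out of source
# code (and out of anything an intruder could read) and rotates it on compromise.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"

# Per-user session generation. Bumping it invalidates every cookie issued before,
# whether stolen, forged or legitimate, without touching the signing key.
SESSION_GENERATION = {"alice": 1}


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def _sign(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, key=SECRET_KEY, now=None, ttl=3600):
    """Build 'body.tag': the body names the user, their generation and an expiry."""
    now = int(time.time()) if now is None else now
    body = _encode({"u": user, "g": SESSION_GENERATION[user], "exp": now + ttl})
    return f"{body}.{_sign(body, key)}"


def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the user name for a valid cookie, or None for anything else."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    # Constant-time tag check before any field in the body is trusted.
    if not hmac.compare_digest(tag, _sign(body, key)):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < now:
        return None
    # Generation mismatch means the session was invalidated after the cookie was issued.
    if payload["g"] != SESSION_GENERATION.get(payload["u"]):
        return None
    return payload["u"]


def invalidate_sessions(user):
    """The 'invalidated the forged cookies' step: every cookie for this user becomes void."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1


def _alter_body(cookie, new_user):
    """Test helper: change the claimed user but keep the original tag."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["u"] = new_user
    return f"{_encode(payload)}.{tag}"


def demo():
    """Issue one cookie and show which variants the server rejects."""
    SESSION_GENERATION.setdefault("alice", 1)
    now = 1_700_000_000  # constructed fixed clock for reproducibility
    good = issue_cookie("alice", now=now)
    results = {
        "valid": verify_cookie(good, now=now),
        "expired": verify_cookie(good, now=now + 7200),
        # A cookie produced with any key other than the server's fails the tag check.
        "wrong_key": verify_cookie(issue_cookie("alice", key=b"some-other-key", now=now), now=now),
        "altered_body": verify_cookie(_alter_body(good, "bob"), now=now),
    }
    invalidate_sessions("alice")
    results["after_invalidation"] = verify_cookie(good, now=now)
    return results


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes invalidation possible even in the situation the article describes: if the intruder learned enough from the code to produce a correctly signed cookie, the signing key has to be rotated (which rejects every cookie at once), while the per-user counter held in server-side state lets the operator void only the affected accounts' sessions.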

The latest breach could threaten to derail its impending sale to Verizon, because the acquisition would mean that Verizon may become liable for these breaches. This could result in Verizon offering less for the purchase of the troubled web giant.

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said: "Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline - just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected."

Paul German, CEO at encryption firm Certes, told IT Pro in a written statement that, with Yahoo suffering two of the largest hacks in history, its attitude to cyber security has been called seriously into question.

"Yahoo is relying on an outdated cybersecurity model which takes a 'protect, detect, react' approach which simply does not work. The problem lies in the fact that once inside a network, there is a significant delay before a hacker is detected, leaving them free to move uninhibited, accessing vast quantities of sensitive data and wreaking havoc," he said.

Brian Laing, vice president at malware detection firm Lastline, added that firms too often fail to account for the magnitude of potential losses when resourcing preventative measures.

"Perhaps a Yahoo - Verizon deal adjustment may stand as a sober reminder how important it is to get a state-of-the-art cyber defence strategy in place," he said.

10/11/2016: Yahoo says its employees knew about the hack in 2014

In a securities filing on Wednesday, Yahoo said some of its employees knew that a "state-sponsored actor" had broken into its network two years ago.

This was the attack that led to the theft of data such as names, dates of birth and passwords associated with more than 500 million accounts. It is considered to be one of the largest-ever data breaches affecting a private company.

The company did not state whether, at the time, this attack was disclosed to senior management.

Yahoo first revealed a data breach had taken place on 22 September this year. It said the hack was discovered while investigating a hacker's claim of possessing some Yahoo user data.

The Yahoo filing also said that the company was investigating "certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information."

The company plans to sell its internet operations to Verizon for $4.8 billion. Pinning down whether employees knew or when they found out about the attack has therefore become a priority for the deal to be carried through.

The deal with Verizon had been agreed a couple of months before the data breach was made public, and Verizon will want to learn more about how the breach happened and how it was dealt with.

31/10/2016: EU data watchdogs demand answers about Yahoo hack

Europe's data watchdogs have expressed concerns over Yahoo's alleged systematic email surveillance and the leak of 500 million user credentials.

In a letter delivered to the US email provider last Thursday, the Article 29 Data Protection Working Party (WP29) described the 2014 data breach, which only emerged in September, as "deeply concerning", and said it is duty-bound to protect "the significant number of EU data subjects" who may have been affected.

"It is of the utmost importance that Yahoo devote significant resources to understand, communicate and address all aspects of this unprecedented data breach and notify the adverse effects to the data subjects using the services that your company provides," said the letter from the WP29, which comprises all 29 EU member states' data protection regulators.

"This must be carried out in a quick, comprehensive and easily understood manner, so that Yahoo users across Europe will understand any action they need to take as a result of the breach," added the WP29.

It urged Yahoo to cooperate fully with any investigations and queries, and deliver specific information which is "of interest" to the authority. This includes the content of the data, consequences of the 2014 breach and the number of people affected in each European country.

The letter, signed by chairwoman Isabelle Falque-Pierrotin, also addressed the "concerning" mass surveillance Yahoo allegedly conducted, with the firm accused of using a systematic search of all incoming user emails at the request of the US government.

"It will be important to understand the legal basis and justification for any such surveillance activity," said the letter, "...including an explanation of how this is compatible with EU law and the protection of EU citizens."

"We are aware of the letter from the Article 29 Data Protection Working Party and will work to respond as appropriate," said a Yahoo spokesperson, in an email to IT Pro.

The EU privacy group also delivered a letter to WhatsApp on Friday, expressing "serious concerns" over the way the messaging app handles its users' private data. The letter urged WhatsApp to halt all plans to share data with its parent company Facebook until "appropriate legal protections can be assured."

19/10/2016: Yahoo profits bloom despite hack

Yahoo's quarterly profits were better than analysts had anticipated, despite the company's recently disclosed hack of 500 million people's account details.

The data breached during the hack included customers' names, email addresses, telephone numbers, personal details and passwords, according to Yahoo CISO Bob Lord.

Verizon, which was looking to buy Yahoo for $4.83 billion, expressed concern last week, saying that the hack could have a material impact on the deal.

However, Tuesday's results showed that the hack had no major effect on the number of Yahoo customers. Yahoo said the results actually showed growth in page views and email account usage.

Contrary to expectations, Yahoo's quarterly profits more than doubled, reaching $163 million. Yahoo CEO Marissa Mayer said: "We launched several new products and showed solid financial performance across the board."

As Yahoo continues to lose share in the digital advertising market, these positive financial results are more likely to reflect good cost management than growth.

Analysts are still unsure whether Verizon's acquisition of Yahoo will go ahead. Although most do not expect the deal to be cancelled outright because of the hack, its price and contract terms could be renegotiated.

Mayer said: "In addition to our continued efforts to strengthen our business, we are busy preparing for integration with Verizon. To that end, we take deep responsibility in protecting our users and the security of their information. We're working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends."

11/10/2016: Yahoo disables email forwarding

Users of Yahoo mail are unable to forward emails to external accounts, as the feature has been "temporarily disabled".

According to a brief post on its support forums, Yahoo has blocked users from using the 'automatic forwarding' function while it works to develop the feature further.

Users would normally be able to have copies of their incoming messages forwarded automatically to other accounts, such as Hotmail or Gmail. However, users began complaining at the beginning of the month that this feature had been blocked, according to the Associated Press.

Yahoo said in the post: "This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses."

Yahoo user Brian McIntosh, speaking to the Associated Press, said forwarding has been "a basic concept for 15 years for just about every email provider out there. All of a sudden it's under development, and only at Yahoo".

"That all this has ceased to function when they have been getting a lot of press seems extremely dubious to me," added McIntosh.

In September Yahoo revealed a record-breaking hack of personal information, affecting at least 500 million customers in 2014.

More recently, the company was found to have secretly built custom software to scan incoming emails, allowing the US government to conduct surveillance on its users' messages.

IT Pro approached Yahoo to ask why it has disabled this function and whether the decision was related to the data breach, but we have yet to receive a reply.

What is certain is that the move makes it harder for users to migrate to other email providers, something that is likely happening on a large scale right now.

27/09/2016: Yahoo 'using unsecured certificates'

Yahoo has not taken the necessary steps to close security gaps that could leave customers open to further attacks, it has been claimed.

Security firm Venafi Labs examined Yahoo's use of cryptography and digital certificates and reported some troubling findings.

According to the firm, which combined its own data with data from the global certificate intelligence database TrustNet, 27% of the certificates on external Yahoo sites have not been reissued since the beginning of last year.

This is despite reissuing certificates being a common and critical step in mitigating a breach: replacing them ensures that attackers who may have obtained the old keys can no longer read or impersonate encrypted communications.

Venafi also claimed that, based on its research, Yahoo may lack the ability to find and replace digital certificates quickly, as only 2.5% of those in use were issued within the past three months.

The firm also accused Yahoo of using outdated and insecure cryptographic algorithms, in particular the MD5 and SHA-1 hash functions. MD5 is, for example, the weakness exploited by the Flame family of malware. SHA-1 certificates, meanwhile, will no longer be accepted by most major browser vendors as of January 2017.

Hari Nair, director of product management and cryptographic researcher for Venafi, said: "Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication. Collectively, they pose serious questions about whether Yahoo has the visibility and technology necessary to protect encrypted communications and ensure its customers' privacy.

"Our research has led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture."

A source familiar with the matter told IT Pro: "The vast majority of hashed passwords stolen by what we believe was a state-sponsored actor are bcrypt protected, and only a small percentage of passwords are protected with MD5.

"As we said, we're notifying potentially affected users and we've taken steps to secure their accounts, including recommending that users who haven't changed their passwords since 2014 do so."

23/09/2016: Yahoo hack: 500 million people's account details stolen 'by nation state hacker'

Yahoo has confirmed that at least 500 million people's account details were stolen by a state-sponsored hacker.

The data breach included people's names, email addresses, telephone numbers, dates of birth, hashed passwords and even security questions and answers, Yahoo CISO Bob Lord explained.

The search giant, which said the hack took place in late 2014, does not believe the stolen data included any payment card details, unprotected (clear-text) passwords or bank account information.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network," Lord said in a post on Tumblr. "Yahoo is working closely with law enforcement on this matter."

News of the hack first emerged yesterday from Recode, but it is not yet clear whether the stolen account details are related to a data dump of 200 million Yahoo accounts made available on the dark web last month.

The hacker who collated those records and put them up for sale online, going by the moniker Peace, said the details were from "2012, most likely".

Yahoo is now in the process of notifying customers who may be affected, asking them to change their passwords or to use a different method of confirming their identity.

It has invalidated any unencrypted security questions and answers, and urged customers to use Yahoo Account Key, a two-factor sign-in method first rolled out in March this year, which sends a push notification to the user's smartphone whenever they log in to their email.

The huge batch of exposed credentials dwarfs Dropbox's 61 million, which were leaked online in August following a hack in 2012 and which likewise led Dropbox to urge users to change their passwords.

Lord added: "An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."

22/09/2016: Yahoo expected to confirm massive data breach

Yahoo has been hit by a massive data breach, according to leaked reports, which the company is expected to confirm later today.

Sources told Recode's Kara Swisher - long a top source for Yahoo news - that the hack affects several hundred million users, calling it "widespread and serious".

The hack comes at an awkward time for Yahoo, which is selling much of its business - including customer data - to Verizon as part of a $4.8 billion deal.

Details are scarce, as Yahoo has yet to confirm the attack, but the breach appears to be related to the apparent leak of 200 million accounts earlier this year by a hacker known as "Peace". At the time, Yahoo did not confirm whether that leak was genuine, stating only that it was "aware" of the incident.

IT Pro asked Yahoo for confirmation of the attack, but has yet to hear back. However, users have started to see messages to change their passwords.

Nikki Parker, vice president at security firm Covata, criticised Yahoo's security measures. "In this case, last month, the hacker claimed that the data was hashed with a MD5 algorithm, coding that simply isn't robust enough to secure data," Parker said in a statement. "You'd hope that Yahoo would've since thought about adopting more advanced encryption technology that secures data in individual pieces rather than in large sets, as well as empowering it to rigorously control access."

Parker claimed that Yahoo's slow response was "surprising", adding: "It should have encouraged customers to change their passwords and now, potentially, more than 200 million people are at risk and have been for some time."

If the hack is confirmed, CensorNet CEO Ed Macnair said, the usual advice applies. "Change your username and passwords across sites and with business accounts," he said in a statement.

"Not only is personal data at risk here, but people often use such logins at work. That is always a huge issue for companies. Everyone should stay vigilant to suspicious activity and it would be advisable to get some new passwords ready just in case."
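Two entries above touch the same technical point: the Yahoo source who said most stolen password hashes were bcrypt-protected with "only a small percentage" still on MD5, and Covata's Nikki Parker, who called MD5 "simply not robust enough". The following Python is an added example, not code from the article, Yahoo, Venafi or Covata, sketching what a provider half-way through such a migration looks like on the server side: why unsalted MD5 records are weak (identical passwords give identical records, and the hash is fast enough to test at scale), and how legacy records are upgraded transparently at login, the only moment the plaintext is available. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption, since bcrypt needs a third-party module); the record format, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Record format used in this example (constructed, not Yahoo's):
#   legacy:  "md5$<hex digest>"                               unsalted, fast
#   current: "pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>" salted, slow
# PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: the article names
# bcrypt, which is not in the Python standard library).
PBKDF2_ITERATIONS = 200_000


def md5_legacy(password: str) -> str:
    """Legacy record: unsalted MD5. Two users with the same password get
    identical records, so a single recovered hash exposes every reuse of it."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated record. A fresh random salt per user means equal
    passwords yield different records and precomputed tables are useless;
    the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record type with a constant-time compare."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(digest, rest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def needs_upgrade(stored: str) -> bool:
    """True for any record still on the legacy scheme."""
    return not stored.startswith("pbkdf2_sha256$")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, rehash a legacy record in place.
    Login is the only point at which the plaintext is available, so it is
    the only point at which an unsalted MD5 record can be upgraded."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        users[username] = strong_hash(password)
    return True


def legacy_share(users: Dict[str, str]) -> float:
    """Fraction of records still on the legacy scheme: the figure a breach
    disclosure like Yahoo's ("only a small percentage ... MD5") is quoting."""
    if not users:
        return 0.0
    return sum(needs_upgrade(h) for h in users.values()) / len(users)


if __name__ == "__main__":
    # Constructed sample table: two legacy users sharing a password, one migrated user.
    table = {
        "alice": md5_legacy("correct horse"),
        "bob": md5_legacy("correct horse"),
        "carol": strong_hash("correct horse"),
    }
    print("identical legacy records:", table["alice"] == table["bob"])
    print("legacy share before login:", round(legacy_share(table), 3))
    login(table, "alice", "correct horse")
    print("legacy share after alice logs in:", round(legacy_share(table), 3))
```

The design point is that the migration never needs the plaintext stored anywhere: records are upgraded one login at a time, and `legacy_share` lets the operator track how much of the table is still exposed to the weak scheme. Accounts that never log in again stay on MD5, which is why a forced password reset (as Yahoo issued) is the only way to finish such a migration.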
