Yahacking: The Last Straw


“The year 2016 saw a record number of stolen account credentials up for sale on the Dark Web” is something you might have read in one of our previous articles. That being said, MySpace no longer holds this record (with 360 million hacked accounts in 2008).

The turn for the title is now passed on to another multinational thanks to what is better known in the media as the “Yahacking” incident. In a continuous freefall since Google first surfaced, what used to be the most popular internet portal of the year 2000 is now in a very tight spot. The company in question had announced in July that it would be bought by Verizon Wireless. However, in light of recent events, the acquisition is now at risk.

Care to venture a guess of who we might be talking about?

Well, it’s Yahoo! of course.

Yahoo Mail

Last week, Yahoo! announced that the login names and passwords of at least 500 million accounts had been hacked and, with this, admitted to the biggest data breach recorded up until now. And that’s not all: according to public records, the breach had actually taken place in 2014. It is not yet clear whether the company’s management was aware of the incident at the time, but one thing is certain: its credibility has gone down the drain.

Let’s say, for a moment, that the critics are right and that Yahoo! willingly ignored its responsibility to inform users. Taking two years to communicate the details of such a sensitive cyber-attack seems a bit far-fetched, doesn’t it? Unfortunately, news such as this has ceased to amaze us. Think back, for instance, to the LinkedIn affair, when the stolen data only surfaced in June, whereas the breach had in fact occurred in 2012. What’s even sadder is that this delay is completely within the average breach-detection time of current tools.

Linkedin password

But let us not stray too far from our initial topic.

Initially one of the pioneers of the early internet era in the 1990s, Yahoo! is globally known for its Web portal, search engine and other related services, including Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, video sharing, online photo management (Flickr), fantasy sports and its social media website (Tumblr).

In spite of losing its popularity crown over the years, the different services it proposes still attract over a billion users. Some quick math will lead us to realize that one in every two user accounts is now roaming freely in the depths of the Dark Web.

The Yahoo! representatives failed to communicate any information about the nationalities or geographical locations of the compromised accounts. As such, we have no substantial evidence as far as the hackers’ objective is concerned, which is all the more reason to react quickly.

If you are among the users of the above-mentioned services, we hope that, as our loyal readers, you did not wait for this article to come out before changing your password. But, just in case, we shall once more assume the Cybersecurity Jedi Master role and fulfill our duty: if a Yahoo! account you have, change your password you must!

« Better safe than sorry » is a cliché that will forever reign in an IT environment, more so in one preoccupied with cybersecurity. To this we might add that the hackers responsible for the incident did not limit themselves to merely stealing passwords. Oh no, they didn’t. In their greedy quest, they also went after personal account questions (the so-called security questions #i<3irony).

We dare talk here about irony since these questions pose more disadvantages than advantages nowadays. It’s scary to see that the majority of users record a truthful answer during this phase, such as, for example, the name of their first pet, their mother’s maiden name and so on.

Why is it scary? Just think of it like this: if a hacker knows that the name of your first dog was “Cutie”, he/she will undoubtedly put this information to good use. You might think that choosing a password such as “Cutie17” is a good idea, since adding some numbers into the equation never hurts.

While we applaud the effort, this proof of goodwill is completely annihilated by reusing the very word you recorded as the answer to your security question. With such an array of personal intel about their target, hackers can compromise your other accounts faster than ever before by simply relying on a dictionary attack.[1] At the dawn of Cybersecurity 2.0, these questions should be used to confuse cyber-criminals, not to help them build an even bigger database of information about us.
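As an added example (not from the original post), a password-policy check that rejects a new password derived from the user's own recorded security-question answers, so that “Cutie17” is refused when “Cutie” is on file; the answer list and passwords are constructed sample values:

```python
import re
import unicodedata

# Constructed sample: security-question answers recorded on the user's account.
SECURITY_ANSWERS = ["Cutie", "Popescu", "Toulouse"]

# Fold common digit/symbol substitutions so "Cut1e" still matches "cutie".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Lower-case, strip accents, fold leet substitutions, drop non-letters."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", folded)


def find_answer_in_password(password: str, answers, min_len: int = 4):
    """Return the first recorded answer found inside the password, else None.

    Answers shorter than min_len letters are skipped to limit false positives.
    """
    core = normalize(password)
    for answer in answers:
        token = normalize(answer)
        if len(token) >= min_len and token in core:
            return answer
    return None


def validate_password(password: str, answers) -> tuple:
    """Policy check: reject passwords built from security answers or too short."""
    hit = find_answer_in_password(password, answers)
    if hit:
        return False, f"derived from your security-question answer '{hit}'"
    if len(password) < 12:
        return False, "too short (12 characters minimum)"
    return True, "ok"
```

The same check can be fed the user's other profile data (user name, e-mail local part) to catch passwords that a leaked account would hand straight to an attacker.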

Cybersecurity what?

But what is the true impact of a breach such as this one within an enterprise? According to Gartner, 95% of cybersecurity vulnerabilities in 2020 will be caused by user behavior. You might say to yourself that if your Yahoo! Mail account has been hacked, this has nothing whatsoever to do with your job. And that’s where, once again, you are wrong. Why is that? Before drawing a conclusion, just read the following scenarios:

(1) The first scenario concerns the practice of using a single password everywhere, even for your professional accounts (a practice which is highly frowned upon). If you are a supporter of this practice, we advise you to quickly find a new one. We beg your pardon, quickly find new ones – a different and strong password for each and every one of your accounts.

Choosing a password

(2) The second scenario illustrates how the personal data found in the hacked accounts can be used against their owners. In the case of Yahoo! Mail, it is highly likely that hackers will use this information to proceed, hereafter, to more refined targeting through social engineering or phishing techniques and, finally, to find that one entry point into the company you work for. Don’t see the link quite yet?

Take the time to answer the following questions and you’ll have a better idea of what we’re getting at.

Have you already sent an email to one of your co-workers using your personal account? Have you already forwarded a professional email to your personal account? Have you already linked a professional account (Gmail, Outlook, etc.) to your personal account?

If you answered ‘yes’ to these questions, then it’s quite probable that the hackers have already gained access to the following elements: the name of the company you work for, your co-workers’ contacts and all other intel you might have shared with them. Also, depending on the nature of the accounts you might have linked to your Yahoo! Mail (whether or not it is a professional account), the consequences can go from bad to worse in an instant.

From the moment a cyber-criminal has his hands on the key to your digital life, your real life has nothing more to hide. Just by knowing your professional mailing list, hackers can assume your identity to spread malicious attachments in your working environment. And unfortunately, your co-workers might find out a little bit too late the true identity of their correspondent.

The conclusion? Whether we are talking about Yahoo! or any other Web giant, we must be aware of how easy it has become to obtain stolen passwords in today’s increasingly digitalized landscape.

The stakes for a modern enterprise have evolved, as it must find a way to always be one step ahead in the cybersecurity arms race. To do so, businesses must find a solution capable of monitoring and correlating the different characteristics of a suspicious connection, all the while taking into account the context of the network. Because, let’s be honest, “yahacked” is not really an accomplishment we wish to add to the incident track record of 2016.

(About the author: Cristina Ion is community manager at ITrust SAS. This blog originally appeared on the ITrust blog, which can be viewed here)
