Yahoo staff knew they were breached two years ago

In September, just two months after Verizon announced it was planning to acquire the company, Yahoo confirmed earlier reports that the unprecedented number of “at least” half a billion user accounts had been stolen in a 2014 breach.

The disclosure set off rumblings as politicians and others wondered why the public only learned about the attack two years after it happened. How could Yahoo not have known about it all that time?

Now, Yahoo has admitted that some employees did know.

In its quarterly report, filed to the US Securities and Exchange Commission on Wednesday, Yahoo had this to say:

The company had identified that a state-sponsored actor had access to the company’s network in late 2014.

The report didn’t give details about the initial breach, whether it was disclosed to senior management, nor when Yahoo first discovered how extensive it was.

The report said that an independent board committee is investigating those questions.

Someone familiar with the investigation said that Yahoo missed the big picture because the attack wasn’t easy to analyze.

From the Financial Times:

One person familiar with the investigation said Yahoo originally did not have a “full picture” of what happened because of the “sophisticated nature of state-sponsored attacks”.

When it brought in outside experts to investigate the claim of a separate breach, which turned out to be false, it developed a more complete picture, the person said.

The breach led to the theft of information that included users’ names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt, Yahoo said) and, in some cases, encrypted or unencrypted security questions and answers.

Bcrypt is what’s known as a salt-hash-and-stretch password storage system. It’s the same system used by other recently breached companies, including Ashley Madison.

Does that mean we can relax? That the silver lining to the Yahoo breach was its use of bcrypt?

Not necessarily. Good password storage makes it much harder for criminals to crack passwords but not impossible and if your password is weak it may still get cracked. The good news is that cracking bcrypt hashes takes a lot of time and computing resources and delivers seriously diminishing returns.

Yahoo said that forensic experts are also investigating evidence that points to an intruder – believed to be the same “state-sponsored” actor it thinks is responsible for the 2014 breach – having created cookies that could have enabled them to bypass passwords in order to get at users’ accounts or information.

When you log in to a secure website the site gives you a cookie. Every time your browser makes a request to the site it sends that cookie along with the request so that the site knows you’ve been authenticated and doesn’t have to ask for your username and password again. When you log out the cookie is deleted.

If somebody can steal that cookie, or guess how it’s created, they have a key to your account that’s as good as having your password.

The Financial Times source said that the company didn’t believe that forging Yahoo Mail cookies to bypass passwords is currently possible.

Yahoo has been insisting that beyond the $1 million spent on the breach as of September, it won’t have an adverse effect on the bottom line.

Verizon hasn’t been quite so chipper about the potential financial fallout.

Yahoo also noted in the report that it’s currently looking at 23 class action lawsuits stemming from the breach, including suits coming from the US Federal Trade Commission, the US Securities and Exchange Commission, a number of State Attorneys General, and the US Attorney’s office for the Southern District of New York.