Breach may have ripple effects that reach well beyond Yahoo
LONDON — As investors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.
While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.
A big worry is a cybercriminal technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Shape Security.
That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?
Ghosemajumder doesn’t think so. He said he didn’t see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords. It’s conceivable as well that Yahoo passwords have already been used to hack other services; the company said the theft occurred in late 2014, meaning that the data has been compromised for as long as two years.
“It is like an ecological disaster,” Ghosemajumder said. “But pick the right disaster. It’s more like global warming than it is an earthquake . ... It builds up gradually.”
At the moment it’s not known who holds the passwords or whether a state-sponsored actor, which Yahoo has blamed for the breach, would ever have an interest in passing its data to cybercriminals.
Even if the hack was a straightforward espionage operation, Gartner security analyst Avivah Litan said that wouldn’t be a reason to relax.