Yahoo password breach could have ripple effects
Security experts warn consumers of ‘credential stuffing’
LONDON — As investors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.
While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.
“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,” said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter .
A big worry is a cybercriminal technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, chief technology officer of Mountain View, Calif.based Shape Security.
That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of accounts.
“It becomes a numbers game for them,” Ghosemajumder said.
Yahoo said the theft occurred in late 2014, meaning that the information has been compromised for as long as two years.
The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July.
Several weeks later, a cybercriminal using the handle “Peace” came forward with 5,000 samples — and the claim to be selling 200 million more.
On Aug. 1 Cox published a story on the sale, but the journalist said he never established with any certainty where Peace’s credentials came from.
He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace’s sample used a second.
Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether.
“With the information available at the moment, it’s more likely to be the latter,” Cox said Tuesday.
Even if the hack was an espionage operation, Gartner security analyst Avivah Litan said that wouldn’t be a reason to relax. Spies can mine trivial-seeming data from apparently random citizens to tease out their real targets’ secrets.
“That’s how intelligence works,” Litan said.