Out-Law News | 15 Dec 2016 | 5:01 pm | 2 min. read
The data breach occurred in August 2013 and is separate from another historical incident the company disclosed in September. At that time it said it believed the personal data of at least 500 million Yahoo account holders had been stolen in a "state-sponsored" cyber attack in late 2014. The data breach announced in September was thought at the time to be the largest recorded in history. Yahoo's handling of that incident has been closely observed by data protection authorities.
The latest breach was discovered after a forensic investigation was carried out into "data files" shared with Yahoo by law enforcement in November, Yahoo chief information security officer Bob Lord said in a statement. Yahoo's analysis of that information found that the data appeared to be "Yahoo user data", he said.
Upon "further analysis", Lord said the company believes "an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts". Yahoo has not yet "been able to identify the intrusion associated with this theft", Lord said, but revealed the incident is likely "distinct from the incident" disclosed in September.
Lord explained that a range of personal data of users may have been accessed in the attack.
"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Lord said. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
Lord said that hackers also managed to steal "proprietary code" which they used to create "forged cookies" that would "allow an intruder to access users’ accounts without a password".
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," he said. "We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
Data breach and cyber risk specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that breaches stemming from state-sponsored cyber attacks can be very difficult to detect.
"State-sponsored cyber attacks can take months or even years for organisations to detect, owing to their highly sophisticated nature," Birdsey said. "It can be difficult to identify the origins of attacks, although there may be clues to be found in the methods of attack deployed or within the technical code of malicious software. It is also often difficult to understand the motives of such attacks. State-sponsored hackers may carry out intrusions so as to find out how a business operates and share details uncovered with local companies to help them develop rival services. Alternatively, an attack may be aimed at obtaining data to use to carry out further attacks."
"In many jurisdictions, including the UK, organisations that process personal data must take steps to provide adequate protection against the unauthorised accessing of that information. Businesses that fail to invest in cybersecurity and proactively address known vulnerabilities risk falling foul of data protection laws. Data protection authorities are likely to require businesses to explain any delay between attacks taking place and their detection, as this may indicate the adequacy of the measures organisations have in place to detect data breaches. With state-sponsored attacks so difficult to detect, authorities should provide a degree of leeway to businesses that fall victim to such attacks when assessing the protections in place to detect such intrusions," he said.