An investigation into the two recently disclosed Yahoo security incidents found a connection between the actors involved and led researchers to conclude that the claim of 200 million accounts stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.

Then, earlier this month, Yahoo confirmed that attackers, who the company believes were sponsored by a nation state, breached its systems in 2014 and stole data on at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.

Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.

InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.

However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.

Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.

Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.

According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.

InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.

Yahoo breach aftermath

News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.

Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.

Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.

Mayer has reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.

Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is also said to have rejected a proposal to reset all user passwords, fearing that the move would drive more users away from its services.



SecurityWeek RSS Feed

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey of Casey Gerry Schenk Francavilla Blatt & Penfield told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo! had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®


The Register - Security

Yahoo officially acknowledged it was the victim of one of the largest data breaches in history in which data from at least 500 million user accounts was stolen.

The Yahoo breach took place in late 2014, but it wasn't confirmed until a "recent investigation." Yahoo didn't provide a specific timeline of events, but Flashpoint confirmed it recently found 200 million Yahoo accounts for sale on the deep web.

"On August 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor "peace_of_mind" (otherwise known as "peace") for the sale of some 200 million Yahoo account credentials," Vitali Kremez, cybercrime intelligence senior analyst at Flashpoint, told SearchSecurity via email. "Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers."

Various news outlets have reported that the sale of the Yahoo accounts on the deep web is what first prompted Yahoo to investigate a potential mega breach. The Yahoo breach follows other high-profile data breaches at companies such as LinkedIn and Dropbox that have exposed user emails and information.

Keatron Evans, senior security researcher and principal of Blink Digital Security, said Yahoo needs to provide more details about the attack. "What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?" Evans said. "This slow response could become a PR nightmare that damages the company's reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."

In a statement, Yahoo said it believes the attack was state-sponsored, though no specific nation was named. Yahoo also attempted to reassure users that their most valuable data had not been compromised.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo wrote. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

J. Paul Haynes, CEO of eSentire, said it was good to see Yahoo not jumping to conclusions with attribution.

"The timing of this breach is curious, given Yahoo's pending sale; however it's a bit premature to place blame with a state-sponsored attacker," Haynes said. "Attribution is a slippery slope and nearly impossible without a complete case file, which neither Yahoo nor the investigators have at this point."

Complicating matters further, Verizon is in the process of purchasing Yahoo for $4.8 billion. The deal is still under regulatory review. A Verizon spokesperson said the company only learned of the mega breach at Yahoo this past Tuesday and currently has "limited information and understanding of the impact" of it.

Adam Levin, chairman and founder of IDT911, said data breaches should be considered a new certainty in life along with death and taxes. "All users of Yahoo email must immediately change not only their Yahoo user IDs and passwords but also any duplicate login information used to access other accounts," Levin said. "As we live in an environment where breaches have become the third certainty in life, it is essential that consumers protect themselves by using long and strong passwords, which are never shared across their universe of social, financial, retail and email accounts and updated routinely; enable two-factor authentication; and are always on guard against phishing attacks."

Yahoo suggested users review their online accounts for any suspicious activity, change account details, avoid clicking suspicious links and use the Yahoo Account Key two-factor authentication tool.

Brett McDowell, executive director of the FIDO Alliance, said this should be a warning to everyone that strong passwords alone may not be enough. "Cyber criminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud. We need to take that ability away from criminals and the only way to do that is to stop relying on passwords all together," McDowell said. "The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication."

Vishal Gupta, CEO of Seclore, said the fallout from this attack could be devastating. "This nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously," Gupta said. "Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes."


SearchSecurity: Security Wire Daily News


The account details of well over 43 million users were stolen when the online music service was hacked back in 2012.

In June 2012, the company advised all users to change their passwords after hackers posted password hashes to a password cracking forum. The company also made some improvements to how passwords were stored after it admitted that it had been using the MD5 algorithm with no salt.

No one knew exactly how many accounts had been stolen. Now, breach notification service LeakedSource claims to have obtained the data and counted 43,570,999 accounts. The leaked data includes usernames, email addresses, passwords, dates of registration and some internal data.

While the incident was first disclosed by the company in June 2012, some reported at the time that the breach actually took place several months earlier. LeakedSource has now confirmed that the website was hacked on March 22, 2012.

LeakedSource managed to crack 96 percent of the unsalted MD5 hashes within two hours. An analysis of the passwords has shown that many of them are not only easy to crack, but also very easy to guess (e.g. 123456, password, lastfm and 123456789).

Dropbox was also hacked in 2012, and experts revealed this week that attackers had compromised more than 68 million accounts. However, unlike the music service, Dropbox used salted SHA-1 and bcrypt to protect user passwords.

SecurityWeek has reached out to the company for comment and will update this article if it responds.
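The difference between the unsalted MD5 that let LeakedSource crack 96 percent of this dump in two hours and the bcrypt that protected most Yahoo and Dropbox passwords comes down to two properties: a salt defeats the shared lookup table, and a slow derivation makes each remaining guess expensive. The following is an added example written for this page, not LeakedSource's tooling or any vendor's code; the accounts, passwords and six-word wordlist are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship.

```python
"""Why an unsalted MD5 dump cracks in hours while a salted, slow hash does not.
Example added by the editor; the accounts, passwords and wordlist are
constructed, and PBKDF2-HMAC-SHA256 stands in for bcrypt."""
import hashlib
import os

# Constructed wordlist: the kind of guesses that cracked most of the dump.
WORDLIST = ["123456", "password", "lastfm", "123456789", "qwerty", "letmein"]


def md5_unsalted(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed leak rows, in the unsalted form the 2012 dump used.
LEAKED_MD5 = {
    "alice@example.com": md5_unsalted("123456"),
    "bob@example.com": md5_unsalted("lastfm"),
    "carol@example.com": md5_unsalted("password"),
    "dave@example.com": md5_unsalted("Tr0ub4dor&3"),  # not in the wordlist
}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Without a salt, equal passwords give equal hashes, so one table of
    len(wordlist) MD5 computations serves every row in the dump, however
    large; each row is then a dictionary lookup.
    Returns (cracked, hash_operations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_salted(pw: str, salt: bytes, iterations: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def store_salted(pw: str) -> tuple:
    """What a sensibly designed service stores: a random per-user salt plus a
    deliberately slow derivation (bcrypt in Yahoo's and Dropbox's case)."""
    salt = os.urandom(16)
    return salt, pbkdf2_salted(pw, salt)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """With per-user salts no shared table exists: every guess must be
    re-derived for every user, so the cost is users x guesses x iterations.
    Returns (cracked, derivations_performed)."""
    cracked, derivations = {}, 0
    for email, (salt, digest) in records.items():
        for w in wordlist:
            derivations += 1
            if pbkdf2_salted(w, salt) == digest:
                cracked[email] = w
                break
    return cracked, derivations


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: {len(found)}/{len(LEAKED_MD5)} cracked with {ops} hashes")
    plain = [("alice@example.com", "123456"), ("bob@example.com", "lastfm"),
             ("carol@example.com", "password"), ("dave@example.com", "Tr0ub4dor&3")]
    salted = {e: store_salted(p) for e, p in plain}
    found, ops = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {len(found)}/{len(salted)} cracked with {ops} "
          f"derivations of 50000 iterations each")
```

The same three weak passwords fall either way; what changes is the price. The unsalted table costs six MD5 calls for the whole 43-million-row dump, while the salted run needs a fresh slow derivation per user per guess, and two users with the same password still get different stored digests, so nothing learned about one account transfers to another.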

LeakedSource says it has already added 2 billion leaked records to its databases and it’s currently working on processing other mega breaches.

“We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all,” the company said.

The list of old mega breaches that came to light this year affected companies such as Mail.Ru (25 million), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). The leaked credentials have also been used in password reuse attacks targeting Netflix, Facebook, GitHub, Twitter and others.


SecurityWeek RSS Feed

Twitter suspends 360,000 accounts for terrorist ties

Twitter continues to fight to keep terrorist groups and sympathizers from using its service.

The social network announced today that in the last six months it has suspended 235,000 accounts for violating its policies related to the promotion of terrorism. In February, Twitter reported that it had suspended 125,000 accounts since mid-2015 for terrorist-related reasons.


That means Twitter has suspended 360,000 accounts since the middle of last year.

"Since that [February] announcement, the world has witnessed a further wave of deadly, abhorrent terror attacks across the globe," the company wrote in a blog post. "We strongly condemn these acts and remain committed to eliminating the promotion of violence or terrorism on our platform."

Twitter also reported that daily suspensions are up more than 80% since last year, with spikes in suspensions immediately following terrorist attacks.

"Our response time for suspending reported accounts, the amount of time these accounts are on Twitter, and the number of followers they accumulate have all decreased dramatically," the company said. "As noted by numerous third parties, our efforts continue to drive meaningful results, including a significant shift in this type of activity off of Twitter."

There has been increasing focus on trying to keep terrorist groups, whether it's ISIS or homegrown white supremacists, from using social networks like Twitter and Facebook to communicate, call for attacks and to recruit new members.

Democratic presidential nominee Hillary Clinton even raised the issue during her acceptance speech at the Democratic National Convention last month. "We will disrupt their efforts online to reach and radicalize young people in our country. It won't be easy or quick, but make no mistake - we will prevail," Clinton said.

Social media, including sites like YouTube and instant messaging service Telegram, have been used for years. Those sites are fighting back, too.

Facebook previously reported that it has suspended accounts it found were associated with radicalized groups.

Today, Twitter noted that it not only is suspending accounts, but is making it harder for those suspended to return to the platform.

"We have expanded the teams that review reports around the clock, along with their tools and language capabilities," Twitter said. "We also collaborate with other social platforms, sharing information and best practices for identifying terrorist content... Finally, we continue to work with law enforcement entities seeking assistance with investigations to prevent or prosecute terror attacks."

This story, "Twitter suspends 360,000 accounts for terrorist ties" was originally published by Computerworld.

We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use.

Many web apps and services offer the option of using QR codes for logging into the service: chat apps like WhatsApp and Weibo, email service QQ Mail, e-commerce services like Alibaba and Aliexpress, and others.

As detailed by Seekurity Labs researcher Mohamed Abdelbasset Elnouby, QRLJacking (i.e. Quick Response Code Login Jacking) is a method for tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code.

A QRLJacking attack follows these basic steps:


Ultimately, the attacker can take over the victim’s account completely and gather information about the victim’s device and its current location.

“All the attackers need to do to initiate a successful QRLJacking attack is write a script that regularly clones the expirable QR codes and refreshes the ones displayed on the phishing website they created,” says Elnouby.

He demonstrated the attack against a WhatsApp user in a video.

More details about the attack vector, its usability, possible mitigations, and PoC attack code can be found on GitHub.
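The attack works because the QR code is nothing more than a login token for whichever browser requested it, and the phone app that scans it has no way to tell whose browser that was. The simulation below is an added example written for this page; it is not Seekurity's PoC and not any real service's protocol, and the endpoint names, client descriptions and the `confirm` hook are assumptions. It models the honest flow, the attacker's "clone and refresh" loop from the quote above, and the one mitigation that actually changes the outcome: showing the user where the login request came from before the app approves it.

```python
"""QR-code login and the QRLJacking relay against it, as a simulation.
Example added by the editor: not Seekurity's PoC or any real service's
protocol; client descriptions and method names are made up."""
import secrets
import time


def _clock(now):
    return time.time() if now is None else now


class QRLoginServer:
    """Minimal QR login: a browser requests a login token, renders it as a QR
    code and polls; the phone app scans the token and posts it together with
    the user's identity, which logs in whichever browser requested it."""

    def __init__(self, ttl: float = 20.0):
        self.ttl = ttl
        self.pending = {}    # token -> {"created": ts, "client": description}
        self.sessions = {}   # token -> authenticated user

    def new_login_token(self, client_desc: str, now=None) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"created": _clock(now), "client": client_desc}
        return token

    def scan_from_phone(self, token, user, confirm=None, now=None) -> bool:
        entry = self.pending.get(token)
        if entry is None or _clock(now) - entry["created"] > self.ttl:
            return False                      # unknown or expired token
        # Mitigation hook: show the requesting browser's description on the
        # phone and let the user refuse. Without it the app approves blindly,
        # which is exactly what QRLJacking relies on.
        if confirm is not None and not confirm(entry["client"]):
            return False
        self.sessions[token] = user
        del self.pending[token]
        return True

    def poll(self, token):
        return self.sessions.get(token)       # None until a phone approves


class PhishingPage:
    """Attacker side: holds a login token for the attacker's own browser and
    re-requests it once it expires, so the QR shown to the victim is always
    one the server will still accept (the clone-and-refresh loop)."""

    def __init__(self, server, now=None):
        self.server = server
        self.desc = "attacker browser, unknown location"
        self.issued = _clock(now)
        self.token = server.new_login_token(self.desc, self.issued)

    def serve_qr(self, now=None) -> str:
        now = _clock(now)
        if now - self.issued > self.server.ttl:
            self.issued = now
            self.token = self.server.new_login_token(self.desc, now)
        return self.token


def qrljack(server, victim_user, confirm=None, now=None):
    """Victim opens the phishing page and scans the attacker's QR with the
    real app; returns whom the attacker's browser session is now logged in as,
    or None if the login was refused."""
    now = _clock(now)
    page = PhishingPage(server, now)
    token = page.serve_qr(now)
    server.scan_from_phone(token, victim_user, confirm, now)
    return server.poll(token)


if __name__ == "__main__":
    print("blind approval:", qrljack(QRLoginServer(), "victim"))
    own = lambda desc: desc.startswith("victim laptop")
    print("user checks origin:", qrljack(QRLoginServer(), "victim", own))
```

Short token lifetimes are not a defence on their own: the attacker's page re-requests a token as soon as the old one expires, so the victim always scans a live one. What breaks the relay is binding the approval to information the victim can verify, here the `confirm` callback standing in for an app screen that names the requesting browser and location and asks before logging it in.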

Help Net Security