• On September 22, 2016, Yahoo announced the discovery of a late 2014 breach that resulted in the leak of some 500 million user account records. Affected data includes names, telephone numbers, email addresses, hashed passwords, dates of birth, and in some cases, security questions and answers.
• Despite speculation that the incident revealed on September 22 might be linked to an August advertisement for the sale of 200 million Yahoo account records on TheRealDeal marketplace by actor “peace_of_mind” (aka “peace”), Flashpoint has received confirmation from a number of credible sources with high confidence that the two incidents are separate.
• Flashpoint assesses that the primary threat caused by the exposure of Yahoo accountholders’ information is “credential stuffing/zombie password” attacks, otherwise known as password reuse attacks.
On Thursday, September 22, 2016, Yahoo revealed that an internal investigation had discovered that user account information belonging to at least 500 million registered Yahoo users had been stolen from the company’s network. The breach, which, according to a Yahoo press release, occurred in late 2014, is believed to be the work of thus far unnamed state-sponsored actors.
Yahoo has stated that the affected articles of information include:
• Telephone numbers
• Email addresses
• Hashed passwords (the majority of which were encrypted with bcrypt)
• Dates of birth
• Some security questions and answers (both encrypted and unencrypted)
The company also noted that payment card and bank account information, as well as plaintext passwords, are not known to have been compromised.
In an attempt to remediate the breach, Yahoo began notifying affected accountholders at 2:30 PM EDT and encouraged them to reset their passwords. The company has also invalidated exposed security question and answer pairs.
During the evening of Wednesday, September 21, rumors began circulating that technology news outlet Recode was preparing to release a piece detailing a substantial breach at Yahoo. On September 22, Recode released its report, which suggested that some 200 million records had been compromised, and directly referenced the activity from actor “peace_of_mind” in early August 2016. This may be the cause of confusion in media reporting surrounding this incident; initially, it was widely-reported that 200 million records had been affected, but Yahoo subsequently revealed that this number was actually upwards of 500 million.
On August 2, 2016, Flashpoint reported on peace_of_mind’s advertisement for the sale of leaked Yahoo data on TheRealDeal marketplace for approximately $1,800 USD in Bitcoin. In fact, peace_of_mind (also known as “peace”) is the same actor behind numerous previous breaches that were subsequently deemed legitimate, including that of LinkedIn. Additional reporting on this actor is available in Flashpoint’s cyber intelligence portal.
Flashpoint has received confirmation from a number of credible sources with high confidence that the Yahoo breach, announced September 22 is not related to the data offered for sale in early August by peace; they are separate incidents. In addition, several facets of peace’s initial advertisement — as well as information from Yahoo’s press release — contradict one another, further strengthen the argument that these incidents are very likely unrelated.
• peace originally claimed that their database is from 2012; Yahoo claims the breach occurred in late 2014.
• peace advertised some 200 million records; Yahoo has stated that upwards of 500 million records were affected.
• peace’s original data sample included country codes; Yahoo did not mention country codes in its press release.
• Yahoo claims that some security questions/answers and telephone numbers were affected. These items did not appear in peace’s original sample on TheRealDeal.
• Flashpoint has no evidence that peace is a state-sponsored actor; Yahoo currently believes a state-sponsored actor to be responsible for the breach.
As of this writing, Flashpoint is not in possession of the leaked 500 million account records and is not aware of advertisements for its sale on the Deep and Dark Web. If this breach is truly the work of state-sponsored actors, the data is unlikely to surface on the criminal underground.
Flashpoint will continue to monitor for changes in this situation and will provide updates as they become available.