Earlier this September, Yahoo announced a record-breaking data breach that exposed 500 million accounts. The company has announced yet another data breach that was twice as large; one billion user accounts were affected.
First Reported Data Breach
According to Yahoo, the first data breach occurred in 2014, before it started applying some security protections in 2015. Half a billion accounts were exposed, including information such as names, email addresses, telephone numbers, dates of birth, and hashed passwords, as well as encrypted or unencrypted security questions and answers.
The company said at the time that the attacker was no longer in its networks and that users’ accounts should be safe.
New Data Breach
According to Yahoo’s new security team, the newly discovered data breach happened before the other one, in August 2013. An unauthorized party, which Yahoo couldn’t identify, gained access to Yahoo’s servers and one billion user accounts.
As with the other data breach, exposed information included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
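The detail that matters most in that list is the hashing algorithm. Unsalted MD5 is fast and produces the same digest for the same password in every account, so once a dump leaks, one hash computation per candidate password checks every account at once, and common passwords fall immediately. The Python below is an added example, not Yahoo's code: it runs a defender-side audit of a constructed MD5 credential store against a constructed common-password list to estimate how many accounts a leak would expose, and then shows the usual remediation, salted PBKDF2-HMAC-SHA256 with a work factor, migrated transparently at the user's next successful login. User names, passwords and the wordlist are all made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: a legacy store holding plain unsalted MD5 digests,
# the scheme the article reports for the leaked accounts (users are hypothetical).
LEGACY_STORE: Dict[str, str] = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"c0rrect-h0rse-battery-staple").hexdigest(),
}

# Constructed stand-in for a common-password list; real audits use far larger lists.
COMMON_PASSWORDS = ["123456", "password", "password1", "letmein", "qwerty"]

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware allows
PREFIX = "pbkdf2_sha256$"


def exposure_from_dump(store: Dict[str, str]) -> Dict[str, str]:
    """Audit: which accounts in an unsalted-MD5 dump fall to a single pass over a
    common-password list.  Because there is no salt, one digest per candidate is
    compared against every account, which is what makes the exposure so large."""
    lookup = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    return {user: lookup[h] for user, h in store.items() if h in lookup}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash.  Each account gets its own random salt, so a
    candidate password must be re-derived per account, at ITERATIONS cost each."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accept both record formats so existing users keep logging in during migration."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Legacy unsalted MD5 record; constant-time compare avoids a timing side channel.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def login_and_upgrade(store: Dict[str, str], user: str, password: str) -> bool:
    """Verify the login; on success, rewrite a legacy record in the new format.
    The plaintext is only available at login, so this is when migration happens."""
    stored = store.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith(PREFIX):
        store[user] = hash_password(password)
    return True


if __name__ == "__main__":
    store = dict(LEGACY_STORE)
    print("exposed before migration:", exposure_from_dump(store))
    login_and_upgrade(store, "alice@example.com", "password1")
    print("exposed after alice logs in:", exposure_from_dump(store))
```

The audit deliberately checks only a tiny list; its purpose is to show why unsalted MD5 records are effectively plaintext for any account with a common password, and why the migrated record, which has a per-user salt and a slow derivation, does not share that property. Records that never log in again should be treated as compromised and forced through a reset rather than left in the legacy format.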
Alleged NSA Connections
Earlier this October, not long after the first data breach was reported, there were some other reports backed by multiple Yahoo sources that the company was not only scanning everyone’s emails for the U.S. government, but also that it allowed the NSA to install kernel-level malware. This would’ve given the NSA free rein on Yahoo’s servers, and it would’ve allowed the agency to see any email, not just those that were the target of an investigation.
Although this backdoor was seemingly installed in 2015, as we keep on seeing, government-mandated backdoors always end up being used by other malicious parties, eventually. That could mean that the 2013 and 2014 Yahoo data breaches may not be the last we’re going to see from the company, especially when it still doesn’t seem to take security too seriously even today.
Verizon Acquisition In Doubt
Verizon has been in talks with Yahoo over the possibility of an acquisition since before the data breaches were announced. Yahoo knew at least about the 2014 data breach when the negotiations with Verizon started, but it doesn’t seem to have told Verizon about it. Verizon has since asked Yahoo for a $1 billion discount on the $4.8 billion deal it offered.
However, after reports of Yahoo giving the NSA complete access to its servers (which may have tainted its reputation and the trust users have in the company) and the recently announced data breach, Verizon may even consider dropping the deal altogether. At the very least, if we're to go by the numbers ($1 billion discount for a 500 million user account data breach), and if Verizon wants to play its hand aggressively, it may now ask for another $2 billion discount, lowering the deal to less than half of what was initially proposed.
If that does happen, then it would show other companies that giving intelligence agencies secret access to all user data, which is likely unconstitutional and also shows a careless attitude towards security, could one day cost those companies billions of dollars, either through lost deals or lost reputation.
Yahoo Users: What To Do Now
If you haven’t already completely lost faith in Yahoo’s handling of the security of your emails and its willingness to protect those emails from the eyes of all third parties, then you may want to follow Yahoo’s instructions below to protect your account:
Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account
Review all of your accounts for suspicious activity
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information
Avoid clicking on links or downloading attachments from suspicious emails
Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
Choosing End-To-End Encryption
You may want to consider an end-to-end encrypted email solution that can protect your emails even when there’s a data breach or when the email service provider installs backdoors for various governments. With end-to-end encryption, email contents are encrypted on the user’s devices before they ever reach the company’s servers.
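To make the trust boundary concrete, here is an added Python example (not code from Yahoo, Google, ProtonMail or Tutanota) that models the arrangement just described: the provider stores and relays message bodies but never holds a user key, so neither a breach of its database nor a backdoor on its servers yields readable mail, and any tampering with a stored message is detected on the recipient's device. The sender and recipient are assumed to share a key agreed out of band; in real mail tools that role is played by OpenPGP public-key exchange. The cipher is an illustrative encrypt-then-MAC construction built only from the standard library (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the tag) so the example runs anywhere; deployed systems use OpenPGP or AES-GCM, and the structure rather than this cipher is the point.

```python
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, derived from the shared key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; the nonce must be unique per message.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MailProvider:
    """Server side: stores opaque message bodies and holds no user keys."""

    def __init__(self) -> None:
        self.mailbox: Dict[str, bytes] = {}

    def store(self, msg_id: str, body: bytes) -> None:
        self.mailbox[msg_id] = body

    def fetch(self, msg_id: str) -> bytes:
        return self.mailbox[msg_id]

    def dump(self) -> Dict[str, bytes]:
        # Everything a database breach, or a backdoor on the server, can see.
        return dict(self.mailbox)


class Client:
    """User's device: the key lives here and plaintext is encrypted before it leaves."""

    def __init__(self, provider: MailProvider, key: bytes) -> None:
        self.provider, self.key = provider, key

    def send(self, msg_id: str, plaintext: bytes) -> None:
        self.provider.store(msg_id, encrypt(self.key, plaintext))

    def read(self, msg_id: str) -> bytes:
        return decrypt(self.key, self.provider.fetch(msg_id))


def plaintext_visible_to_server(provider: MailProvider, msg_id: str, plaintext: bytes) -> bool:
    """What the provider (or whoever holds its dump) can learn: True only if the
    stored body contains the plaintext, which never happens for end-to-end mail."""
    return plaintext in provider.dump()[msg_id]


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)        # assumed agreed out of band
    provider = MailProvider()
    alice, bob = Client(provider, shared_key), Client(provider, shared_key)
    alice.send("m1", b"meet at noon")
    print("server sees plaintext:", plaintext_visible_to_server(provider, "m1", b"meet at noon"))
    print("bob reads:", bob.read("m1"))
```

The contrast with the breaches above is the location of the key: in the E2E model the server's dump contains only nonces, ciphertext and tags, so the same exposure that leaked readable account data at Yahoo would leak nothing usable here, and a server that has been backdoored cannot silently alter messages either, because the recipient's tag check fails.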
Yahoo’s previous security team had considered enabling end-to-end encryption for its users, too, through a browser extension initially developed by Google. However, by the time the project was ready, the NSA had already installed its backdoor, and the end-to-end encryption project was eventually canceled by Yahoo leadership.
Google hasn’t been working on the project for the past eight months either, or at least not publicly. However, end-to-end encrypted services such as ProtonMail or Tutanota, as well as other OpenPGP-based solutions, are still an alternative to email services that don't offer end-to-end encryption.