Yahoo continues to face severe criticism over its handling of the revelation of the 2014 theft of a half-billion customer account records, and the future of its proposed $4.8 billion merger with Verizon is unclear.
The Yahoo hack, said to be the largest such data breach in history, was confirmed by the company on Sept. 22. But since then, Yahoo officials have refused to provide details on their assertion that the hack was the work of “state-sponsored actors.” Verizon has been similarly quiet on the question of how the breach might affect the pending merger.
Following the breach disclosure, security experts turned their attention to Yahoo’s security practices, and didn’t like what they saw. Threatpost reported that one security company’s investigation into Yahoo’s cryptographic keys and digital certificates unearthed “a mixed bag of outdated hashing algorithms and self-signed certificates permeating Yahoo’s production environment.” Neither finding is proof of how the 2014 intrusion happened, but both are the kind of hygiene lapse that makes a compromised credential or certificate far harder to detect and revoke.
Meanwhile, speculation has begun to center on Yahoo’s so-far-unsubstantiated claim that the hack originated with a foreign government. PC World quoted executives at two other tech firms as questioning the claim.
“This just doesn’t reek of nation-state activity,” one such exec told PC World. “Nation-states are after intellectual property. They don’t give a damn about emails and passwords from a Yahoo account.” Yet another security firm has posited that the Yahoo hack was actually the work of "an Eastern European criminal gang," Fortune reported.
According to the New York Times, Yahoo began investigating a possible data breach in late July, after the Verizon deal was announced. At that time, sources told the Times, Yahoo believed 280 million user credentials had been leaked. Neither Yahoo nor Verizon has said whether Yahoo disclosed this to Verizon during the merger talks. “During the course of that investigation, Yahoo learned of the more severe breach,” the Times reported.
Just as with other major credential breaches, such as the 2012 theft of some 167 million LinkedIn account records that surfaced for sale this past May, the Yahoo data is exactly what Account Takeover (ATO) attacks run on: Yahoo has said the stolen records included names, email addresses, hashed passwords and, in some cases, security questions and answers, and attackers crack or guess those passwords and replay them against every other site where the same user reused them. There has never been more evidence that piecemeal approaches to safeguarding user account data won’t cut it in the current threat environment, with attackers able to exploit code vulnerabilities, steal session tokens, and replay stolen credentials at scale.
Google Takes On Cross-Site Scripting
In other news this week, Google has turned its attention to cross-site scripting flaws, a major issue for developers and another ongoing challenge in securing websites, web applications, and user data.
Google announced the availability of two new tools for developers looking to protect against cross-site scripting security flaws, ZDNet reported. The tools “alert users when subtle, small misconfigurations could lead to cross-site scripting vulnerabilities,” the news site said.
Google also recommends that developers consider a nonce-based content security policy, according to ZDNet. The "nonce" is an unpredictable, single-use token that the server generates for each response and lists in the Content-Security-Policy header; every script tag the page intends to run carries the same value in its nonce attribute, and the browser refuses to execute any script that doesn’t match. Because an attacker injecting markup cannot guess the token, an injected script tag is blocked even though the page still runs its own inline code.
Learn the Basics About Account Takeover
Want to better understand how attackers leverage web application security flaws to gain access to sensitive user account data? Read our ebook, Account Takeover: How Hacking Happens in 2016, for full details and for useful advice on securing your company’s websites, web apps, and user data.