By Chris Moschella, Risk Advisory Services Manager | Cybersecurity Services Team
On December 14, 2016, Yahoo announced that a billion accounts were compromised in the largest breach of user accounts ever reported. This comes on the heels of another mega breach of 500 million user accounts disclosed by Yahoo on September 22, 2016.
Among the data that was stolen were usernames and hashed passwords. In September, Yahoo claimed that most of the compromised account passwords were hashed with the excellent bcrypt hashing function. Hashed passwords allow organizations to store passwords in a format other than plain text. For example, your password ‘1l0veKeiter!’ might be stored like this:
Password Hashing vs Encrypting
Although not critical to understanding this article, we use the term hashing instead of encrypting, the more familiar term, and wanted to explain why. Both hashing and encryption are used as ways to store passwords more securely than in plain text. But there are differences.
Any data that is encrypted can be decrypted by someone with a decryption key. When used for passwords, this means that somewhere on the server is a key that can be used to decrypt the passwords.
Hashing is a one-way operation: there is no decryption process and no key that can recover all the passwords. Some compare reversing a hash to unbaking a cake or turning a hamburger back into a cow. The ‘data’ in the plain text password is simply no longer in the hashed password. So how does it work?
When you create your password, the hashing function produces a string of text called a hash. When you log back in and enter your password, the hashing function runs again. If you entered the correct password, the hashing function produces the same hash. The login process on the server compares the hash created as a result of your login attempt to the hash stored in the database. If they are the same, then you’ve entered the correct password, and you are allowed to proceed.
Bcrypt is a well-respected utility for hashing passwords because the underlying hashing algorithm is purpose-built to be slow to process. This makes it very expensive for attackers who have stolen a database of user IDs and bcrypt-protected passwords to obtain the plain text version of the passwords needed to access the accounts. While still posing a risk to those with compromised accounts, Yahoo’s use of bcrypt reduced the risk to those whose accounts were part of the original breach.
However, in this latest breach passwords were hashed with the MD5 algorithm, which is much faster to crack. In fact, using 7-year-old, consumer-grade computer equipment, an attacker can try MD5 passwords at a rate of 200 million cracking attempts per second. If, as Yahoo claims, this data was stolen by a nation state, it is probably a safe bet that they are using the best equipment money can buy and are cracking these passwords at a furious rate.
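The login check described above (hash the attempt, compare with the stored hash), shown as an added example that is not from the original article. It puts unsalted MD5 beside a salted, deliberately slow hash and measures the cost difference; Python’s standard library has no bcrypt, so scrypt stands in for it here, and the password is the article’s sample value.

```python
import hashlib
import hmac
import os
import time

# scrypt work parameters (stand-in for bcrypt's cost factor); constructed demo values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_hash(password: str) -> str:
    """Unsalted MD5: fast, and identical for every user who picked the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted scrypt record stored as 'salt_hex$digest_hex'; a fresh salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=64 * 2 ** 20)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Login check: rehash the attempt with the stored salt, compare in constant time."""
    salt_hex, _ = stored.split("$")
    attempt = slow_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(attempt, stored)


def cost_ratio(password: str = "1l0veKeiter!", rounds: int = 20) -> float:
    """Measured: how many times longer one scrypt hash takes than one MD5 hash."""
    md5_iters = rounds * 1000
    start = time.perf_counter()
    for _ in range(md5_iters):
        md5_hash(password)
    md5_each = (time.perf_counter() - start) / md5_iters
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        slow_hash(password, salt)
    slow_each = (time.perf_counter() - start) / rounds
    return slow_each / md5_each


if __name__ == "__main__":
    record = slow_hash("1l0veKeiter!")
    print("stored:", record)
    print("correct password accepted:", verify("1l0veKeiter!", record))
    print("wrong password accepted:", verify("1l0veKeiter?", record))
    print("scrypt/MD5 cost ratio:", round(cost_ratio()))
```

Every user with the same password gets the same MD5 value, so one cracked hash unlocks all of them, whereas the salted record differs per user and each guess costs thousands of MD5 operations' worth of work.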
So what? This is Yahoo, not my business. Why should I care?
Hackers today are clever and patient. With a cracked Yahoo password they can access the account to discern other information about the user, which may be useful in mounting an attack against the individual personally (identity theft) or against a business.
How attackers may find your business email address from your Yahoo account
There are a number of ways that attackers can use information in a Yahoo account to find a user’s work email address. A few options include the following:
- Many Yahoo users register their work email address as a secondary recovery address for their account. Although Yahoo has not stated whether or not recovery email addresses were part of the breach (they only say “email addresses”), other account recovery information such as phone numbers and security questions was stolen. It would therefore not be surprising to find that recovery email addresses were part of the breach.
- The hacked email addresses can be readily cross referenced against third party websites like LinkedIn and Facebook to help determine a place of work.
- An attacker could simply read through email and try to figure it out.
The point being, there are many methods for someone with access to a stolen Yahoo email account to determine where someone works and find their work email address. Even if an attacker can only find the place of business, it is typically easy to guess someone’s email address. There are only so many email naming conventions that companies follow, e.g., firstName.lastName@mycompany.com or firstInitialLastName@company.com. And with tools like hunter.io, determining a company’s email naming convention is a trivial exercise.
Attackers know users often reuse the same password across multiple platforms. Once the attacker knows your business email address and your Yahoo password, the attacker will simply try to log into your business email account and/or VPN with your Yahoo password in hopes they match. If you ever wondered why some companies and websites enforce periodic password changes, this is the reason.
Once a business account is compromised, an attacker has a variety of options, some of which include:
- installing backdoors to maintain access to the company’s network
- emailing ransomware from one user to another
- mounting a business email compromise scam to steal funds via wire fraud
- theft of trade secrets
- emailing malware to another employee to gain even deeper systems access within the organization
What can businesses do to combat this?
Periodic password changes are a good way to mitigate the risk that a mega breach at a third party site could impact your organization. The National Institute of Standards and Technology (NIST) has issued draft password guidance that advocates against forcing these periodic changes. However, dropping forced changes does create risk, and that risk becomes especially acute for accounts facing the open internet, such as business email and remote access.
The use of enhanced login mechanisms, such as multi-factor authentication (MFA) and two-factor authentication (2FA), can significantly reduce the risk that a Yahoo-like mega breach will impact the security of an unrelated business. MFA and 2FA typically require three pieces of information from users:
- a user ID (user knows)
- a password (user knows)
- a token of some variety that is generated by a device carried by the user (user has)
The third item can be an access card, your mobile phone, or a key fob with a rotating pin code. Here’s an example of how they work:
You visit a website, enter your user ID and your password, and authenticate. The website sends a temporary authorization pin code to your mobile phone as a text message. You receive the text on your phone, enter the pin code into the website, and access the account online.
An attacker who wants to bypass these protections needs more than just your user ID and password; they also need a physical device. With MFA/2FA, organizations can begin more reasonably evaluating whether NIST’s recommendation to remove password expirations makes sense for them.
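The rotating pin code produced by a key fob or authenticator app, as an added example that is not from the original article. It goes beyond the SMS flow above to the device-generated code, using the TOTP scheme of RFC 6238 (an HMAC-based code that changes every 30 seconds), and shows the server-side check that runs after the password step; the secret is RFC 6238’s published test key, not a real user’s.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each rotating code stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP); what the device shows."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP))


class SecondFactor:
    """Server side of the second step: checks the code the user typed after the password."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted, to refuse replays

    def verify(self, code: str, at=None, window: int = 1) -> bool:
        now = time.time() if at is None else at
        counter = int(now // STEP)
        for offset in range(-window, window + 1):   # tolerate one step of clock drift
            step = counter + offset
            if step <= self.last_counter:
                continue    # code already used, or older than one already accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_counter = step
                return True
        return False


# Constructed demo secret: the test key from RFC 6238, not a real credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    factor = SecondFactor(DEMO_SECRET)
    shown = totp(DEMO_SECRET)
    print("device shows:", shown, "accepted:", factor.verify(shown))
    print("same code again accepted:", factor.verify(shown))
```

Because the code is derived from a secret held on the device and the current time, knowing the user ID and password alone does not let anyone produce it, and the replay check means an intercepted code cannot be reused.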
Security Awareness Training
Attacks are bound to happen, and users need to know how to prevent them from happening and spot them when they do. With the Yahoo breach in mind, users should be reminded not to reuse passwords. Password reuse is a major underlying issue that causes mega breaches to create risks for other organizations. Unfortunately, it is impossible for companies to prevent employees from reusing passwords from their private accounts in their work applications. So employees should be trained to know why it is a risk, how it can impact them personally, and strategies for managing passwords, like using a password manager such as LastPass or 1Password.
If attackers are able to exploit a mere 0.01% of users impacted by Yahoo’s most recent data breach, that equates to about 10 million victims in the making. Make sure you, your family, and your business are not impacted by it.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.