UK ISP BT Warns Email Using Customers After 2nd Massive Yahoo! Hack

A staggering 1 billion accounts belonging to Internet giant Yahoo! have been breached by a second major hack, albeit one that occurred in August 2013. Today BT Retail and other broadband ISPs that have used the firm for their email (e.g. Sky Broadband) are warning customers to change their passwords.

The latest confirmation of such an event follows a similar, if separate, incident that was first revealed in September 2016 after Yahoo! confirmed that at least 500 million of their accounts had been stolen in 2014 by “state-sponsored” hackers (here). Apparently Yahoo! didn’t realise that the theft had occurred until years later.

At the time the situation created an additional headache for BT and Sky Broadband because both ISPs had made use of or continue to use Yahoo!’s platform for some or all of their email services. In BT’s case it was merely a “legacy product used by some customers“, while Sky’s Yahoo! based Sky Yahoo Mail service was still at the centre of their email platform.

Hopefully anybody with a Yahoo! connected account or service, even if they weren’t among those affected, will have already changed their password. However if you haven’t done so then take note that Yahoo! has now disclosed that they were also hit by a similar incident in 2013, which apparently resulted in double the amount of accounts being stolen by hackers. Ugh!

At present Yahoo! doesn’t even seem to know how the data was stolen, which is troubling.

Bob Lord, Yahoo’s Chief Information Security Officer, said:

“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”

Yahoo!’s old MD5 algorithm for hashed passwords should not be banked on as it can easily be broken, which would expose the passwords. The theft of unencrypted security questions and answers is similarly dangerous because these often form part of Two Factor Authentication (2FA) systems and a lot of online services ask the same questions.

Today BT has been the first out of a gate with the warning for any of their customers who might still make use of the old platform, albeit so far only via Twitter but they do have a website that was setup for the original incident (here). Sky has yet to issue a similar notice, but we wouldn’t be surprised if they follow suit.

https://twitter.com/BTCare/status/809335989701410816

Meanwhile Yahoo! claim to be notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access an account. More details here.