Yahoo has become the laughing stock of the online security industry after claims that the firm was hashing passwords with an algorithm viewed as “broken” nearly two decades before a “new” 2013 hack, which it says could have affected an eye-watering, world-record 1 billion users.
Not that customers will be quite so amused; in a statement, Yahoo head of security Bob Lord admitted that “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” had been stolen.
He denied that any bank or payment data had been compromised, however.
Given the timescale, much of this data has most likely already been sold on the dark web. It is not known how the firm discovered the latest issue, although it said the breach appeared separate from a 2014 attack, disclosed in September, when Yahoo revealed a then record-breaking 500 million accounts had been compromised. Yahoo is certainly keeping the Guinness Book of Records office busy.
But Ty Miller, director of Sydney-based security firm Threat Intelligence, told The Register that the MD5 hashing algorithm has been considered not just insecure, but broken, for two decades. He added that vulnerabilities were found in 1996 and practical attacks were developed in 2005.
Ty said: “I consider it negligent of an organisation such as Yahoo!, which has an obligation to protect the private data of over one billion users, to be using such an outdated and ineffective control to protect the passwords of its customers.”
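To illustrate why unsalted MD5 is an inadequate way to store passwords, here is an added example; it is not code from Yahoo or from The Register's reporting, and the “dump”, e-mail addresses, passwords and wordlist in it are constructed for the demonstration. The 1996 and 2005 results mentioned above concern MD5 collisions; for stored passwords the practical problem is different and simpler: MD5 is fast, and when no per-user salt is used, an attacker computes each candidate password's hash once and checks it against every account in the dump at the same time. The example runs the same dictionary attack against an unsalted MD5 store and against a salted, iterated PBKDF2-HMAC-SHA256 store from Python's standard library, and counts how many hash evaluations each attack needs.

```python
import hashlib
import hmac
import os

# Constructed miniature "dump" of unsalted MD5 password hashes, of the kind
# Yahoo's statement describes. Computed here from made-up passwords; not real data.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com":   hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correcthorsebatterystaple").hexdigest(),
}

# A tiny wordlist standing in for a real cracking dictionary (constructed).
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty", "iloveyou"]


def crack_unsalted_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5.

    Each candidate is hashed exactly once and looked up against every victim
    at the same time, so the work is len(wordlist) hash evaluations no matter
    how many accounts are in the dump. Returns (cracked, evaluations)."""
    lookup = {}
    evaluations = 0
    for word in wordlist:
        lookup[hashlib.md5(word.encode()).hexdigest()] = word
        evaluations += 1
    cracked = {user: lookup[h] for user, h in hashes.items() if h in lookup}
    return cracked, evaluations


def hash_password_pbkdf2(password, salt=None, iterations=600_000):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, standard library).

    A random per-user salt means two users with the same password get
    different stored values and no shared lookup table works; the iteration
    count makes each guess cost thousands of HMAC computations instead of one.
    Returns (salt, iterations, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password, salt, iterations, digest):
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(records, wordlist):
    """The same dictionary attack against the salted store.

    The salt forces one full KDF evaluation per (user, guess) pair, so the
    work grows with the number of accounts as well as the wordlist, and each
    evaluation is itself `iterations` times more expensive than one MD5.
    Returns (cracked, evaluations)."""
    cracked = {}
    evaluations = 0
    for user, (salt, iters, digest) in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_pbkdf2(word, salt, iters, digest):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    found, work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: cracked {sorted(found)} with {work} hash evaluations")

    # Re-store the same constructed passwords the right way and attack again.
    salted = {
        "alice@example.com": hash_password_pbkdf2("password123"),
        "bob@example.com":   hash_password_pbkdf2("letmein"),
        "carol@example.com": hash_password_pbkdf2("correcthorsebatterystaple"),
    }
    found, work = crack_pbkdf2(salted, WORDLIST)
    print(f"salted PBKDF2: cracked {sorted(found)} with {work} KDF evaluations, "
          f"each of {salted['bob@example.com'][1]} iterations")
```

Both attacks recover the weak passwords in this toy dump, since a dictionary attack succeeds against any scheme when the password is in the dictionary; the difference is cost. Against the MD5 store the six wordlist entries are hashed six times in total for all accounts, and a real attacker would use precomputed tables rather than hashing at all. Against the salted store every account must be attacked separately, and each guess costs a full PBKDF2 run. For one billion accounts that multiplier is the whole point.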
Meanwhile Bruce Schneier, a cryptologist and highly respected security expert, said: “Yahoo badly screwed up. They weren’t taking security seriously and that’s now very clear. I would have trouble trusting Yahoo going forward.”
Yahoo said it was working closely with the police and authorities.
The latest disclosure also raises fresh doubts about Verizon’s $4.8bn proposed acquisition of Yahoo, with many predicting that the telecoms company will seek a cut-price deal or may even abandon the acquisition altogether.