Password breach could have ripple effects well beyond Yahoo

Password breach could have ripple effects well beyond Yahoo

By Raphael Satter

Associated Press

LONDON — As investors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.

While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.

“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,” said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter .

A big worry is a cybercriminal technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security. That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.

“It becomes a numbers game for them,” Ghosemajumder said in a telephone interview.

So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?

Ghosemajumder doesn’t think so. He said he didn’t see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords. It’s conceivable as well that Yahoo passwords have already been used to hack other services; the company said the theft occurred in late 2014, meaning that the data has been compromised for as long as two years.

“It is like an ecological disaster,” Ghosemajumder said in a telephone interview. “But pick the right disaster. It’s more like global warming than it is an earthquake. … It builds up gradually.”

The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July. Several weeks later, a cybercriminal using the handle “Peace” came forward with 5,000 samples — and the startling claim to be selling 200 million more.

On Aug. 1 Cox published a story on the sale , but the journalist said he never established with any certainty where Peace’s credentials came from. He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace’s sample used a second. Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether.

“With the information available at the moment, it’s more likely to be the latter,” Cox said in an email Tuesday.

The Associated Press has been unable to locate Peace. The darknet market where the seller has been active in the past has been inaccessible for days, purportedly due to cyberattacks.

At the moment it’s not known who holds the passwords or whether a state-sponsored actor, which Yahoo has blamed for the breach, would ever have an interest in passing its data to people like Peace .

Even if the hack was a straightforward espionage operation, Gartner security analyst Avivah Litan said that wouldn’t be a reason to relax. Spies can mine trivial-seeming data from apparently random citizens to tease out their real targets’ secrets.

“That’s how intelligence works,” Litan said in a phone call.

Meanwhile Yahoo users who recycle the same password across the internet may still be at risk. While people can always change the passwords across all the sites they use, Yahoo’s announcement that some security questions were compromised too means that the risks associated with the breach are likely to linger.

A password can be changed, after all, but how do you reset your mother’s maiden name?

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Business

Robinhood Drugs Pharmacy owner Dr. Sovit Bista outside of his store on Tuesday, Dec. 30, 2025 in Everett, Washington. (Olivia Vanni / The Herald)
New pharmacy to open on Everett Optum campus

The store will fill the location occupied by Bartell Drugs for decades.

Liesa Postema, center, with her parents John and Marijke Postema, owners of Flower World on Wednesday, Dec. 31, 2025 in Snohomish, Washington. (Olivia Vanni / The Herald)
Flower World flood damage won’t stop expansion

The popular flower center and farm in Maltby plans 80 additional acres.

Mike Fong
Mike Fong will lead efforts to attract new jobs to Everett

He worked in a similar role for Snohomish County since Jan. 2025 and was director of the state Department of Commerce before that.

Washington State Governor Bob Ferguson speaks during an event to announce the launch of the Cascadia Sustainable Aviation Accelerator at the Boeing Future of Flight Aviation Center on Thursday, Jan. 8, 2026 in Everett, Washington. (Olivia Vanni / The Herald)
Gov. Ferguson launches sustainable jet fuel research center at Paine Field

The center aims to make Snohomish County a global hub for the development of green aviation fuel.

Flying Pig owner NEED NAME and general manager Melease Small on Monday, Dec. 29, 2025 in Everett, Washington. (Olivia Vanni / The Herald)
Flying Pig restaurant starts new life

Weekend brunch and new menu items are part of a restaurant revamp

Everett Vacuum owners Kelley and Samantha Ferran with their daughter Alexandra outside of their business on Friday, Jan. 2, 2026 in Everett, Washington. (Olivia Vanni / The Herald)
‘Everything we sell sucks!’: Everett Vacuum has been in business for more than 80 years.

The local store first opened its doors back in 1944 and continues to find a place in the age of online shopping.

A selection of gold coins at The Coin Market on Nov. 25, 2025 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Lynnwood coin shop doesn’t believe new taxes on gold will pan out

Beginning Thursday, gold transactions will no longer be exempt from state and local sales taxes.

x
Peoples Bank announces new manager for Edmonds branch

Sierra Schram moves from the Mill Creek branch to the Edmonds branch to replace Vern Woods, who has retired.

Sultan-based Amercare Products assess flood damage

Toiletries distributor for prisons had up to 6 feet of water in its warehouse.

Senator Marko Liias speaks at the ground breaking of the Swift Orange Line on Tuesday, April 19, 2022 in Lynnwood, Washington. (Olivia Vanni / The Herald)
The Transportation Committee Chairman says new jobs could be created fixing roads and bridges

Senator Marko Liias, D-Edmonds, wants to use Washington’s $15 billion of transportation funding to spur construction jobs

Lynnwood Police Officers AJ Burke and Maryam McDonald with the Community Health and Safety Section Outreach team and City of Lynnwood’s Business Development Program Manager Simreet Dhaliwal Gill walk to different businesses in Alderwood Plaza on Wednesday, June 25, 2025 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Lynnwood advocate helps small businesses grow

As Business Development Program Manager for the city of Lynnwood, Dhaliwal Gill is an ally of local business owners.

Kelsey Olson, the owner of the Rustic Cork Wine Bar, is introduced by Port of Everett Executive Director Lisa Lefebar on Dec. 2, 2025 in Everett, Washington. (Olivia Vanni / The Herald)
Rustic Cork Wine Bar opens its doors at the Port of Everett

It’s the first of five new restaurants opening on the waterfront, which is becoming a hotspot for diners.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.