Password breach could have ripple effects well beyond Yahoo

By Raphael Satter

Associated Press

LONDON — As investors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.

While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.

“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,” said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter.

A big worry is a cybercriminal technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security. That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.

“It becomes a numbers game for them,” Ghosemajumder said in a telephone interview.
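As an added illustration that is not part of the AP story, here is a defender-side check for the pattern described above: credential stuffing shows up in authentication logs as a single source trying many distinct usernames with a success rate far below that of real users. The log format, IP addresses and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data):
# timestamp, source IP, username, result.
SAMPLE_LOG = """\
2016-09-23T10:00:01Z 203.0.113.7 alice FAIL
2016-09-23T10:00:01Z 203.0.113.7 bob FAIL
2016-09-23T10:00:02Z 203.0.113.7 carol FAIL
2016-09-23T10:00:02Z 203.0.113.7 dave OK
2016-09-23T10:00:03Z 203.0.113.7 erin FAIL
2016-09-23T10:00:03Z 203.0.113.7 frank FAIL
2016-09-23T10:00:04Z 203.0.113.7 grace FAIL
2016-09-23T10:00:04Z 203.0.113.7 heidi FAIL
2016-09-23T10:01:00Z 198.51.100.4 alice FAIL
2016-09-23T10:01:05Z 198.51.100.4 alice OK
2016-09-23T10:02:00Z 192.0.2.9 bob OK
"""

def parse_log(text):
    """Yield (ip, user, succeeded) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def find_stuffing_sources(text, min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that look like credential stuffing:
    many distinct usernames tried from one IP, almost all failing.
    A legitimate user mistyping their own password (198.51.100.4 above)
    retries a single account and is not flagged."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok  # bool counts as 0 or 1
    flagged = {}
    for ip in attempts:
        rate = successes[ip] / attempts[ip]
        if len(users[ip]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(users[ip]),
                           "attempts": attempts[ip],
                           "success_rate": round(rate, 3)}
    return flagged
```

The thresholds are a starting point; in production they would be tuned per site and combined with rate limiting and multi-factor authentication rather than used alone.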

So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?

Ghosemajumder doesn’t think so. He said he didn’t see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords. It’s conceivable as well that Yahoo passwords have already been used to hack other services; the company said the theft occurred in late 2014, meaning that the data has been compromised for as long as two years.

“It is like an ecological disaster,” Ghosemajumder said in a telephone interview. “But pick the right disaster. It’s more like global warming than it is an earthquake. … It builds up gradually.”

The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July. Several weeks later, a cybercriminal using the handle “Peace” came forward with 5,000 samples — and the startling claim to be selling 200 million more.

On Aug. 1 Cox published a story on the sale, but the journalist said he never established with any certainty where Peace’s credentials came from. He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace’s sample used a second. Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether.

“With the information available at the moment, it’s more likely to be the latter,” Cox said in an email Tuesday.

The Associated Press has been unable to locate Peace. The darknet market where the seller has been active in the past has been inaccessible for days, purportedly due to cyberattacks.

At the moment it’s not known who holds the passwords or whether a state-sponsored actor, which Yahoo has blamed for the breach, would ever have an interest in passing its data to people like Peace.

Even if the hack was a straightforward espionage operation, Gartner security analyst Avivah Litan said that wouldn’t be a reason to relax. Spies can mine trivial-seeming data from apparently random citizens to tease out their real targets’ secrets.

“That’s how intelligence works,” Litan said in a phone call.

Meanwhile Yahoo users who recycle the same password across the internet may still be at risk. While people can always change the passwords across all the sites they use, Yahoo’s announcement that some security questions were compromised too means that the risks associated with the breach are likely to linger.

A password can be changed, after all, but how do you reset your mother’s maiden name?
