Warning over Yahoo data breach 'ripple effect'
Published 27/09/2016 | 12:31
Information security experts fear that internet giant Yahoo's massive breach data could be used to "pick locks" across the web.
While it is not yet known to what extent the record-breaking haul of passwords has been circulating, such breaches can send ripples of insecurity across the internet.
Matt Blaze, a security researcher at the University of Pennsylvania, said in a Twitter message: "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters."
One big worry concerns a cyber crime technique known as "credential stuffing", which works by throwing leaked username and password combinations at a series of websites in an effort to break in.
The effect is like a thief finding a ring of keys in a block of flats and trying them, one after the other, in every door in the building. Software can make this trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1% and 2% of the time, according to Shuman Ghosemajumder, the chief technology officer of California-based Shape Security.
That means cyber criminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
"It becomes a numbers game for them," Mr Ghosemajumder said.
He said he did not foresee a surge in fresh breaches so much as a steady increase in attempts as cyber criminals replenish their stock of freshly-hacked passwords.
It is conceivable that Yahoo passwords have already been used to hack other services. As the theft occurred in late 2014, this means that the data has been compromised for as much as two years.
"It is like an ecological disaster," Mr Ghosemajumder said.
"But pick the right disaster. It's more like global warming than it is an earthquake. It builds up gradually."
The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July.
Several weeks later, a cyber criminal using the handle "Peace" came forward with 5,000 samples - and the startling claim to be selling 200 million more.
On August 1, Mr Cox published a story on the sale, but the journalist said he had never established with any certainty where Peace's credentials came from.
He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace's sample used a second.
Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether - more likely, the latter.
The darknet market where Peace has been active in the past has been inaccessible for days, purportedly due to cyber attacks.
Yahoo users who recycle their passwords across different sites may be at risk. While an internet-wide password reset is one option, Yahoo's announcement that some security questions were compromised too means that the risks associated with the breach are likely to linger.