The Yahoo hack – a numbers game
Have you got a Yahoo email account? Was it one of the 500 million accounts compromised by the breach disclosed by Yahoo in September 2016? Does it matter if it was?
Those who use Yahoo to provide their principal email account should have been concerned by news of the leak. Many others, with an old Yahoo account that they do not use much, may not have been that bothered. Is such complacency justified? That depends, to gauge the risk you need to understand the cyber-crime opportunity represented by 500 million accounts.
What was stolen from Yahoo in the first place? Yahoo says the hack happened in late 2014 and that the stolen information included email addresses and hashed passwords among other items of personal data. Hashing is a way of protecting passwords, and Yahoo mainly used bcrypt. This is good security practice and the criminals would not be able to see, and therefore use, the actual passwords. So, that’s alright then?
Not so fast, to a cyber-criminal it is the volume that is of interest. The email addresses themselves are enough to work with. Suppose just 0.1% of those 500 million users have used one of the 50 most common passwords. Test each one of them to find the targets, and bingo, you have 500,000 compromisable accounts. (Yahoo, just allowed Quocirca 20 attempts at logging in to an account, no questions asked.)
In fact, the potential passwords could be tested against any online resource that allows an email address to be used as a username. How about an e-ticketing site, potentially much more useful than a Yahoo email account alone?
Testing passwords against email addresses has been termed ‘credential cracking’ in a new handbook from OWASP (the Open Web Application Security Project). The handbook lists 20 automated threats, that is, repetitive online activities carried out by software robots (bots); bots that are up to no good have been coined bad-bots. It gets worse, when it comes to taking over accounts, OWASP lists a second threat – ‘credential stuffing’.
Suppose 1% of the 500,000 compromisable Yahoo accounts belong to users that use the same password everywhere. That gives 5,000 username/password pairs that could get a criminal into all sorts of accounts. 5,000 is a lot, but remember it is only 0.001% of the total stolen. If someone told you that 0.001% of all people were this careless about online security you would probably think it was a gross underestimate.
Credential stuffing involves using a bad-bot to run verified credentials from one online resource against another and finding matches. Easily doable for a bot. This is a real issue with leaks like the Yahoo one and others such as Ashley Madison and Talk Talk; given a long list of user details bots can be used to try plugging gaps and see what works. A cyber-criminal may not be interested in your infidelity as a member of Ashley Madison (a website for adulterers), but they will be interested if you use the same credentials for your bank account.
For end users protection is quite easy in many cases. Use a unique complex password for important accounts, and where there is an option, as there is with Yahoo, switch on strong authentication. For the providers of online resources, it is not just the threat of criminals transacting via compromised accounts, it is the volume activity of bots, which can lead to performance degradation of online services.
There are a number of ways that automated threats can be mitigated. Research by The Aberdeen Group suggests that 46% of all online activity is carried out by bots. Some, such as Google’s web crawlers are necessary and wanted, but many others including credential cracking and stuffing bots are not. There is a growing number of vendors providing technology to differentiate bots from human users and good-bots from bad-bots; they put in place policies about what bots are allowed and not allowed to do. These include Distil Networks, Akamai, Imperva’s Incapsula and Shape Security.