Yahoo Security Breach

In December of 2016, Yahoo announced another security breach, this one affecting more than one billion of its users’ accounts. Some experts claim that this is one of the largest data hacks in history and that, following Yahoo’s previous hacks, it threatens the reputation of the company. Company executives claim that the data breach has been ongoing since 2013, giving the perpetrators several years to exploit the information. The information stolen includes sensitive details, such as birth dates, addresses, telephone numbers, and social security numbers, forcing experts to recommend that users change passwords for all of their online accounts. Fortunately, however, the company said that the unencrypted passwords, bank information, and credit card numbers were not stolen, as they were stored differently (Pham, 2016).

The hackers were able to do this by taking advantage of weaknesses in MD5, which was used to hash the passwords. MD5 for the most part has been banished from HTTPS encryption, but some companies, including some major ones, are still using it, even though its many flaws are well known. More specifically, when MD5 or its closely related companion SHA1 is used, the transport layer security protocol that lies under the surface of HTTPS becomes vulnerable to SLOTH attacks. SLOTH is short for security losses from obsolete and truncated transcript hashes. When both the end user and the server “support RSA-MD5 signatures for client authentication, SLOTH makes it possible for an adversary to impersonate the end user, as long as the end user first visits and authenticates itself to a site controlled by the attacker” (Goodin, 2016).


Furthermore, weaknesses in MD5 drastically reduce the work required to find a collision. That is, MD5 is a 128-bit function, meaning a collision is expected after completing 2^64 computations. However, problems with MD5 reduce this requirement down to 2^15 (Goodin, 2016). Because of exploitation methods discovered in the last few years, MD5 significantly reduces the computational power needed to break encryptions. However, Yahoo and other companies continued to use this method of encryption even after its weaknesses became known as early as 2008, and it was Yahoo that bore the brunt of the industry’s irresponsibility.

As a response to this hack, Yahoo vowed to update their security systems and methods. For example, the company has decided to void unencrypted security questions and has encouraged its users to stop using security questions altogether. More importantly, the company has decided to stop using MD5 and SHA1, in favor of more recent and more secure encryption methods. Furthermore, Yahoo is advising its users to change all of their passwords for all of their online accounts, as hackers are able to gain access to them using the stolen personal information. They can do this by building programs that use this information to try logging in to popular websites. They can also open accounts and credit cards in the users’ names, prompting some to recommend keeping an eye on credit reports or even putting a freeze on them.

For the company itself, users and other businesses have begun to question how reliable Yahoo really is, with some users flocking away from it. Wired reports that shortly after the revelation of the hack, Verizon formally requested a refund of close to five billion dollars for a previous deal, leading many experts to claim that Verizon no longer had confidence in Yahoo and regretted their deal (Newman, 2016). Overall, Yahoo seems to be resilient enough, as it is still one of the largest and most heavily trafficked websites. This breach and the previous ones have so far not proven serious enough to take down such a large company.
