All of Yahoo’s 3 Billion Accounts Compromised in 2013

The massive data breach announced by Yahoo in December was believed to have affected around 1 billion accounts, but it turns out it actually affected the company’s entire user base of around 3 billion accounts.

The revelation came after Oath, the Verizon subsidiary that Yahoo is now part of, ordered a new forensic investigation into the data breach. Verizon finalized the Yahoo acquisition in June for $4.48 billion, after the price was lowered by $350 million because of the breach announcement.

Yahoo announced in September 2016 that hackers broke into its infrastructure in 2014 and gained access to the details of about 500 million accounts. After receiving additional data from law enforcement, the company uncovered that it had also been breached earlier, in 2013. The company revealed in December that in the 2013 breach, hackers stole user account information including names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers for more than 1 billion accounts.

However, during the integration of Yahoo’s assets into Verizon’s infrastructure, new forensic information came to light that showed the 2013 breach actually affected Yahoo’s entire user base at the time, approximately 3 billion users, Oath said in a statement. The company is now notifying the rest of its users who hadn’t already been alerted in December.

The Yahoo data breach was already the largest in the history of the internet in terms of the number of affected users. The new figure of 3 billion compromised accounts puts it at a level that’s unlikely to be matched anytime soon, simply because very few companies have a similarly large user base.

Yahoo said that the stolen data did not include passwords in clear text, payment card data or bank account information. However, some security researchers are skeptical.

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge. “Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be brute-forced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals.”

“It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely,” said Rich Campagna, CEO of security firm Bitglass. “Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm.”

NFL Players’ Information Exposed Due to Misconfigured Elasticsearch Server

Security researchers found a publicly accessible Elasticsearch server containing personal information of 1,133 National Football League players and agents. The data included email addresses, mobile phone numbers, home addresses and IP addresses, and appears to have originated from nflpa.com, the website of the National Football League Players Association.

Elasticsearch is a search engine used in enterprise environments for big data projects. It’s typically used in conjunction with log collection, data analytics and data visualization platforms. While it’s not a database itself, Elasticsearch can contain sensitive information that is being cached for processing.

According to researchers from security firm Kromtech Alliance, the misconfigured Elasticsearch node was used to collect data from an audit module of Orchard CMS that is used to analyze user activity on nflpa.com. Orchard CMS is a free, open-source content management system.

The Kromtech researchers were not the only ones who found the server and its data, as hackers had already left a ransom note on it. The note dated from February and might have been the result of a larger attack against publicly exposed Elasticsearch servers at the time.

Among the NFL players who had their information exposed was former 49ers quarterback Colin Kaepernick.

“The seriousness of his data being leaked is that Kaepernick has told reporters that he has received multiple death threats since 2016 for protesting during the national anthem,” Bob Diachenko, Kromtech’s chief communication officer, said in a blog post. “He opted out of the final season of his contract with the 49ers to become a free agent and still remains unemployed after no NFL team picked him up for the 2017 season. His email, home address and personal phone number were available in plain text.”

This latest incident highlights the risks of not protecting cloud-hosted databases and other systems appropriately. Over the past year researchers have found personal customer information from many large companies stored in publicly accessible Amazon S3 buckets or in MongoDB databases.

Last month researchers found that attackers hijacked more than 4,000 misconfigured Elasticsearch nodes and used them to host malware command-and-control servers.

Serious Remote Code Execution Flaw Patched in Apache Tomcat

The Apache Tomcat developers released patches for a potentially dangerous remote code execution vulnerability that could allow attackers to upload malicious files on servers with certain configurations.

Apache Tomcat is an open-source web server for applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. It is popular in enterprise environments and is also integrated into various commercial products.

The newly patched vulnerability can be exploited if the default servlet is configured with the parameter readonly set to false or the WebDAV servlet is enabled with the parameter readonly set to false, researchers from a consultancy firm called Alphabot Security said in a blog post. “This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server.”

The problem has been fixed in Apache Tomcat 9.0.1, 8.5.23, 8.0.47 and 7.0.82. Users should upgrade as soon as possible because the issue has been publicly disclosed and a working exploit is available. The good news is that the vulnerable server configuration is not very common.

That said, as the recent Equifax data breach showed, failure to patch vulnerabilities in the software stack running on publicly exposed servers can have major repercussions.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
