Yahoo security problems a story of too little, too late

Sun Dec 18, 2016 5:39pm EST
Email This Article |
Share This Article
  • Facebook
  • LinkedIn
  • Twitter
| Print This Article | Single Page
[-] Text [+]

By Joseph Menn, Jim Finkle and Dustin Volz

SAN FRANCISCO/BOSTON/WASHINGTON (Reuters) - In the summer of 2013, Yahoo Inc launched a project to better secure the passwords of its customers, abandoning the use of a discredited technology for encrypting data known as MD5.

It was too late. In August of that year, hackers got hold of more than a billion Yahoo accounts, stealing the poorly encrypted passwords and other information in the biggest data breach on record. Yahoo only recently uncovered the hack and disclosed it last week.

The timing of the attack might seem like bad luck, but the weakness of MD5 had been known by hackers and security experts for more than a decade. MD5 can be cracked more easily than other so-called "hashing" algorithms, which are mathematical functions that convert data into seemingly random character strings.

In 2008, five years before Yahoo took action, Carnegie Mellon University's Software Engineering Institute issued a public warning to security professionals through a U.S. government-funded vulnerability alert system: MD5 "should be considered cryptographically broken and unsuitable for further use."

Yahoo's failure to move away from MD5 in a timely fashion was an example of problems in Yahoo's security operations as it grappled with business challenges, according to five former employees and some outside security experts. Stronger hashing technology would have made it more difficult for the hackers to get into customer accounts after breaching Yahoo's network, making the attack far less damaging, they said.

"MD5 was considered dead long before 2013," said David Kennedy, chief executive of cyber firm TrustedSec LLC. "Most companies were using more secure hashing algorithms by then." He did not name specific firms.

Yahoo, which has confirmed it was still using MD5 at the time of the attack, disputed the notion that the company had skimped on security.

"Over the course of our more than 20-year history, Yahoo has focused on and invested in security programs and talent to protect our users," Yahoo said in a statement to Reuters. "We have invested more than $250 million in security initiatives across the company since 2012."   Continued...

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/Illustration