Hanqing Zhou|Yijiang Li|Jason M Mays|Karabo Ntokwane|Qianru Yang Yahoo Data Breach Team 4 Hanqing Zhou|Yijiang Li|Jason M Mays|Karabo Ntokwane|Qianru Yang

Background The Internet service company Yahoo! reported two major data breaches of user account data to hackers during 2016. Both breaches are considered the largest discovered in the history of the Internet : First announced breach Reported in September 2016, had occurred sometime in late 2014 Second announced breach Occurring earlier around August 2013, was reported in December 2016. Specific details of material taken include: names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords

What Happened & How In July 2016, account names and passwords for about 200 million Yahoo! accounts were for sale on "TheRealDeal" The seller--"Peace_of_Mind" stated in confidential interviews with Vice and Wired. Peace has previously been connected to sales of similar private information data from other hacks including that from the 2012 LinkedIn hack. Peace stated the data likely dates back to 2012, while some of the sample accounts were still active, they lacked necessary information to fully login properly, reflecting their age. Experts believe that Peace is only a broker of the information that hackers obtain and sell through him. Yahoo! stated they were aware of the data and were evaluating it, cautioning users about the situation but did not reset account passwords at that time.

Impact on the Customers Customer data that was leaked include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords Such information, especially security questions and answers, could help hackers break into victims' other online accounts

Impact on the Employees CEO stepped down Legal advisor resigned Operational disruptions

Impact on the business reputation Loss of Customer trust Brand devaluation Yahoo! is currently facing an SEC investigation Verizon and Yahoo will share the costs of the FBI investigation and other potential third party investigations

Impact on the business (financial) $16 million in direct costs related to the breaches, costs and liabilities created by lawsuits from customers and partners. class-action lawsuit shareholder lawsuits Verizon acquired Yahoo deal by $350 million less Share prices went down by 5% AT&T dropped revenue share agreement

Root Cause Outdated Data-Encryption Technology Vulnerability and weakness of MD5 algorithms Cryptographically broken of Customer accounts data MD5 algorithms vs. Hashing algorithms

Other Causes Secure Team’s failure on Security Practices Low priority of an upgraded data protection tool A Long-term Recession of Yahoo’s Business Less budget of security due to bad business Importance of system performance than security

What controls were missing? Lost enforcement on security Q&A encryption Cookie-basic attack and phishing attacks Part of account used MD5 algorithm Delay in discovering and reporting Dismissive of InfoArmor's services

Our Recommendations Full conversion from MD5 and SHA-1 algorithm to bcrypt for certificates and passwords. Reissue certificates to external Yahoo websites on a routine schedule. Prioritizing security as equal to consumer products. Develop a crisis management plan to address future breaches.

Thank you!