Yahoo Breached! 500 Million Accounts Compromised, Hackers Release Photo of Michelle Obama’s Passport
Pastor Dewey Moede
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORIES:
–YAHOO! BREACHED!: Yahoo on Thursday confirmed a large-scale data breach in which 500 million accounts have been compromised in what it believes was a state-sponsored hack. The breach appears to be from 2014. According to the company, users’ “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers” may have all been acquired in the breach. “Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said in a statement. “Yahoo is working closely with law enforcement on this matter.” Yahoo said it would notify users who may have been affected and urged those who had not changed their Yahoo passwords since 2014 to do so. The company also noted that they believed “unprotected passwords, payment card data, or bank account information” were not compromised in the hack.
–MAYBE! ALSO! AROUND! 2012!: The hacker Peace is suggesting the hack may have actually been in 2012 not 2014. Peace has been trying to sell a database on the dark web allegedly containing 200 million Yahoo account names and there’s speculation that list is from around 2012. Peace announced that he possessed the database over a month ago. Yahoo, at the time, told Motherboard that they were “Aware” that a hacker who had previously sold legitimate password lists from LinkedIn and MySpace was selling a Yahoo file. This morning, when buzz started circulating that Yahoo would announce a massive breach, the assumption was this was the breach in question. It is unclear if this is connected in any way to the 2014 breach announced Thursday – purportedly more than twice the size, from a different year and not for an actor motivated by selling the info.
–IMPACT ON VERIZON SALE?: Marissa Mayer, chief executive of Yahoo has taken quite a bit of heat over the breach (Vanity Fair headline: THE BAD NEWS FOR MARISSA MAYER SOMEHOW MANAGES TO GET WORSE). She will still be stuck dealing with the fallout this will have on Yahoo!’s pending $5 billion sale to Verizon.
–BUT COULD MAYER HAVE DONE MORE?: A can’t miss security practice once Peace started publicly selling a list would be to force users to reset their passwords immediately, whether or not the list could immediately be confirmed. But users are not always as interested in best practices as the ones that don’t constantly require resetting passwords. And the dark web is filled with supposed data dumps that are really just patched together breaches from other sites.
–CLINTON IT CONSULTANT HELD IN CONTEMPT: The House Oversight Committee on Thursday morning voted on party lines to recommend that the House hold former State Department IT technician Bryan Pagliano in contempt of Congress. Pagliano was responsible for setting up Clinton’s private email server during her tenure as secretary of State. The former State Department employee declined to appear at an Oversight hearing on Clinton’s server last week, in spite of a subpoena demanding his presence. The committee held a follow-up hearing on the same subject on Thursday morning, which Pagliano also declined to attend. When Pagliano didn’t show, Republicans immediately adjourned the hearing and held a business meeting to vote on the contempt of Congress resolution. “Subpoenas are not optional,” Chairman Jason Chaffetz (R-Utah) said Thursday. “Mr. Pagliano is a crucial fact witness in this committee’s investigation of former Secretary of State Hillary Clinton’s use of a private server to conduct government business.” The resolution still needs to go to the House floor to be adopted. Outraged Democrats argued repeatedly that the move was an abuse of power that violates rules against harassing witnesses. “Never, no how, no way, no,” Rep. Gerry Connolly (D-Va.) said when asked to vote on the resolution.
–I (STILL) CANN: A push by Sen. Ted Cruz (R-Texas) to block the Obama administration from handing over management of the internet is not part of a short-term spending bill backed by Senate GOP leadership. Majority Leader Mitch McConnell (R-Ky.) filed the continuing resolution (CR) on Thursday without Cruz’s initiative, which had gotten fierce pushback from Democrats and the White House. Cruz and other conservatives wanted to block the administration from transferring the supervision of website domains from a Commerce Department contractor — the Internet Corporation for Assigned Names and Numbers — to a broader body that includes foreign governments. Cruz, who has kept the internet battle at the center of the spending fight, said Thursday that he was “profoundly disappointed” that the provision is being left out.To read the rest of our piece, click here.
A POLICY UPDATE:
–FEDERAL IT PROCUREMENT.The Modernizing Government Technology Act, aimed at upgrading woefully out-of-date agency information technology equipment, passed the House Thursday.
The bill, the marriage of two competing measures aimed at modernizing government technology, combined ideas from Rep. Will Hurd’s (R-Texas) MOVE IT Act and Rep. Steny Hoyer’s (D-Md.) IT Modernization Act. Both ideas would have created funds to allow agencies to replace obsolete equipment and reinvested the cost savings of using more efficient technology into upgrading more equipment.
The difference between Hurd’s and Hoyer’s bills had been MOVE IT’s proposal to grant funds directly to agencies and allow them to reinvest money on their own. The IT Modernization Act used a centralized fund to loan money for the upgrades to be repaid in the savings. The MGT Act uses both funding mechanisms.
The MGT Act passed under suspension of the rules on Thursday afternoon.
Hurd, Hoyer and other supporters, including federal chief technology officer Tony Scott, promote replacing out-of-date technology as cheaper than paying to maintain old legacy systems, and say it is also more secure.
–SMALL BUSINESSES.A bill to assist small businesses in the fight against digital threats passed the House on Wednesday.
The Improving Small Business Cyber Security Act calls for the Small Business Administration and the Department of Homeland Security to develop a strategy to aid small businesses that will leverage existing small-business development centers.
It was introduced by Reps. Richard Hanna (R-N.Y.) and Derek Kilmer (D-Wash.) and co-sponsored by a bipartisan slate including Small Business Committee Chairman Steve Chabot (R-Ohio) and ranking member Nydia Velázquez (D-N.Y.).
–MICHELLE OBAMA PASSPORT LEAKED? Hackers appear to have leaked the email files of a White House staffer working on Hillary Clinton’s Democratic presidential campaign, releasing a copy of first lady Michelle Obama’s passport and other internal documents.The website DC Leaks, which is believed to have ties to Russia, on Thursday morning revealed a cache of emails that appears to have been stolen from the account of a White House official.
The emails from the Gmail account of Ian Mellul, which date from February 2015 through July of this year, contain a mix of internal chit-chat, planning logistics and other materials from both the White House and Clinton campaign.
The website posted an image of what appeared to be the first lady’s personal passport on Twitter.
White House press secretary Josh Earnest could not confirm whether the hack is genuine but said the White House is looking into it.
DC Leaks claims to have been started by American hackers, though researchers have found strong circumstantial links between technical aspects of the site and Russian intelligence.
Chip cards are helping secure purchases nationwide. The proof is in the payments. Fraud dropped 38% at chip-ready stores in the U.S. this April vs. last year. See how chip cards are enhancing security. Click here to learn more.
WHO’S IN THE SPOTLIGHT:
–WHATSAPP. Privacy groups pushed the Federal Trade Commission (FTC) on Thursday to investigate WhatsApp’s decision to share user data with Facebook.”We are deeply concerned about the impact this proposed change in data practices will have on the privacy and security of WhatsApp users in the U.S. and across the world,” said the groups in a letter to the FTC’s chairwoman and commissioners.
“We urge the FTC to investigate this matter and to fulfill its obligation to prevent WhatsApp and Facebook from engaging in unfair and deceptive trade practices.”
The letter follows a complaint from two of the groups over the decision by WhatsApp to share some user data with its parent company, social network giant Facebook. Users can opt out of the data sharing.
The letter is signed by groups including Demand Progress and Consumer Watchdog.