Password breach could have ripple effects well beyond Yahoo
London, Sep 27: As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.
While it's unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.
"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter.
A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 per cent and 2 per cent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security.
That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts. "It becomes a numbers game for them," Ghosemajumder said in a telephone interview.
So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake? Ghosemajumder doesn't think so. He said he didn't see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords.
It's conceivable as well that Yahoo passwords have already been used to hack other services; the company said the theft occurred in late 2014, meaning that the data has been compromised for as long as two years.
"It is like an ecological disaster," Ghosemajumder said in a telephone interview. "But pick the right disaster. It's more like global warming than it is an earthquake. ... It builds up gradually."
The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July. Several weeks later, a cybercriminal using the handle "Peace" came forward with 5,000 samples and the startling claim to be selling 200 million more.
(AP)
-
India vs New Zealand T20 World Cup 2026 Final: Five Positive Signs Favouring India Before Title Clash -
IND vs NZ Final Live: When and Where to Watch India vs New Zealand T20 World Cup 2026 Title Clash -
Ind vs NZ T20 World Cup 2026: New Zealand Needs 256 Runs To Beat India And Win The World Cup -
UAE Attacks Iran, Becomes 5th Nation To Enter War; Reports Suggest Strike On Iranian Facility -
ICC T20 World Cup 2026 Final: Ricky Martin, Falguni Pathak To Perform At Closing Ceremony, How To Watch -
Who Is Nishant Kumar: Education, Personal Life and Possible Political Role -
IND vs NZ T20 WC Final: New Zealand Win Toss, Opt To Chase; Why Batting First Could Be A Tough Call For India -
Gold Rate Today 8 March 2026: IBJA Issues Fresh Gold Rates; Tanishq, Malabar, Kalyan, Joyalukkas Prices -
From Kerala Boy To World Cup Hero: Sanju Samson’s 89-Run Blitz, His Birth, Religion, Wife And Inspiring Story -
Hyderabad Gold Silver Rate Today, 8 March, 2026: Latest Gold Prices And Silver Rate In Nizam City -
Panauti Stadium? Is Narendra Modi Stadium an Unlucky Venue for India National Cricket Team? -
Storm Over West Bengal Govt's 'Snub' To President Droupadi Murmu
Click it and Unblock the Notifications
Sign in with Google