In December last year, Yahoo admitted that over one billion user accounts were hacked. It looks like thousands of Australian government officials were among the users who had their Yahoo email addresses, passwords and other personal information stolen.
Yahoo has said the hacking occurred way back in 2013 and that the stolen information included email addresses, hashed passwords and other personal information. InfoArmor, which specialises in researching data theft, revealed that the database of compromised accounts was sold by an Eastern European cybercriminal gang called Group E for $300,000 each to three different buyers.
InfoArmor has since informed the Australian Department of Defence that over 3000 of the one billion account credentials stolen in the Yahoo hack were tied to Australian government officials. This includes high-profile politicians, senior Defence officials, Australian Federal Police officers, judges and staffers of the Australian Privacy Commissioner, according to the ABC, who first reported on the story.
InfoArmor had alerted the Department of Defence back in October, two months before Yahoo revealed the mega breach, that the stolen credentials for private Yahoo services were tied to Australian Government email accounts. Some of them were identifiable because government email addresses had been used as the recovery email addresses.
The ABC obtained a copy of the stolen database and identified a number of high-profile Australian politicians on the list. They included Social Services Minister Christian Porter, Shadow Treasurer Chris Bowen, Victorian Premier Daniel Andrews, Liberal MP Andrew Hastie, opposition health spokesperson Catherine King and Liberal senator Cory Bernardi.
Mind you, we don’t know how many of those Yahoo accounts remained active, and they’re not exclusively tied to the Yahoo email service: Flickr and Tumblr users also needed a Yahoo account to log in. Some Yahoo accounts may have been set up without the politicians’ knowledge by former staffers, according to the ABC.
In December, Yahoo said that stolen information may include “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”.
Yahoo said it had notified potentially affected users and has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Here’s the thing: while Yahoo had hashed the passwords, the use of MD5 has been criticised by security experts. According to the Sophos security blog Naked Security: “MD5 isn’t a good choice for this kind of hashing because in reality it doesn’t produce truly random hashes, and it’s possible to create MD5 ‘collisions’ where two different inputs produce the same hash. Its use has been discouraged in favour of better hashing functions for two decades.”
It’s easier to crack MD5 passwords than those hashed with better, purpose-built password hashing functions, because MD5 is fast to compute and, without a per-user salt, every user who chose the same password ends up with the same hash. Let’s hope the affected government officials don’t have anything important stored in Yahoo email accounts or a tendency to re-use passwords for other services on the internet.