Yahoo breach raises concern of break-ins across Internet

LONDON -- Information-security experts are concerned that the recently announced record-breaking haul of password data from Yahoo will be used to open locks up and down the Web.

While it's unknown to what extent the stolen data have been or will be circulating, giant breaches can send ripples of insecurity across the Internet.

"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter.

A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked user name and password combinations at websites to break in, a bit like a thief finding keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Shape Security in Mountain View, Calif. That means cybercriminals wielding 500 million passwords could hijack tens of thousands of accounts.

"It becomes a numbers game for them," Ghosemajumder said in a telephone interview.

At the moment it's not known who holds the passwords or whether a state-sponsored hacker, which Yahoo has blamed for the breach, would have an interest in passing the data to others.

Even if the hack was a straightforward espionage operation, Gartner security analyst Avivah Litan said that wouldn't be a reason to relax. Spies can mine trivial-seeming data from apparently random people to tease out their real targets' secrets.

"That's how intelligence works," Litan said in a phone call.

Business on 09/28/2016
