Here’s why Yahoo changed the timeline on its malware breach. Again.


Marissa Mayer, president and chief executive officer of Yahoo, delivers a keynote speech last week at the 2014 Consumer Electronics Show (CES) in Las Vegas. (David Paul Morris/Bloomberg News)

Yahoo’s ad servers were hijacked near the beginning of the year. Due to the hack, ads redirecting visitors to sites that download malware showed up on the Yahoo homepage and in products like Yahoo Mail and Messenger for some users. And Friday, Yahoo extended its suspected timeline of the event for the second time. But security experts say that these type of reassessments are par for the course when it comes chasing down cybercriminals.

A Yahoo spokesperson originally told the media the malware incident occurred on Jan. 3, then updated its statement to extend the breach back to Dec. 31 -- despite the security company that uncovered the malware incident originally reporting its first evidence of the hack dated back to Dec. 30. Now the official timeline is Dec. 27 - Jan. 3. And while earlier assurances said that "users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected," the company now says that though the bulk of those exposed were on European sites, "a small fraction of users outside of this region may have been impacted as well."

Yahoo's announcement is similar to Target's recent reassessment of the number of people affected by its security breach. While the company initially announced that credit and debit card information was stolen from as many as 40 million people, on Friday Target said hackers may have compromised the personal data of an additional 70 million people -- and the information included names, phone numbers and e-mail addresses rather than financial data. These changing figures can leave consumers feeling like companies are dragging their feet responding to a breach, or worse, outright misleading the public.

But experts say these changes aren't necessarily the result of incompetence or deception, but rather are often due to the difficult nature of doing forensic analysis on cybercrimes. "I don’t find it surprising when statistics regarding a breach change", says Nick Levay, the Chief Security Officer at cybersecurity firm Bit9. (Full disclosure: Levay and I were previously colleagues at the Center for American Progress.)

"At any point during an investigation, you can discover something that changes your understanding of the scope, " Levay explains, adding that inquires can be "further complicated by the fact that many attackers employ anti-forensic techniques to impede investigators." Yahoo confirmed to The Post that the update to the attack timeline was the result of "further investigation" into the attack, which it described as a "complex" issue.

While this can be frustrating for the public relations team of a breached company, this challenge is also part of what attracts some people to the information security field. "From a practitioner's perspective, it’s like unraveling a mystery," says Levay. "Every system or log could contain a plot twist." But Yahoo and Target, assuredly, would both prefer fewer twists at this point.

Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.
Comments
Show Comments
Most Read Business
Next Story
Timothy B. Lee · January 14