Yahoo has finally commented on the news that it was hacked by the "worst bug in the world." If you missed the original announcement, a security researcher claimed he found traces of Shellshock on Yahoo's servers and tens of millions of Yahoo users were potentially at risk. Read my original news story here.
Well, Yahoo is confirming that it was hacked. However, it claims that it wasn't due to Shellshock and that no customer information was stolen.
Here's the official statement by Alex Stamos, Yahoo's Chief Information Security Officer:
Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation, it turns out that the servers were in fact not affected by Shellshock.
This weekend, three of our Sports API servers had malicious code executed on them by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers do not store user data. At this time we have found no evidence that these attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.
Yahoo takes external security reports seriously and we run one of the most successful Bug Bounty programs in the world. We monitor our Bug Bounty and security aliases (firstname.lastname@example.org) 24/7 and we strive to respond immediately to credible tips.
We remain committed to providing the most secure experience possible for our users worldwide.
If you didn't follow the technical details, basically hackers did try to attack Yahoo with Shellshock and failed, but stumbled on a different flaw they could use. Fortunately, the bug was on servers Yahoo uses to update sports information, not anything that has customer information.
Yahoo was able to shut down the hackers before they got very far, and that, as they say, is that.
Of course, that's not the end of the story. Just because this attack wasn't successful this time doesn't mean another attack on Yahoo or another tech company won't be successful in the future. In fact, I guarantee another breach will happen; the only question is how soon and what company.
For the latest news on the data breaches that have already happened, and to learn about new ones, click here.