Password breach could have ripple effects well beyond Yahoo

LONDON -- As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry the record-breaking haul of password data could be used to open locks up and down the web.

While it's unknown to what extent the stolen data has been or will be circulating -- or how easy it would be to use if it were -- giant breaches can send ripples of insecurity across the internet.

"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter .

A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building.

Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security.

That means cybercriminals wielding 500 million passwords conceivably could hijack tens of thousands of other accounts.

"It becomes a numbers game for them," Ghosemajumder said in a telephone interview.

So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?

That seems unlikely, given Yahoo said the "vast majority" of its passwords were stored in an encrypted form believed to be difficult to unscramble.

On the other hand, Yahoo said the theft occurred in late 2014, meaning hackers have had as many as two years to try to decipher the data.