Yahoo! fails to explain delayed news of 500m data hack, as questions mount on Verizon sale
Following news that internet service provider Yahoo!’s 2014 data breach was far more serious than previously thought, with more than 500 million records stolen, there has been a rush to condemn the company. But a longer term question over its sale to Verizon may be the most pressing issue for Yahoo! execs, writes Jeremy Cowan.
The criticisms focus on poor data protection policies and the failure of Yahoo!’s data privacy monitoring since the breach. Now observers are questioning the impact this will have on the ISP’s proposed sale to US network operator, Verizon.
Markus Jakobsson, chief scientist at Agari, comments: “While there will be speculation around what happened to cause this breach, the reality is these details may not ever be revealed or even truly uncovered by Yahoo! itself. The most likely scenario is that this attack was caused by malware, or the compromise of the account credentials of a user with privileged access to highly sensitive data.”
Rob Reid, the COO and founder of internet security solutions provider StayPrivate has this to say: “The Yahoo hack serves as the greatest warning yet that personal email accounts are easy targets for hackers, putting their users at considerable risk of being subjected to cybercrime. The wider public is only just becoming wise to the fact that the more we use our personal webmail accounts for sending information about ourselves, the more information exists on the open internet that can be used against us by cyber criminals. This hack highlights how cyber criminals aren’t just after big companies, but individuals.”
“The scariest thing in this case is that as yet neither Yahoo!, nor its users, are sure about what information has been compromised. We need greater awareness to the threats that consumers face and education about what solutions exist to best protect ourselves by keeping our personal data safe. At StayPrivate we work hard to inform both the business community and consumers about how easy it is for people to be a victim of cybercrime and provide the solutions to protect people,” says Reid.
Alex Mathews, EMEA technical manager at Positive Technologies, says, “Almost every year we see reports of ‘millions of leaked accounts of Yahoo! / Hotmail / Gmail / iTunes / etc.’. We would even suspect that some of this news is ‘designed’ especially for certain events. Yahoo!’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.
“The elephant in the room is Yahoo!’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers haul. If the investigation determines that this extremely sensitive information were stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo! in its responsibility to protect customers. Any Yahoo! customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.”
Mathews adds, “Despite many warnings, millions of users will still use very simple passwords like 1111, ‘qwerty’, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use the dictionaries of these popular passwords to ‘bruteforce’ the user accounts so perhaps now is the time to employ a little creativity. Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency.”
Justine Cross, regional director at Watchful Software, comments: “The unprecedented scale of the Yahoo! breach should be a watershed moment in the way businesses protect customer data. While it appears that customer passwords were encrypted, large amounts of other personally identifiable information, including names, email addresses, dates of birth, and phone numbers were apparently unprotected. This is still more than enough information for cyber criminals to cause serious harm through fraud and phishing attacks.
“If all customer data is classified and labelled as restricted, it will be encrypted and rendered unusable by any unauthorised user, greatly reducing the impact of a breach like this,” she adds. “Classification should be an automatic process the moment any personally identifiable data concerning a customer is created on the system. With this incident likely to cost millions of dollars, no organisation can afford to leave anything concerning their customer data to chance.”
Richard Parris, CEO of Intercede, tells IoT Now: “Given the numerous high profile data breaches already revealed this year, are we really surprised by the news from Yahoo!? The real problem is not in the hack itself but in service providers like Yahoo! relying on a fundamentally insecure, username- and password-based, user authentication. If a hack does happen, those details, and other identifying information, can be exposed and they are invariably used to access other services and defraud consumers.
“In my view, we are fast reaching the point at which the industry will have to be compelled to take action. If the first duty of any government is to protect the public, establishing and protecting identity in a digital world ought to be high on the list of priorities. Solutions are available and it’s surely time we locked the stable door with secure authentication and identity management before the digital horse has bolted.”
What you can do
On a personal level Gavin Millard, EMEA technical director, Tenable Network Security offers the following advice, “With the complex, data-rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.
“If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.”
Millard concludes, “One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mothers maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”