Yahoo admits to largest ever data breach
- Published: Friday, 23 September 2016 07:19
Yahoo has issued a statement in which its CISO, Bob Lord, says that “Yahoo believes that information associated with at least 500 million user accounts” was stolen by hackers in late 2014. As well as the size of the hack, the incident is noteworthy because of the length of time it has taken Yahoo to highlight the extent of the risk to its users. Attackers have had almost two years to exploit the stolen information without the majority of Yahoo’s users being warned about the data theft.
Yahoo’s statement says that it suspects that the attack was probably carried out by a state-sponsored actor and stolen data included “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Industry comments sent to Continuity Central in reaction to the Yahoo breach include:
Stephen Gates, chief research intelligence analyst at NSFOCUS:
"Although the breach was originally reported back in July of 2012, the size of the breach apparently was incorrectly reported. In 2012, the number of potentially compromised user credentials was estimated to be around 450 thousand. However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online. That’s a huge difference.
“Yahoo users, who have not changed their passwords since then, really need to do so now. In addition, if users have used the same username/password combination on any other online accounts, they’re at risk of hackers gaining access to those other online accounts; if hackers can determine what other online accounts a user may have.
“The Verizon purchase apparently comes with some ‘baggage’ that they most likely do not want to be associated with. The likelihood of this beach affecting the purchase is however, quite small. The responsible thing to do it to force all users to update their passwords; however, that action most likely will not be well received by Yahoo’s user community for a breach that happened over four years ago.
“Although the number of breaches on this scale have been reduced over the years, they are far from over. Today, organizations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale.
“Enterprises must first assess what hackers would likely want to steal from them. Once identified, enterprises must use all measures at their disposal to protect that data – at all costs. If an organization does not practice due diligence, then they can be accused of alleged negligence. Being found guilty of negligence is never good for anyone’s career.
“You must protect your data. It is what hackers are after. This is all about monetary gain, and people will go to almost any length to achieve it. Hacker’s understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data. Taking an Intelligent Hybrid Security approach will help protect what hackers are after."
David Gibson, VP of strategy and market development at Varonis:
“Hopefully Yahoo! will force password resets for all its users, even ones that it believes have not been affected. Dropbox learned this lesson the hard way. Users should also reset passwords for other accounts that share the same password as their Yahoo account and consider using a password manager going forward.
“It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will?
“There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.
“Breaches of this magnitude won’t slow until incentives are re-aligned. Dark Reading released a report recently stating that 80 percent of CSOs cite a lack of funding as being the #1 barrier preventing them from addressing cybersecurity challenges and 51 percent of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand. Until organizations are willing to invest more in security technology and pay a higher price tag to attract top security talent, they can expect similar results.
“Organizations need to invest more in cybersecurity teams, follow security best practices and make security a top priority if they want to stop hacks on this scale.
“The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just too easy for hackers to get their hands on critical data.
“Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organizations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100 percent isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
“When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organizations identify attackers on their network and hopefully mitigate any damage.
“Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Amichai Shulman, CTO and Co-Founder of Imperva:
"The ease of getting tons of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, make brute force attacks more effective than ever and force application providers to take proper measures to protect their users.
“Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.
“To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treat with caution logins from unexpected countries and anonymous sources, and compare login data to popular passwords and stolen credentials.
“As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported. Organizations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”
Michael Patterson, CEO of Plixer:
“It is interesting that - Peace – the alleged hacker who claimed to have access to 200 million user accounts and was selling them online just prior to the Verizon purchase of Yahoo. It may be just a hack or someone with a hidden agenda that designed the timing to try and disrupt a billion dollar transaction. Yahoo has been investigating this hack since August and should have immediately asked users to change their passwords while they look into the claims.”
Brian Laing, VP, Lastline:
“This hack only emphasizes the critical importance of maintaining strong authentication measures in both personal and professional web applications. With so many accounts potentially open for hacker use in distributing advanced malware, a data breach of this scale will no doubt have a far reaching impact on malware distribution worldwide. We recommend changing passwords immediately, and consider using a second factor authentication, to ensure that accounts are not being used by malware spammers. Because enterprise assets such as laptops are used in blurred fashion between personal and professional everyday in our daily lives, it also underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats. A hack like the Yahoo one can provide a very large distribution hub for malware, through legitimate accounts, on a huge scale for years to come.”
Michael Callahan, VP at FireMon:
“Given the size of Yahoo and the scale of this data breach, it is a good reminder that attackers are just waiting for organizations to slip up in their security measures before they seize the opportunity with both hands. Yahoo no doubt has a huge, complex array of security technology in place to try and prevent cyber attacks and the leaking of any customer data. The trouble is, this complexity is becoming increasingly common in organizations that seek to do the “right” thing by bolstering security with more solutions. But without the right intelligent tools to help make sense of the technology, policies and access permissions under one umbrella, it becomes almost impossible to manage. Therefore, we keep seeing these types of breaches happening and will keep seeing them happen until proper security management is addressed.”
Mark James, Security Specialist at ESET:
“500million accounts is huge by any standards, we sometimes get a little blasé as the numbers get higher but let’s not make any mistakes here, that’s a lot of customers’ information stolen here.
“Data breaches are on the up, it’s almost a daily occurrence but the damage it causes is massive. The data may be used for immediate financial gain or used later along with more information to enable identity theft or phishing attacks either way it could be very damaging for the victim.
“As always in these cases it’s the end user that ultimately pays the price, of course from a PR point of view it’s never good for the company that was breached but for the individual it could have long term financial implications if things go badly wrong. It could also mean accounts may be temporally unavailable and for some, emails are a lifeline. Changing email address if you move to another provider is not as easy as it sounds because of the nature of how email works you still need access to the old email in case of older websites that may require password resets or account recovery with the original email address.
“As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.
“Although it seems an easy task, stopping data breaches is not as easy as it sounds. Doing all you possibly can to stop it in the first place, ensuring that if it does happen then the data is stored in such a way it’s impossible to do anything with it and having a good contingency plan in case it happens is what organizations need to be doing.
“What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop. If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date. We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”
Brian Spector, CEO of MIRACL:
“This is a modern-day mega breach, and demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark Web.
“It is still too early for more detailed analysis, but the attack vectors commonly used to initialize attacks of this magnitude are to gain access by stealing employee or insider credentials. The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information - and steal it all.
“The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”