Yahoo’s Billion Blunder Breach

 

Lee Munson, Security Researcher, Comparitech

When Yahoo admitted earlier this year that it had been attacked in 2013, there were suggestions that the number of compromised accounts could place the company somewhere near the top of the pile in terms of the biggest ever data breaches. Now, there is no doubt, after it emerged that more than one billion accounts were compromised in the same year, possibly in an entirely separate attack. The worrying part of this news is the fact that the communications company does not appear to have noticed this second breach until November of this year, giving the attackers plenty of time to make merry with the stolen credentials. Thus, it is imperative that everyone with a Yahoo account should change their password immediately. Not only that, they should also change passwords elsewhere on the web too, if they have reused the same one across several accounts.

Yahoo's Billion Blunder Breach

New passwords should be unique to every site and account used and should be strong and lengthy, using letters, numbers and symbols, but not including words or dates of birth. Given the fact that Yahoo has said security questions and answers may also have fallen into unfriendly hands, its customers should in fact review every aspect of their personal security across the internet, especially for the most sensitive of accounts, such as online banking and credit card accounts. Additionally, the leaking of email addresses also makes it likely that Yahoo customers could be targeted by phishing attacks, prompting them into changing their login credentials on fake sites that are designed to look like banks, etc. So the advice here is to never click on links found in emails, unless absolutely certain that they have come from a legitimate source.

Yahoo does not appear to have noticed this second breach until November of this year. Click to Tweet

Alex Mathews, Lead Security Evangelist, Positive Technologies

Yahoo must feel like it has a giant target on its back at the moment. Given its years of operation, it has amassed a vast trove of people’s personal data which seemingly draws hackers like moths to a flame.  As the wholesale trading of stolen personal data continues online, the value of such a massive database of names, email addresses, phone numbers and passwords will have commanded a good price on dark online markets, especially when they were fresh. Forensic analysis will eventually determine the entry point for the attacker, but the fact it is not currently known will probably be causing much angst.  It is only once this is found and fixed that the brand can begin to pick up the pieces and truly reassure users. Yahoo users should be aware of increased phishing attempts, as well as being wary of unsolicited texts and phone calls, given that mobile numbers were stolen.  Now would be a great time to change passwords across the board, on everything from social media to other online services.

Brian Laing, Vice-President, Lastline

The damage inflicted upon a big business from a well orchestrated attack can exact costs for decades to come. These costs can range from the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement to the soft, but real losses of escalating customer churn and brand value decline. Companies too often fail to account for the magnitude of potential losses when resourcing preventative measures. Perhaps a Yahoo/Verizon deal adjustment may stand as a sober reminder how important it is to get a state-of-art cyber defense strategy in place.

Perhaps a Yahoo/Verizon deal adjustment may stand as a sober reminder... Click to Tweet

Javvad Malik, Security Advocate, AlienVault

Companies will always be targeted and breaches will occur. The larger the company, the more likely it will be targeted and breached. This statement should not come as a surprise to anyone. However, it is vitally important to be able to detect a breach in a timely manner so as to either prevent the breach, to minimize the impact, or to forewarn users, customers, and shareholders so that steps can be taken to prevent being caught off guard. However, when a breach is disclosed after three years, it has almost zero value. The damage has been long done and people could have ended up victims without realizing the source. The lack of breach detection is extremely worrying, and should serve as a reminder to all organizations of all sizes that if you hold user data, you have a responsibility to secure it.

A reminder to all organizations of all sizes that if you hold user data, you have a responsibility to secure it. Click to Tweet

Mark James, IT Security Specialist, ESET

Yahoo has announced that yet another breach has happened involving more than 1 billion of their user accounts. As breaches seem to be happening more and more these days we can be forgiven for allowing data breach news to fall on deaf ears, but we need to get this in perspective here, this breach supposedly happened in 2013. According to the source “internetlivestats”, in 2013 internet users worldwide amounted to just over 2.7 billion. Yahoo states over 1 billion user accounts were compromised, that’s over one third of the total internet users at the time. For perspective, just imagine as you’re walking down the street every third person you see has had their details stolen and are now accessible on the internet. So what can you do about the breach? NOTHING.

In 2013, Internet users worldwide amounted to just over 2.7 billion. Click to Tweet

There is nothing you can do about that particular breach, but you can try and limit any further damage as a result of your data going missing. Whenever headlines like this make the news, normally the first thing you read is “change your passwords”. It’s becoming the “go to” statement, but it’s a very valid point and one that should be default for any account that’s involved in a breach. When your data is stolen, purchased, hacked or traded, your details may be used to gain access to other accounts or logins. Changing those compromised passwords and any other account that may be using the same passwords could limit access for the criminals. You also need to think about any secret questions and answers that were used. If you’re not already, be overly cautious about emails or communications arriving out of the blue, especially any that require you to validate details or hand over further information. And always take a few minutes to make separate enquiries before giving up more private data.

Every 3rd person you see has had their details stolen and are now accessible on the Internet. Click to Tweet

If you have not already, now might be a good time to get a password manager. Many versions exist both free and paid that allow you to generate unique passwords for every site you visit as well as store all your existing ones, and evaluate your current passwords to see how they good they are. Lastly, consider two factor or two step verification for your accounts that allow it. A really good site to see if your service uses or allows 2FA is https://twofactorauth.org/. This allows you an extra level of protection above your username and password that is very easy to use and will stop others accessing your details without your permission.

Amichai Shulman, CTO, Imperva

If there’s one thing we learned in 2016, it is that breaches, and this latest Yahoo! one is of the largest ever, can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years. This Yahoo! breach and others before it from LinkedIn, Dropbox and Yahoo! itself teach us a couple of things:

  • Attackers are still ahead of enterprises. Even the larger companies when it comes to covering their tracks. (Which we have pointed to at the end of 2015). The alleged breaches were only detected once the leaked information surfaced on the web.
  • In these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches, a lot of the potential damage could have been avoided.

We can expect these “ghost hacks” from 2013 and 2014 to continue to haunt us in 2017, and likely in even bigger numbers than we’ve seen so far (in terms of incidents, not in terms of records). Enterprises should attempt to avoid exfiltration of sensitive information, especially when the attack is entirely from remote sources. And while ideally we’d catch these attacks in real time, if we focus on “timely detection” where we identify the breach in a few days or even a month later, it is still better than three years.

On average, an attacker will be in (the network) 205 days or more before detection. Click to Tweet

Ryan Kalember, SVP of Cybersecurity Strategy, Proofpoint

It’s critical that consumers and business alike realize that email credentials can be the gateway to more sensitive information than nearly anything else. News of the additional Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organizations and they target personal inboxes and account information with the same aggressiveness. Email is a necessity in our digital society and attackers are constantly working to exploit it. When a hacker gets into your email account, they can also steal sensitive information like your name, date of birth, past passwords, and even your security questions and answers.

The breach provides a direct link between an attacker and a victim. If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allows the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same, trust is broken and information is at risk. With the level of information available, cyber criminals will continue to attack companies and they won’t stop while they’re still being rewarded. Today, one billion consumers were breached. What will happen tomorrow? Businesses have to take the necessary steps in order to ensure that they don’t become the next headline.

Oliver Pinson-Roxburgh, EMEA Director, Alert Logic

The most critical part of an incident response process is lessons learnt. Organizations need to question how far the rabbit hole goes in all cases. As things are detected during an incident, work streams should be started to question where else data resides and how can it be accessed from the systems hacked. The lessons learnt is second only to how you respond to an incident in the first place. How to respond relies on what information you have, getting pertinent information when under extreme pressure is tough when you are in this position. It seems that in this case the investigators are still uncovering information, which again supports the fact that on average an attacker will be in 205 days or more before detection. It also supports the fact that, in many cases, organizations are unable to self-detect. An over reliance on blocking technologies and the lack of expertise, as well as the lack of  focus on detection coverage across the kill chain, is often the biggest challenge for organizations. In many cases for larger organizations, the challenge of getting visibility is compounded by complexity, the fact the investigation is ongoing suggests that complexity is hampering them.

Alez Cruz-Farmer, Vice-President, NSFOCUS

This is another huge blow for Yahoo!, and an example of where adoption of the latest security methods have not been implemented. We all can learn from Yahoo!’s misfortune, teaching us how to preempt and react to [potential] breaches, because the tools are out there on the market to help. With Yahoo! being such a behemoth organization, the question here is: Did they invest in security and, if so, how did it go so wrong?

Mike Ahmadi, Global Director, Synopsys

It is rather interesting to see the issue of cybersecurity risks being used as leverage in an acquisition, even if it is only speculation.  It seems like the market is ripe for a third party evaluation and certification as a way to demonstrate some level of due diligence.