Yahoo breach: a breakdown of the biggest data breach ever

Everyone can learn something from Yahoo's mistakes.

When looking for the recipient of the booby prize for the most shocking security failure of 2016, there can be no more worthy candidate than Yahoo, for not just one but two major data breaches disclosed this year, the second of which affected over one billion accounts.

Mark James, IT security specialist at ESET, summed up the scale of this breach nicely, stating that: “This breach supposedly happened in 2013. According to the source “internetlivestats”, in 2013 the internet users worldwide amounted to just over 2.7 billion. Yahoo states over 1 billion user accounts were compromised; that’s over one third of the total internet users at the time. For perspective, just imagine as you’re walking down the street that every third person you see has had their details stolen, and those details are now accessible on the internet.”

The news came as no shock to many of the world’s leading cyber security experts, who have been urging web users and companies who handle people’s personal information to take adequate steps to secure it.   

“When Yahoo admitted earlier this year that it had been attacked in 2013, there were suggestions that the number of compromised accounts could place the company somewhere near the top of the pile in terms of the biggest ever data breaches,” said Lee Munson, security researcher for Comparitech.com. “Now, there is no doubt, after it emerged that more than one billion accounts were compromised in the same year. The worrying part of this news is the fact that the communications company does not appear to have noticed this second breach until November of this year, giving the attackers plenty of time to make merry with the stolen credentials.”   

Javvad Malik, security advocate at AlienVault, said that it is inevitable that breaches will occur, and agreed that the fact that it took so long to disclose both breaches is worrying. “When a breach is disclosed after three years, it has almost zero value,” he said. “The damage has been long done and people could have ended up victims without realising the source.

“The lack of breach detection is extremely worrying, and should serve as a reminder to all organisations of all sizes that if you hold user data, you have a responsibility to secure it.” 

Paul Calatayud, CTO at FireMon, insisted, though, that this lack of clarity from Yahoo is not unusual. “The fact that Yahoo is not sure how the breach occurred is not uncommon. Often the forensic data is there, but being able to sift through the complexities and scale of a large technology base is a challenge.”

Potential outcomes

As one of the biggest data breaches in history, there is inevitably fallout for both the company and its customers.

“The damage inflicted upon a big business from a well-orchestrated attack can exact costs for decades to come. These costs can range from the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement to the soft-but-real losses of escalating customer churn and brand value decline,” said Brian Laing, VP at malware detection firm Lastline.

Furthermore, it has been reported that since these disclosures, Verizon has requested changes to its pending acquisition of Yahoo’s core assets.

“Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon,” surmised David Gibson, VP of strategy and market development at Varonis.

Mike Ahmadi, global director of critical systems security at Synopsys, continued: “It is rather interesting to see the issue of cybersecurity risks being used as leverage in an acquisition, even if it is only speculation. It seems like the market is ripe for a third party evaluation and certification as a way to demonstrate some level of due diligence.”

From a customer perspective, “Once big blobs of data like this are breached, they end up in many places. They hit black markets. They are passed around in dark corners of the Internet where bad guy experts brag to each other about their skills,” said Jonathan Sander, VP of product strategy for Lieberman Software.

“If there’s one thing we learned in 2016, it is that breaches – and this latest Yahoo one is among the largest ever – can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped up on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years,” continued Amichai Shulman, CTO of Imperva.

Lessons learned

Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said that “The most critical part of an incident response process is lessons learnt. Organisations need to question how far the rabbit hole goes in all cases.”

Breach detection, and the time it takes, was a common theme among the industry experts.

Amichai Shulman, CTO of Imperva, explained that, “This Yahoo breach and others before it teach us a couple of things: Attackers are still ahead of enterprises, even the larger companies, when it comes to covering their tracks. The alleged breaches were only detected once the leaked information surfaced on the web; and time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches, a lot of the potential damage could have been avoided.”

“We all can learn from Yahoo!’s misfortune, teaching us how to pre-empt and react to [potential] breaches, because the tools are out there on the market to help. With Yahoo being such a behemoth organisation, the question here is – did they invest in security and, if so, how did it go so wrong?” questioned Alex Cruz-Farmer, VP at NSFOCUS.

For Phil Lieberman, president of Lieberman Software, “The truth and lesson to be learned from this situation is that you must always be looking for intrusions, expect them, expect they will not be discoverable, and operate your infrastructure to minimize losses.  If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security as Yahoo now finds themselves.”

“For all of us, this breach is a reminder that your online identities are always at risk. There is a lot of talk about making sure you have strong passwords but when those passwords are exposed in a breach, there is a different issue that arises – what else can the hackers do with knowledge of your password?” said Paul Calatayud, FireMon.

Advice

The experts offered some advice for users of Yahoo.

Lee Munson, Comparitech.com, said that “It is imperative that everyone with a Yahoo account should change their password immediately. Not only that, they should also change passwords elsewhere on the web too, if they have reused the same one across several accounts.

“New passwords should be unique to every site and account used and should be strong – lengthy, using letters, numbers and symbols, but not including words or dates of birth.

“Given the fact that Yahoo has said security questions and answers may also have fallen into unfriendly hands, its customers should, in fact, review every aspect of their personal security across the internet, especially for the most sensitive of accounts, such as online banking and credit card accounts.”

Alex Mathews, lead security evangelist at Positive Technologies, suggested that users continue to remain vigilant. “Yahoo users should be aware of increased phishing attempts, as well as being wary of unsolicited texts and phone calls, given that mobile numbers were stolen. Now would be a great time to change passwords across the board, on everything from social media to other online services,” he said.

In terms of what companies like Yahoo can do, the answer will come from the top: “Security behind the protection of Personally Identifiable Information (PII) is a matter of culture and dedication, and is not necessarily a money issue.  The core of this problem lies at the feet of the CEO and Board of Directors in this case in not managing and monitoring their most precious asset: their customers’ information and thereby damaging shareholder equity,” said Lieberman.

Ryan Kalember, SVP of cybersecurity strategy at Proofpoint, concluded: “With the level of information available, cyber criminals will continue to attack companies and they won’t stop while they’re still being rewarded. Today, one billion consumers were breached. What will happen tomorrow? Businesses have to take the necessary steps in order to ensure that they don’t become the next headline.”

Dean Alvarez, Features Editor, IT Security Guru
Image Credit: Dennizn / Shutterstock