Poor, poor Yahoo. Fresh from its recent Verizon acquisition, Yahoo has announced that 500 million user account credentials were stolen during an attack in 2014, making it one of the biggest data breaches of all time.
The data stolen includes names, email addresses, telephone numbers, birthdays, hashed passwords and some "encrypted or unencrypted security questions and answers."
In light of the news, various industry professionals have offered their reaction and analysis.
Chris Petersen, CTO and Co-Founder at LogRhythm:
“Breaches are damaging and expensive as Yahoo will soon find. The ramifications of a successful attack are far reaching, and could potentially impact their deal with Verizon. In addition, they’ll suffer from lost productivity, inconvenience to customers, and potentially the permanent loss of data and credibility.
"An organisation’s success in defending against a data breach is largely dependent on its level of preparation to respond to a successful intrusion. Attackers will successfully compromise systems, but a resulting data breach can be avoided if the company detects the intrusion quickly. Bottom line: Every organisation needs to prepare for a successful attack and be able to respond quickly. Every Yahoo user would be well advised to change their password and to be prepared for malicious emails coming their way.”
James Lyne, global head of security research, Sophos:
“We continue to see even the biggest companies breached by cybercriminals looking to gain access to the private information their users provide to create a profile, including their password, date of birth or security question data.
"Cyber criminals are very proficient at using such data to commit broader fraud, so the ramifications of such a breach can extend well beyond e-mail. Being aware of any data breach is important because many people use the same password for multiple accounts. For Yahoo users and all computer users, Sophos advises these six steps as “best practice” for protecting personal data and pre-empting potential fallout from any data breach:
Jacob Ginsberg, Senior Director at Echoworx:
“Unfortunately, this yet again demonstrates that “good enough” is not good enough when it comes to security. Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line.
"If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough – using strong encryption and salting passwords should be prerequisites for any organisation handling account information.”
Brian Spector, CEO of MIRACL:
“Is the Yahoo! breach what finally causes the US government to intervene on behalf of protecting people’s identities online (as we’ve seen in the EU with PSD2)?
"To date, there’s been over a billion user identities stolen as a result of current security processes and paradigms failing. It’s irresponsible of Yahoo! and any digital company to not protect its users from preventable password and personal information breaches. Any digital company that stores authentication credentials in a central web repository is inviting trouble.
"A new approach is the only solution for moving forward, regardless of the digital business. A distributed trust model that does not send or store authentication credentials on the web can provide a truly secure way of verifying the identity of a user. It’s time to move security into the 21st century. Let’s leave the username and the password security convention behind, where it belongs.”
Tyler Moffitt, Senior Threat Research Analyst at Webroot:
"Half a billion records of just emails would be impressive but half a billion names, email addresses, telephone numbers, birthdays, hashed passwords, and (the icing on the cake) “unencrypted security questions and answers” is astounding. These constant breaches only prove that the connected world we live isn't secure. It also reaffirms the need for one to heavily consider what info they hand off, regardless of how secure the site’s reputation is.
"On the bright side, no financial data was breached. And while no unencrypted passwords were stolen, the unencrypted security questions are basically the same thing. It's good Yahoo! is resetting the questions, but it doesn't change that they were compromised and that some were likely used for identity theft before Yahoo! disclosed the breach."
Jes Breslaw, director of strategy, EMEA at Delphix:
“Time and time again, we’ve seen the wide-ranging implications of a data breach. Consumer confidence takes a hit, reputations are left in tatters and fingers are pointed at those in charge of safeguarding the organisation from attack. Yet despite the growing number of global scandals, our research shows that only a quarter of data in the UK is masked.
“Traditionally organisations are very good at taking measures to protect data in their production systems, such as their websites, but neglect to protect the sensitive information held in their non-production environments where IT testing and development happens. In an evolving threat landscape, data conscious organisations need to ensure that data security is embedded into everyday practices.
"What’s needed is an irreversible process that obfuscates personal information but ensures dummy data is still available so organisations can prioritise security but ensure development processes continue unhindered."
Michael Callahan, VP at FireMon:
“Given the size of Yahoo and the scale of this data breach, it is a good reminder that attackers are just waiting for organisations to slip up in their security measures before they seize the opportunity with both hands. Yahoo no doubt has a huge, complex array of security technology in place to try and prevent cyber attacks and the leaking of any customer data.
"The trouble is, this complexity is becoming increasingly common in organisations that seek to do the “right” thing by bolstering security with more solutions. But without the right intelligent tools to help make sense of the technology, policies and access permissions under one umbrella, it becomes almost impossible to manage.
"Therefore, we keep seeing these types of breaches happening and will keep seeing them happen until proper security management is addressed.”
Kevin Cunningham, president and founder at SailPoint:
“Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base.
"The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls. It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”
James Maude, senior security engineer at Avecto:
“Users should be concerned about how a behemoth of the internet failed to notice this for such a long period of time. This is especially concerning as Yahoo promised to have overhauled security following the allegations of government interference in the Snowdon documents.
“For the consumer, it is time to consider the impact of this breach and evaluate what data they stored on their Yahoo account. Users of Yahoo mail services should be the most vigilant as their email account maybe the gateway to access many online services, from banking sites to dating websites, containing highly personal information. It is important to reset passwords that may be at risk and consider what other accounts were linked to Yahoo services, such as Flickr, that may store private family photos.
“Time and time again we see organisations failing to notice suspicious activity occurring in their environment and on their endpoints as they are reliant on failing detection solutions that simply can’t spot unique targeted attacks. As Yahoo were recently acquired by Verizon who annually publish the industry leading report on data breaches, there may well be a few awkward conversations happening internally this week.”
Paul Farrington, manager of EMEA solution architects at Veracode:
"2016 will live long in the memory of those who helped to create the Internet giant Yahoo. The company is being sold for a fraction of what it was once worth, and now is linked to one of the largest data breaches on record.
"The company tells us that hack was performed by a state-sponsored actor. It’s interesting that this is given prominence in the press release whilst other details remain undisclosed. Almost, a plea for clemency from the court of public opinion. Regardless of the motives of the hacker in the Yahoo breach, businesses should take immediate action to safeguard assets and protect customer data.
"This means investing in encryption, testing apps for vulnerabilities and building a comprehensive security strategy for the long term. CIOs and CISOs should be ready to answer the question from above… could this happen to us? in way too many cases, we believe it could."
Photo credit: g0d4ather / Shutterstock