Yahoo! sets record for biggest breach in history!


Thought 500 million Yahoo! accounts compromised was big? Investigators discover a billion more accounts have been hacked!

Whilst investigating the 2014 breach, in which some 500 million accounts were found to be compromised in what was hailed as one of the biggest hacks ever, forensic experts have discovered that a further ONE BILLION accounts were hacked the year before, in 2013.

Yahoo has, in an official statement, admitted the severity of the 2013 breach.

“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016. For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.”

Here’s what the security industry is saying about it. Before you sit down with your tea and biscuits though, we should warn you that it doesn’t make for pleasant reading.

Andrew Bushby, UK director of Fidelis Cybersecurity
“The fact that a huge breach with personally identifiable data – including unencrypted security questions and answers – from one billion user accounts can go undiscovered for more than three years shows one thing; companies worldwide need to be reconsidering their security posture. It’s becoming increasingly clear that no company is immune from attack and as more companies are breached, more data will be up for sale in the public domain, making further attacks more likely – in essence, this means that preventative security solutions are no longer enough. Critically, in the case of Yahoo, it shouldn’t have taken the revelations and investigation of another breach to notice that the data of one billion accounts was making its way outside corporate control.”

Richard Parris, CEO at Intercede
“Companies have a responsibility to protect their customers’ data from malicious hackers. How many large-scale breaches of this kind will it take before the industry shuns the damned username and password once and for all? More secure methods of authentication have long existed – all it takes is a willingness from companies to implement these. And what’s more, some of the most secure methods today are more convenient to the end-user than having to remember a long and complicated password.”

Andrew Alston, UK director at Covata
“Yahoo is pointing the finger of blame at unnamed ‘state sponsored actors.’ Whoever they were, they clearly had the hacking skills to match their ambitions. It’s a stark reminder to all organisations that today’s cybercriminals are ultra-organised and often multiple steps ahead of their targets. Anyone who has a Yahoo account – even if they no longer use it – needs to be extra vigilant following this news. While Yahoo has been quick to point out that the passwords accessed in this incident were hashed, the algorithm used – MD5 – doesn’t deliver the levels of security offered by adopting more advanced encryption technology that secures data in individual pieces rather than in large sets. Simply put, MD5 just isn’t up to the task.”

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks
“While this may seem like a consumer issue at first, whenever a popular cloud service like Yahoo is hacked, the automatic response for enterprises should be to audit the ‘who, what, when, and where’ of the application’s usage within the company. In the wake of a breach like this, companies should measure exposure to the breach by identifying how many employees use Yahoo. Also, employees frequently reuse passwords, and hackers can use stolen passwords to access other accounts as we saw with Deliveroo recently. To combat this, companies should implement behavioural analytics to monitor for suspicious activity among affected accounts – the IT equivalent of post-breach credit monitoring.”

David Emm, principal security researcher at Kaspersky Lab
“There have been a number of cases this year of retrospective notifications of breaches that are of little help to customers affected by them. This underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner.”

Lee Munson, security researcher,
“Given the fact that Yahoo has said security questions and answers may also have fallen into unfriendly hands, its customers should, in fact, review every aspect of their personal security across the internet, especially for the most sensitive of accounts, such as online banking and credit card accounts.”

Javvad Malik, Security Advocate at AlienVault
“Companies will always be targeted and breaches will occur. The larger the company, the more likely it will be targeted and breached. This statement should not come as a surprise to anyone. However, it is vitally important to be able to detect a breach in a timely manner so as to either prevent the breach, to minimise the impact, or to forewarn users, customers, and shareholders so that steps can be taken to prevent being caught off guard. However, when a breach is disclosed after three years, it has almost zero value. The damage has been long done and people could have ended up victims without realising the source.”

David Navin, Head of Corporate at Smoothwall
“Recent research revealed that 13% of businesses believe they could lose customers in the event of a breach, which demonstrates that there is still a naive mind-set from those that don’t think a breach will affect their reputation. It needs to be hammered home that every company is vulnerable and will suffer the repercussions should a breach occur. The importance of security needs to be at the top of every boardroom’s agenda and across the C-suite. They need to ensure that they are complying with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance.”

Paul Glass, partner in the Data Protection team at international law firm Taylor Wessing
“Yahoo is now in the unfortunate position of having been the victim of the two biggest, in terms of number of affected users, breaches that are in the public domain. What is even more damaging is the news that a company of the size and user base of Yahoo was still using very low strength password hashing, and storing answers to security questions in plain text, in 2013.
Both of those have been recognised as very poor security for many years. Even if these breaches do turn out to be the action of a nation state, that doesn’t excuse such security practices. This latest breach must have a significant impact on the price of the Verizon acquisition. The scale of the two breaches, coupled with what they appear to show about Yahoo’s approach to security, will surely add even more weight to Verizon significantly lowering the purchase price. It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”
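The two weaknesses singled out above, by Andrew Alston (unsalted MD5 password hashes) and by Paul Glass (low-strength hashing plus security answers kept in plain text), are easy to demonstrate. The following is an added example, not Yahoo’s code and not taken from any of the firms quoted here. The account dump and the wordlist are constructed for the demonstration; the hardened form uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-account random salt, and applies the same treatment to security answers.

```python
import hashlib
import hmac
import os

# Constructed sample dump in the shape Yahoo described for the 2013 data:
# account identifier -> unsalted MD5 hex digest. Two accounts share a password.
SAMPLE_MD5_DUMP = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"password123").hexdigest(),
    "carol@example.com": hashlib.md5(b"xK9#vT2!mQ7p").hexdigest(),
}

# Constructed stand-in for a leaked-password wordlist.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "yahoo2013"]


def crack_unsalted_md5(dump, wordlist):
    """Dictionary attack on unsalted MD5.

    One hash per candidate word covers every account in the dump at once:
    without a salt, equal passwords produce equal digests, so a billion-row
    table costs no more to attack than a single row.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in dump.items() if digest in lookup}


# Hardened form: salted, iterated PBKDF2-HMAC-SHA256. 600,000 iterations is the
# order of magnitude OWASP recommends for this construction; the demo below
# passes a smaller count so that it runs quickly.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _normalise_answer(answer):
    # Security answers are typed from memory, so fold case and whitespace
    # before hashing; the same normalisation must run at verification time.
    return " ".join(answer.casefold().split())


def hash_security_answer(answer, salt=None, iterations=DEFAULT_ITERATIONS):
    """A security answer is a secret: store it exactly like a password."""
    return hash_password(_normalise_answer(answer), salt, iterations)


def verify_security_answer(answer, record):
    return verify_password(_normalise_answer(answer), record)


def crack_salted_store(store, wordlist):
    """The same dictionary attack against the hardened store.

    Every account carries its own salt, so the attacker must redo the full
    iterated derivation for every (account, candidate) pair; the precomputed
    lookup table that broke the MD5 dump is useless here.
    """
    found = {}
    for user, record in store.items():
        for word in wordlist:
            if verify_password(word, record):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print("MD5 dump cracked:", crack_unsalted_md5(SAMPLE_MD5_DUMP, WORDLIST))
    demo_store = {
        "alice@example.com": hash_password("password123", iterations=1000),
        "carol@example.com": hash_password("xK9#vT2!mQ7p", iterations=1000),
    }
    print("salted store cracked:", crack_salted_store(demo_store, WORDLIST))
```

Note what changes and what does not: a weak password (“password123”) still falls to a dictionary attack under PBKDF2, because the problem there is the password, not the storage. What the salt and the iteration count buy is that the attacker pays the full cost once per account per guess, instead of once per guess for the whole dump, and that two accounts with the same password no longer reveal the fact by sharing a digest.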

John Madelin, CEO at RelianceACSN. Prior to joining RelianceACSN, John was a Verizon VP responsible for the Verizon Data Breach Investigations Report
“If Verizon were seeking a billion-dollar discount from the agreed $4.8bn takeover, then logically a breach twice the size should shave off a further $2bn. Of course this is speculation, and we will see how this ultimately plays out, but it reinforces that in today’s business environment, security goes further than the responsibility of the IT department. It’s a boardroom issue, and it’s quickly becoming personal. It’s personal for the billion-plus users whose details have probably been sold on the dark web for the last three years, and it’s personal for the shareholders who will likely lose a large portion of their investments. It’s personal for the board, the security team and troubled CEO Marissa Mayer who will be held personally accountable for this loss of data and capital.”

Justin Fier, Director of Cyber Intelligence and Analysis at Darktrace
“Time and time again, we have seen attacks of this scale plague the news. It is clear that companies have a huge visibility problem – they cannot see what is happening inside their own networks. New forms of attacks are inconspicuous, and can remain in a network for weeks, or even months, before sounding any alarms. Yahoo’s latest breach, yet again, heralds the new era of ‘trust attacks’ that aim to erode faith in the integrity of our data, and the institutions who host it. With over a billion accounts breached, cyber-criminals are undoubtedly succeeding in undermining consumer confidence in an organisation’s ability to keep our information private. Companies need to ask themselves a crucial question: how do you stop the attacker already inside your network, before it escalates into a crisis?”

Mark James, IT Security Specialist at ESET
“So what can you do about the breach? NOTHING. There is nothing you can do about that particular breach, but you can try and limit any further damage as a result of your data going missing. Whenever headlines like this make the news, normally the first thing you read is “change your passwords”. It’s becoming the “go-to” statement, but it’s a very valid point and one that should be default for any account that’s involved in a breach. When your data is stolen, purchased, hacked or traded, your details may be used to gain access to other accounts or logins; changing those compromised passwords, and any other account that may be using the same passwords, could limit access for the criminals. You also need to think about any secret questions and answers that were used. If you’re not already, be over-cautious about emails or communications arriving out of the blue, especially any that require you to validate details or hand over further information, and always take a few minutes to make separate enquiries before giving up more private data.”

Dr Jamie Graves, CEO, ZoneFox
“While this hack is getting a lot of attention given the detrimental impact it is likely to have on Yahoo’s purchase by Verizon, it is vital that businesses everywhere take note and learn a lesson from what could be the biggest cyber-security breach in history. Whether the breach occurred due to an external actor breaking in, or through a trusted third party, once the attacker has gained a foothold they effectively become an ‘insider’, able to traverse and access systems with impunity. As with any insider or trusted partner, if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning.”

Ilia Kolochenko, CEO of web security firm High-Tech Bridge
“I don’t think the breach will impact Yahoo’s customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers. The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes. If they haven’t done so already after September’s disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense.”

Ed Macnair, CEO, CensorNet
“A breach of this size is almost unfathomable, even disregarding the fact this is the second massive breach disclosure from Yahoo in a matter of months. There have clearly been some historic security failings at the company and they are now paying the price. We’re living in an era where any data held online is inherently insecure and if the right controls aren’t in place, someone will steal it. While the numbers impacted in this case are massive, Yahoo isn’t the first and won’t be the last unless businesses do better at protecting the information they hold.”

Alex Mathews, Lead Security Evangelist at Positive Technologies
“Forensic analysis will eventually determine the entry point for the attacker, but the fact it is not currently known will probably be causing much angst. It is only once this is found and fixed, that the brand can begin to pick up the pieces and truly reassure users.”

Paul German, CEO at Certes
“Yahoo is relying on an outdated cyber security model which takes a ‘protect, detect, react’ approach, which simply does not work. The problem lies in the fact that once inside a network, there is a significant delay before a hacker is detected, leaving them free to move uninhibited, accessing vast quantities of sensitive data and wreaking havoc. There is a fundamental step missing: damage limitation. At whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected. This obvious step is missing from the cyber security strategies of some of the world’s biggest organisations and is the reason we are seeing hacks that affect consumers on such a massive scale. However, by looking to approaches such as cryptographic segmentation to contain a threat, businesses can ensure a hacker cannot roam freely across its network, significantly limiting the impact of an attack.”