Yahoo data breach: these security experts have some questions for the Silicon Valley giant

Yahoo has revealed that 500 million of its customers’ accounts have been compromised following a major data breach.

So far, so unsurprising; barely a month passes these days without one of the world’s biggest companies confessing that the personal data of millions of its customers has been stolen or otherwise exposed.

What is striking about the Yahoo breach, however, is that it happened in 2014. The company’s CISO, Bob Lord, has issued advice on how users can reduce their exposure – but given that the announcement comes two years after the fact, the words ‘stable’, ‘door’, ‘horse’ and ‘bolted’ seem pertinent.

Here are the key details about the breach as explained by Yahoo CISO Bob Lord:

“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.” Yahoo CISO Bob Lord

You can the full statement in this Tumblr post.

A number of cyber security experts have issued their take on the revelations. Their comments, which include some probing questions that Yahoo must answer and advice for Yahoo users, are given below.

Rob Reid, COO and founder, StayPrivate

The scariest thing in this case is that as yet, neither Yahoo nor its users are sure about what information has been compromised

The Yahoo hack serves as the greatest warning yet that personal email accounts are easy targets for hackers, putting their users at considerable risk of being subjected to cybercrime. The wider public is only just becoming wise to the fact that the more we use our personal webmail accounts for sending information about ourselves, the more information exists on the open internet that can be used against us by cyber criminals. This hack highlights how cyber criminals aren’t just after big companies, but individuals.

The scariest thing in this case is that as yet, neither Yahoo nor its users are sure about what information has been compromised. We need greater awareness to the threats that consumers face and education about what solutions exist to best protect ourselves by keeping our personal data safe.

At StayPrivate we work hard to inform both the business community and consumers about how easy it is for people to be a victim of cybercrime and provide the solutions to protect people.

Troy Gill, manager of security research, AppRiver

Yahoo allegedly investigated the 200 million records for sale on the dark web.  Where those confirmed as valid? If so, why did it take this long to inform users? And why were no forced password resets issued?

The fact that Yahoo has now confirmed the breach is no surprise – the scale, however, is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet.

In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.

Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.

I would be interested to know the findings from Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web.  Where those able to be confirmed as valid? If so, why did it take this long to inform users of the breach? And why were no forced password resets issued?

Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organisations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.

Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are using a new password that is complex, lengthy and, most importantly, ‘unique’. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure they are not using the same password as their Yahoo account on other accounts as well.

Gavin Millard, EMEA technical director, Tenable Network Security

One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted

With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.

If you have a Yahoo account and have reused the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now.

Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.

One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mothers maiden name, first car, and first pet, which could lead to further exploitation and account misuse.

Leo Taddeo, chief security officer, Cryptzone

The best defense is to deploy access controls that examine multiple user attributes before allowing access

The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. The best defense is to deploy access controls that examine multiple user attributes before allowing access. This type of ‘digital identity’ makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.

Alex Mathews, EMEA technical manager, Positive Technologies

Any Yahoo customers would be prudent to change their passwords – although given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age

Almost  every year we see reports of “millions of leaked accounts of Yahoo/Hotmail/Gmail/iTunes etc”. We would even suspect that some of this news is ‘designed’ especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.

The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be among the hackers haul. If the investigation determines that this extremely sensitive information was stored unencrypted, then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.

Any Yahoo customers would be prudent to change their passwords – although given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.

Despite many warnings, millions of users will still use very simple passwords like ‘1111’, ‘qwerty’ or their own names. According to Positive Technologies research, the password ‘123456’ is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use the dictionaries of these popular passwords to ‘brute-force’ user accounts, so perhaps now is the time to employ a little creativity.

Yahoo does offer additional protection in the form of ‘account key’ and it would be prudent for users who continue using its service to employ this as a matter of urgency.

Richard Cassidy, UK cyber security evangelist, Alert Logic

That this 2014 breach is only now coming to light raises serious concerns for Yahoo customers

This is a considerable breach if reports citing 500 million leaked records are true. And the data seems to have already been monetized (in part) and firmly distributed via cyber criminal networks.

Service providers such as Yahoo will always be a high-value target for bad actor groups on the dark web, especially those looking to prove credibility. Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability.

There will also be a knock-on financial effect as worried shareholders seek to exit to safer stocks.

Anyone who has ever signed up to Yahoo services shouldn’t wait to hear from Yahoo on whether they may have been directly affected. Steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity.

Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve.

Regardless of organisation size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our security framework around threat detection and early warning of nefarious activity.

Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organisations at greater risk of a data breach.

It’s here that we need to shift our thinking and architecture; organizations need to assess their risk status, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit.

Reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organization.

That this 2014 breach is only now coming to light raises serious concerns for Yahoo customers. Questions need to be answered on why external communication has been withheld for so long.

Data breaches can (and do) occur across organizations of all types and sizes. Well defined incident response plans that communicate details of the breach in an effective, directed and reassuring manner both internally and externally, is the key to maintaining consumer and market confidence, not least providing affected users with the best possible chance of containing further breaches to other online accounts.

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Listen to the podcast today