Why did it take Yahoo nearly four years to discover the biggest hack in history?

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
December 16, 2016

Yahoo’s reputation has plumbed new depths after it admitted on Wednesday it had fallen victim to the biggest hack in history.

It’s the second damaging revelation in a few months: in September the company revealed that it had suffered an attack that was not only huge in scale – 500,000 accounts were compromised – but had also taken it two years to even notice.

Users scrambling to change passwords therefore did so knowing that criminals had already had since 2014 to exploit their data.

That incident has now been surpassed on two counts, with the other hack affecting a staggering one billion accounts and this time occurring not just two but three years ago in 2013.

Users are being urged to change passwords and security questions, but once again the words ‘horse’, ‘stable’, ‘door’ and ‘bolted’ seem pertinent.

Some experts have advised users to go further still and close their accounts. Yahoo, which has for years been losing email market share to Gmail and Hotmail, can expect to see that trend accelerate.

The company, whose shares tumbled 6% following the revelations and whose $4.8bn sale to Verizon is now in doubt, has been ticked off by Germany’s cyber security authority for failing to adopt modern encryption techniques to protect users’ personal data.

Below, several cyber security experts share their verdicts on the latest hack, and their punches are very much non-pulled.

J Paul Haynes, CEO, eSentire

“Any breach that involves personally identifiable (PII) information – like names, addresses, and user credentials – can haunt its victims for months or years”

Any breach that involves personally identifiable (PII) information – like names, addresses, and user credentials – can haunt its victims for months or years. This information usually ends up on the dark web, where it’s cycled through buyers who can use that information to commit various forms of fraud.

Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts.

Joe Siegrist, CEO, LastPass

“The frequency of large-scale hacks may be contributing to security fatigue – leaving people feeling helpless in the face of multiple incidents”

The frequency of the large-scale hacks we’re hearing about may be contributing to security fatigue – leaving people feeling helpless in the face of multiple incidents. Take back control of personal security by not using and reusing weak passwords across your accounts.

Creating unique, long, complex passwords with a password management tool is a simple way to do this. It’s also advisable to do this instead of storing passwords in browsers as this could make them vulnerable to malware attacks.

Andersen Cheng, CEO, Post-Quantum

“M&A and IPO activities are on the rise, so there is a good chance we will see breaches or hacks uncovered as companies carry out due diligence before deals are finalised”

The latest Yahoo breach is catastrophic in numbers – easily the biggest data breach we have seen to date. Even more worrying is why this took so long to be disclosed, with the incident taking place nearly four years ago. It looks like these kinds of deals between companies will disclose even more of these historical incidents as we move forward.

M&A and IPO activities are on the rise, and they will continue to gather pace in 2017, such is the sheer volume of, and demand to invest in, the next tech ‘unicorn’. With this uptick in activity, there is a good chance that we will see data issues such as breaches or hacks uncovered as companies carry out their due diligence before deals are finalised. I expect there will be a few more unpleasant surprises uncovered next year.

Ilia Kolochenko, CEO, High-Tech Bridge

“Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout – may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected”

Announcing such a massive breach three years after it has occurred is a very serious, and hopefully well-thought-out, step taken by Yahoo. As we don’t have any clear technical details around what has actually happened, it’s difficult to draw any conclusions on who or what was at the origins of the breach.

However, I am pretty sure that this news has the potential to negatively impact the deal with Verizon. Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout – may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected.

I don’t think the breach will impact Yahoo’s customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers.

The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes. If they haven’t done so already after September’s disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense.

Eldon Sprickerhoff, founder and chief security strategist, eSentire

“The magnitude of this breach drives home how critical two-factor authentication is when it comes to account security”

The magnitude of this breach doesn’t just impact Yahoo account holders, it extends to anyone using web mail services and drives home how critical two-factor authentication is when it comes to account security.

We all have a role to play in the security of our own data. The same fate could be a reality for anyone not using two-factor authentication to secure their accounts.

In Yahoo’s case, account passwords were hacked. Think of it as a one-way encryption that can’t be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed, and feed it through the hash function, you end up with all possible hashed passwords.

You can then do a reverse lookup and find the actual password. What this means is that with standard password technology in place (like the kind used by Yahoo), hackers can easily identify user passwords.

Two-factor authentication takes security one step further, eliminating the need for hashes, and the risks associated with hashes. It’s a feature that’s enabled by adding another form of identity verification to the account sign-in process, like a phone number.

It’s a simple step that provides significantly more protection to account holders.

The greater risk with this particular breach is the countless other email accounts that could be impacted. Many Internet Service Providers (ISPs), like Rogers in Canada or Sky UK in the UK, use white-label Yahoo mail for their account holders. So, if you have a Rogers or Sky UK web mail account, you actually have a Yahoo email account. Regardless, the safest route for all users is to update all passwords and ensure two-factor authentication is enabled, immediately.
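The reverse-lookup weakness described in the comments above can be seen from the defender's side in a few lines. This is an added example, not part of the original article or of any quoted expert's remarks; the use of SHA-256 and PBKDF2, the candidate list and all account names are assumptions made for illustration, since the article does not say which algorithm Yahoo used.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed candidate list.
CANDIDATES = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo


def fast_unsalted(password):
    """Weak storage: one fast hash, no salt. Same password, same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    """Computed once, a digest -> password table applies to every account."""
    return {fast_unsalted(p): p for p in candidates}


def audit_unsalted(stored):
    """Defender's audit: which stored digests does the table reverse?"""
    table = build_lookup(CANDIDATES)
    return {user: table[d] for user, d in stored.items() if d in table}


def store_salted(password, salt=None):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak_db = {u: fast_unsalted(p) for u, p in
               [("alice", "letmein"), ("bob", "letmein"), ("carol", "v9#Lq!x2Rt")]}
    print("reversed by table:", audit_unsalted(weak_db))
    (salt_a, dig_a), (salt_b, dig_b) = store_salted("letmein"), store_salted("letmein")
    print("same password, same salted record?", dig_a == dig_b)
    print("table hit on salted record?", dig_a.hex() in build_lookup(CANDIDATES))
    print("login still works:", verify_salted("letmein", salt_a, dig_a))
```

With a 16-byte random salt per account, a table has to be rebuilt for each record, and the slow key-derivation function makes every guess in that rebuild expensive.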

Jamie Graves, CEO, ZoneFox

“Whether an external actor broke in, or the breach was through a trusted third party, once the attacker has gained a foothold they effectively become an ‘insider’, able to traverse and access systems with impunity”

We’ve known for a few months now that Yahoo suffered a big breach back in 2013, but what wasn’t clear was the sheer scale of the information taken. These latest figures are seismic.

While this hack is getting a lot of attention given the detrimental impact it is likely to have on Yahoo’s purchase by Verizon, it is vital that businesses everywhere take note and learn a lesson from what could be the biggest cyber-security breach in history.

Whether the breach occurred due to an external actor breaking in, or through a trusted third party, once the attacker has gained a foothold they effectively become an ‘insider’, able to traverse and access systems with impunity. As with any insider or trusted partner, if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning.

In order to identify and remedy the situation as fast as possible, businesses, no matter how large or small, must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately.

 
