Yahoo has confirmed that more than 500 million account holders’ details have been compromised in a data breach. The breach occurred in late 2014, and was likely carried out by a state-sponsored actor, Yahoo said in a statement. Personal information compromised in the breach includes usernames, email addresses, telephone numbers, dates of birth and hashed passwords, as well as encrypted and unencrypted security questions and answers. Though there is no evidence to suggest the hackers responsible are still in its network, Yahoo has encouraged users to change their passwords and security questions and answers.
The Guru was inundated with thoughts from security experts, so we decided to publish them all!
Ryan Wilk, VP at NuData Security:
“Once again, more news of a big breach hits the wire. A blockbuster breach, with staggering size and scope which has actually been baking since 2014 when the original breach occurred and was reported on. Still, 500 million records lost will likely make this one of the biggest on record. Sadly, while that number may be what Yahoo is aware of today, we can probably expect this number to rise. With this attack on half a billion user accounts, we are likely to see well over a billion accounts breached this year alone compared to about 800 million in 2015.
Clearly, hacks are getting bigger and more impactful. Like a snowball gaining speed and momentum, hacks are gaining in scope, sophistication and impact. All while feeding a fraud engine that leads to identity theft, account fraud and a myriad of other crimes that can be stopped.
This breach will rattle consumers badly. First, we all have to start accepting that breaches are an unhappy fact of life and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, hits everyone hard. Yahoo has a lot of long standing and trusted accounts. After all, who doesn’t have a Yahoo account? Even an old one sitting around might have emails and other personal information in it that could be used by a hacker later on.
You’ll hear a lot in the next few days about changing your password, and yes, while it’s good practice to change your usernames and passwords often and make them complex, it’s just not enough on its own. Data breaches continue to build upon each other, with each breach adding additional intelligence to achieving the goal of complete profiles of identities for a large segment of our population up for sale on the dark web. Access to this data in particular, can allow the bad actors to reset passwords on banking and e-tailer sites linked to Yahoo accounts, or use the data to apply for a new credit card, or even more frighteningly, gain access to your work credentials, where the damage could be colossal.
Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw, in our own database of 81 billion behavioural events annually, a 10% month-over-month increase in new account fraud.
There are behaviour-based methods that online merchants, banks, and providers, are going to need to deploy that will help keep consumer accounts safe, even if valid credentials are presented. These solutions give true insight into who sits behind the device – and provide near-perfect trust that it is the consumer, and not a fraudster using our identity information online. You can and should start expecting these multi-behaviour based solutions from those providers that protect your online accounts.
Knowing that we haven’t been able to stop these breaches from happening, and accepting the fact that much of our identity information is already on the dark web, is the first step that responsible providers need to take. The second step is putting into place security systems designed to protect their customers from the nefarious use of these stolen identities. And systems that stop these fraudsters in a completely passive and non-intrusive way to us, the consumers. The only way to achieve this is by truly being able to identify the identity of the user behind the device.
It’s time to make these breaches irrelevant by devaluing the data that hackers like “Peace” use. So even if they keep trying to steal “pieces” of our data, the data can become irrelevant, because no matter how sophisticated they get, they can’t steal our behaviour!”
Richard Cassidy, UK cyber security evangelist at Alert Logic:
“Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate. Furthermore, the data seems to have already been monetised (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb, especially those looking to prove credibility and stamp their name in the data heist record books (per se). Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability. Furthermore, the knock-on effect financially, as worried shareholders seek to exit to safer stocks, will create short to medium term fiscal unrest; however, it’s how Yahoo now communicate the details of the breach, helping users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used.
Without a doubt however, anyone who has ever signed up to Yahoo services shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not); steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organisation size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organisations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organisations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit.
Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organisation.
If initial reports that Yahoo experienced this particular breach back in 2014 are accurate, and it’s only now coming to light, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall what has to be learned from this event is that data breaches can (and do) occur across organisations of all types and sizes. Well defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner both internally and externally are the key to maintaining consumer and market confidence, not least providing users who have been affected with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.”
Ryan Kalember, SVP, cyber security strategy Proofpoint:
“Your email credentials are the single most sensitive piece of information you have. News of the Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organizations and they target personal inboxes with the same aggressiveness.
Email is a necessity in our digital society and attackers are constantly working to exploit it. It provides a direct link between an attacker and a victim. If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allows the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same: trust is broken and information is at risk.”
Leo Taddeo, CSO at Cryptzone:
“The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. The best defence is to deploy access controls that examine multiple user attributes before allowing access. This type of “digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”
Gavin Millard, EMEA Technical Director, Tenable Network Security:
“With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.
If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.
One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”
Alex Mathews, EMEA Technical Manager, Positive Technologies:
“Almost every year we see reports of “millions of leaked accounts of Yahoo / Hotmail / Gmail / iTunes / etc”. We would even suspect that some of this news is “designed” especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.
The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul. If the investigation determines that this extremely sensitive information was stored unencrypted then serious questions need to be answered, as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.
Any Yahoo customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.
Despite many warnings, millions of users will still use very simple passwords like 1111, “qwerty”, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use dictionaries of these popular passwords to brute-force user accounts, so perhaps now is the time to employ a little creativity.
Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency.”
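Both Gavin Millard and Alex Mathews above single out the unencrypted security answers as the most damaging part of the haul, since a stored answer reads straight back out of a dumped row. The block below is an added example (not Yahoo's, Tenable's or Positive Technologies' code) contrasting that plaintext storage with the alternative a practitioner would expect: normalise the answer, salt it per user, and run it through a slow password hash so the row holds only salt and digest. The PBKDF2 iteration count and the SHA-256 choice are assumptions for illustration; tune them to the target hardware.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example. PBKDF2-HMAC-SHA256 is used because it ships in the standard
# library; the iteration count is an assumption chosen to keep the example
# quick, and should be raised (or replaced with scrypt/argon2) in production.
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Fluffy ', 'fluffy' and 'FLUFFY' all match.

    Security answers are typed from memory, so without normalisation users
    lock themselves out; the cost is a small loss of entropy from case folding.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())  # strip ends, collapse internal whitespace


def store_answer(answer: str) -> dict:
    """Return the record to persist: a random per-answer salt and a slow hash.

    Nothing in the record lets a holder of the database dump read the answer
    back; they must guess it and pay PBKDF2_ITERATIONS hashes per guess.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def store_answer_plaintext(answer: str) -> dict:
    """The weak form the experts criticise: the answer itself sits in the row."""
    return {"answer": answer}


def leaked_answer_is_readable(record: dict) -> bool:
    """What an attacker holding the dumped row learns: the answer, or only a hash."""
    return "answer" in record
```

The caveat a practitioner would add: answers to "first pet" or "mother's maiden name" have far less entropy than a password, so hashing raises the cost of reading a dump but does not turn the answers into a strong factor; an attacker with the salt and digest can still run a short dictionary of common pets and surnames against each row. That is why several of the experts here point users at Account Key or two-factor authentication rather than at better security questions.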
Troy Gill, Manager of Security Research at AppRiver:
“The fact that Yahoo has now confirmed the breach is no surprise – the scale however is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and in all likelihood more impactful.
Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.
I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.
Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password [as their Yahoo account] on other accounts as well.”
Stephen Gates, chief research intelligence analyst at NSFOCUS:
“Although the breach was originally reported back in July of 2012, the size of the breach apparently was incorrectly reported. In 2012, the number of potentially compromised user credentials was estimated to be around 450 thousand. However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online. That’s a huge difference.
Yahoo users who have not changed their passwords since then really need to do so now. In addition, if users have used the same username/password combination on any other online accounts, they’re at risk of hackers gaining access to those other online accounts, if hackers can determine what other online accounts a user may have.
The Verizon purchase apparently comes with some “baggage” that they most likely do not want to be associated with. The likelihood of this breach affecting the purchase is, however, quite small. The responsible thing to do is to force all users to update their passwords; however, that action most likely will not be well received by Yahoo’s user community for a breach that happened over four years ago.
Although the number of breaches on this scale has been reduced over the years, they are far from over. Today, organisations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale.
Enterprises must first assess what hackers would likely want to steal from them. Once identified, enterprises must use all measures at their disposal to protect that data – at all costs. If an organisation does not practice due diligence, then they can be accused of alleged negligence. Being found guilty of negligence is never good for anyone’s career.
You must protect your data. It is what hackers are after. This is all about monetary gain, and people will go to almost any length to achieve it. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data. Taking an Intelligent Hybrid Security approach will help protect what hackers are after.”
David Gibson, VP of strategy and market development at Varonis:
“Hopefully Yahoo! will force password resets for all its users, even ones that it believes have not been affected. Dropbox learned this lesson the hard way. Users should also reset passwords for other accounts that share the same password as their Yahoo account and consider using a password manager going forward.
It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will?
There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.
Breaches of this magnitude won’t slow until incentives are re-aligned. Dark Reading released a report recently stating that 80% of CSOs cite a lack of funding as being the #1 barrier preventing them from addressing cybersecurity challenges and 51% of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand. Until organisations are willing to invest more in security technology and pay a higher price tag to attract top security talent, they can expect similar results.
Organisations need to invest more in cybersecurity teams, follow security best practices and make security a top priority if they want to stop hacks on this scale.
The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just too easy for hackers to get their hands on critical data.
Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Gubi Singh, Chief Operating Officer at Redscan:
“There is never a good time to be hit by a cyber-attack, but the reported breach appears to have happened at the worst possible moment for Yahoo and that’s unlikely to be a coincidence. Criminals will spend months planning and implementing attacks on companies of this size, with attackers biding their time to avoid detection.
For companies undergoing a merger or acquisition, a comprehensive cyber security assessment can reduce risk for all parties involved and has become a key part of the due diligence process.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Every single Yahoo user should be turning on Yahoo’s two factor authentication immediately. Yahoo has been prompting users to do this for months and most have ignored the call for extra security. If a headline like this can’t motivate them to take Yahoo’s good advice and use the extra security they’re offering, I’m not sure what could.
Many breach headlines evoke vague awareness – a company you’ve heard of, or something that sounds important. Yahoo is Internet royalty. The message everyone should take from this is truly anyone can be cracked. Apparently it’s a state level actor, which isn’t surprising given the amount of effort and resources it likely took to break security at one of the Internet’s biggest names.”
Amichai Shulman, CTO and Co-Founder of Imperva:
“The ease of getting tons of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, make brute force attacks more effective than ever and force application providers to take proper measures to protect their users.
Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.
To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials.
As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported. Organisations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”
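The detection measures Amichai Shulman lists above (rate limiting, automated-client detection, unexpected-country logins, and comparison against popular-password and stolen-credential lists), together with the popular-password dictionaries Alex Mathews describes earlier, are shown below as one added example run over constructed login events. This is not Imperva's, Positive Technologies' or Yahoo's code; the thresholds, the IP-to-country table (TEST-NET addresses), the automation markers, the popular-password set and the "breached" corpus are all constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict, deque

# Added example. Every constant below is an illustrative assumption.
WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_IP = 20        # credential stuffing: many accounts, one source
MAX_ATTEMPTS_PER_ACCOUNT = 5    # brute force: one account, many passwords
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}
AUTOMATION_MARKERS = ("headlesschrome", "python-requests", "curl/", "phantomjs")
# Constructed geo lookup standing in for a real IP geolocation database.
IP_COUNTRY = {"203.0.113.7": "GB", "198.51.100.9": "RU", "192.0.2.44": "GB"}


def cred_fingerprint(user: str, password: str) -> str:
    """Hash the pair so the stolen-credential corpus never holds plaintext."""
    return hashlib.sha256(f"{user.lower()}:{password}".encode("utf-8")).hexdigest()


# Constructed stand-in for credentials already circulating from other breaches.
BREACHED_CREDS = {cred_fingerprint("alice@example.com", "Summer2014!")}


class LoginMonitor:
    def __init__(self, home_countries: dict):
        self.home = home_countries          # account -> set of usual countries
        self.by_ip = defaultdict(deque)     # sliding windows of attempt timestamps
        self.by_account = defaultdict(deque)

    def _count(self, bucket: dict, key: str, now: int) -> int:
        """Record an attempt and return how many fell inside the window."""
        q = bucket[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q)

    def evaluate(self, event: dict) -> list:
        """Return the detections raised by one login attempt (empty if clean)."""
        findings = []
        if self._count(self.by_ip, event["ip"], event["ts"]) > MAX_ATTEMPTS_PER_IP:
            findings.append("ip_rate_limit")
        if self._count(self.by_account, event["user"], event["ts"]) > MAX_ATTEMPTS_PER_ACCOUNT:
            findings.append("account_rate_limit")
        ua = event.get("user_agent", "").lower()
        if not ua or any(marker in ua for marker in AUTOMATION_MARKERS):
            findings.append("automated_client")
        country = IP_COUNTRY.get(event["ip"], "??")   # unknown/anonymous source -> "??"
        if country not in self.home.get(event["user"], set()):
            findings.append(f"unexpected_country:{country}")
        if event["password"] in POPULAR_PASSWORDS:
            findings.append("popular_password")
        if cred_fingerprint(event["user"], event["password"]) in BREACHED_CREDS:
            findings.append("known_breached_credential")
        return findings


def run_sample() -> dict:
    """Replay constructed attempts; return {event index: findings} for flagged ones."""
    mon = LoginMonitor({"alice@example.com": {"GB"}, "bob@example.com": {"GB"}})
    events = [
        {"ts": 0, "ip": "203.0.113.7", "user": "alice@example.com",
         "password": "c0rrect-h0rse", "user_agent": "Mozilla/5.0 Firefox/48.0"},
        # Alice's leaked password replayed from an unusual country by a script.
        {"ts": 1, "ip": "198.51.100.9", "user": "alice@example.com",
         "password": "Summer2014!", "user_agent": "python-requests/2.11"},
        # Bob logging in normally but with a dictionary password.
        {"ts": 2, "ip": "192.0.2.44", "user": "bob@example.com",
         "password": "123456", "user_agent": "Mozilla/5.0 Chrome/53.0"},
    ]
    # Credential-stuffing burst: one source IP, many accounts, one popular password.
    for i in range(25):
        events.append({"ts": 3 + i, "ip": "198.51.100.9", "user": f"user{i}@example.com",
                       "password": "qwerty", "user_agent": "curl/7.50"})
    # Brute-force burst: one account, several password guesses from a home-country IP.
    for j in range(7):
        events.append({"ts": 40 + j, "ip": "192.0.2.44", "user": "bob@example.com",
                       "password": f"guess{j}", "user_agent": "Mozilla/5.0 Chrome/53.0"})
    flagged = {}
    for index, event in enumerate(events):
        findings = mon.evaluate(event)
        if findings:
            flagged[index] = findings
    return flagged
```

Two design points worth noting. The per-IP and per-account counters are deliberately separate: a stuffing campaign touches each account once, so only the source-IP window sees it, while a brute-force run against one account from a residential address trips only the account window. And the stolen-credential check compares a hash of the username/password pair rather than the password alone, so the corpus can be shared with a detection service without distributing the plaintext it is meant to protect against.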
Michael Patterson, CEO of Plixer:
“It is interesting that Peace, the alleged hacker, claimed to have access to 200 million user accounts and was selling them online just prior to the Verizon purchase of Yahoo. It may be just a hack or someone with a hidden agenda that designed the timing to try and disrupt a billion dollar transaction. Yahoo has been investigating this hack since August and should have immediately asked users to change their passwords while they looked into the claims.”
Michael Callahan, VP at FireMon:
“Given the size of Yahoo and the scale of this data breach, it is a good reminder that attackers are just waiting for organisations to slip up in their security measures before they seize the opportunity with both hands. Yahoo no doubt has a huge, complex array of security technology in place to try and prevent cyber attacks and the leaking of any customer data. The trouble is, this complexity is becoming increasingly common in organisations that seek to do the “right” thing by bolstering security with more solutions. But without the right intelligent tools to help make sense of the technology, policies and access permissions under one umbrella, it becomes almost impossible to manage. Therefore, we keep seeing these types of breaches happening and will keep seeing them happen until proper security management is addressed.”
Mark James, Security Specialist at ESET:
“500 million accounts is huge by any standards; we sometimes get a little blasé as the numbers get higher, but let’s not make any mistakes here, that’s a lot of customers’ information stolen.
Data breaches are on the up; it’s almost a daily occurrence, but the damage it causes is massive. The data may be used for immediate financial gain or used later along with more information to enable identity theft or phishing attacks; either way it could be very damaging for the victim.
As always in these cases it’s the end user that ultimately pays the price. Of course from a PR point of view it’s never good for the company that was breached, but for the individual it could have long term financial implications if things go badly wrong. It could also mean accounts may be temporarily unavailable and for some, emails are a lifeline. Changing email address if you move to another provider is not as easy as it sounds; because of the nature of how email works you still need access to the old email in case of older websites that may require password resets or account recovery with the original email address.
As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.
Although it seems an easy task, stopping data breaches is not as easy as it sounds. Doing all you possibly can to stop it in the first place, ensuring that if it does happen then the data is stored in such a way it’s impossible to do anything with it and having a good contingency plan in case it happens is what organisations need to be doing.
What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop. If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date. We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”
Brian Spector, CEO of MIRACL:
“This is a modern-day mega breach, and demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark Web.
It is still too early for more detailed analysis, but the attack vectors commonly used to initialise attacks of this magnitude are to gain access by stealing employee or insider credentials. The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrespective of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”
Matt Walmsley, Director, EMEA at Vectra Networks:
“While this breach has undoubtedly rocked Yahoo to its core, and public notification took a long time, the company is lucky to have even spotted the breach. Under stringent upcoming data legislation such as GDPR, which comes into force in May 2018, the way this breach came to light and was handled would have left EU organisations at risk of a potential fine of four per cent of global turnover. If any of the Yahoo user data compromised by this hack is connected to EU citizens, uncovering the situation now does at least avoid that scenario – this time.
It’s extremely concerning just how many organisations are still blissfully unaware of huge data breaches taking place within their network infrastructure. Research shows that only about two out of 10 data breaches are detected internally – leaving around 80 per cent of data breaches detected by external discovery and third party agencies. The huge delay in this breach coming to light, and more shockingly the lack of awareness that anything even happened until an external party alerted Yahoo, clearly shows the growing challenge of maintaining visibility across increasingly large and complex networks alongside physically unmanageable data centres. In this case, it’s reasonable to assume that the breached user account data was held in Yahoo’s data centres, an area of diverse, and in many cases, under protected security risks.
There are plenty of opportunities to catch a hacker in-progress when an organisation is penetrated, before they can achieve their goal. For example, during the attacker’s reconnaissance, escalation, data corruption or exfiltration. Each of these phases of the attack often occur over an extended period of time. This offers ample chance to identify the infiltrator’s behaviour, and make an early and effective intervention before the intrusion becomes a full blown critical incident involving 500 million users’ data. As network infrastructure continues to expand, it will only be the automation of such detections, using innovation like artificial intelligence, that can ensure these subtle indicators of in-progress attacks can be searched for 24/7/365 at scale and in real–time.”
Rob Reid, COO and Founder at StayPrivate:
“The Yahoo hack serves as the greatest warning yet that personal email accounts are easy targets for hackers, putting their users at considerable risk of being subjected to cybercrime. The wider public is only just becoming wise to the fact that the more we use our personal webmail accounts for sending information about ourselves, the more information exists on the open internet that can be used against us by cyber criminals. This hack highlights how cyber criminals aren’t just after big companies, but individuals.”
“The scariest thing in this case is that as yet neither Yahoo, nor its users, are sure about what information has been compromised. We need greater awareness to the threats that consumers face and education about what solutions exist to best protect ourselves by keeping our personal data safe. At StayPrivate we work hard to inform both the business community and consumers about how easy it is for people to be a victim of cybercrime and provide the solutions to protect people.”
Andersen Cheng, CEO at Post-Quantum:
“To date there is no clear evidence about the mechanism used by the hackers in what is one of the largest data thefts in history. We can only assume it was due to unauthorised access to Yahoo’s database, which is known to have suffered security lapses in the past.
I understand from intelligence sources that there have been similar breaches to other databases, not necessarily in terms of size but in terms of significance, which have not yet been reported by other entities.
The Yahoo! breach is yet another case of how organisations handle access control to the large swathes of personal data they hold. At present very few companies have proper processes in place to manage segregation of duties in the digital world. All operating systems we use today have not been designed with such processes in mind – which is a major concern.
In fact, current access management tools are outdated, not effective and certainly won’t be in coming years, when computers and hackers alike become more sophisticated. This is because the focus of these systems is on detection, rather than prevention. As this Yahoo! theft shows, such an approach is useless, particularly when such a theft can go undetected for years.”
Ben Harknett, Managing Director EMEA at RiskIQ:
“Reports of the Yahoo cyber-breach this morning call into question organisations’ ability to know how vulnerable their digital assets are, and how exposed customer data could be if it was to fall into the wrong hands. With increased sophistication of cyber-crime, state-sponsored or not, the emphasis on cyber security needs to shift from cure to prevention. As a business, knowing what your entire attack surface looks like from the moment of design to implementation and throughout its lifespan is crucial. No matter what size, the digital footprint needs to be constantly monitored so organisations know exactly which digital assets they have, where they are and if there are any weaknesses which could be exploited. Acting in a state of planned defence helps to reduce the likelihood of attack, where the consequences can be potentially devastating to the business, but most of all, the customers whose data is trusted to them.”
Justin Feir, Director of Cyber-Intelligence and Analysis at Darktrace:
“While there is very little data on this breach, likely because of potential impact on the Verizon merger, it could possibly serve as a herald of increasing ‘trust attacks’ – attacks that have the potential to degrade credibility or public confidence.
This could be the first time we see an attack aimed at directing economic influence vs political. Also, we may see, similar to the LinkedIn hack which happened a couple of months ago, major ramifications in terms of what’s good cyber hygiene. Ultimately, organisations need to accept that these hacks will only continue to happen. It is critical to adopt a fundamentally new approach to security.”
Justine Cross, Regional Director at Watchful Software:
“The unprecedented scale of the Yahoo breach should be a watershed moment in the way businesses protect customer data.
While it appears that customer passwords were encrypted, large amounts of other personally identifiable information, including names, email addresses, dates of birth, and phone numbers were apparently unprotected. This is still more than enough information for cyber criminals to cause serious harm through fraud and phishing attacks.
If all customer data is classified and labelled as restricted, it will be encrypted and rendered unusable by any unauthorised user, greatly reducing the impact of a breach like this. Classification should be an automatic process the moment any personally identifiable data concerning a customer is created on the system. With this incident likely to cost millions of dollars, no organisation can afford to leave anything concerning their customer data to chance.”
Paul German, VP EMEA at Certes:
“As Yahoo deals with the fall out of the biggest cyber theft of customer information to date, this should set alarm bells ringing for businesses around the globe. Even heavyweights like Yahoo and LinkedIn have a problem protecting consumer data, pointing to an inherent flaw in the way cyber security is being approached.
The problem lies in the fact that once hackers cross a company’s carefully laid out cyber defences, the network, and the treasure trove of data within it, is their oyster. Moving laterally, they are able to siphon off huge swathes of valuable information without difficulty until they are detected, often months after the initial breach.
The problem lies in the current cyber security model which takes a ‘protect’, ‘detect’, ‘react’ approach. There is a significant lag between the protection being sidestepped and the criminal being detected. Currently this leaves a hacker free to rummage through a company’s most sensitive data, wreaking havoc. There is a fundamental step missing – at whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected.
Most businesses now see a security breach as a ‘when’ rather than an ‘if’ situation, and it is vital that they take steps to limit the damage and protect the data of thousands, if not millions of consumers.”
Richard Parris, CEO at Intercede:
“Given the numerous high profile data breaches already revealed this year, are we really surprised by the news from Yahoo? The real problem is not in the hack itself but in service providers like Yahoo relying on fundamentally insecure, username-and-password-based user authentication. If a hack does happen, those details, and other identifying information, can be exposed and they are invariably used to access other services and defraud consumers.
In my view, we are fast reaching the point at which the industry will have to be compelled to take action. If the first duty of any government is to protect the public, establishing and protecting identity in a digital world ought to be high on the list of priorities. Solutions are available and it’s surely time we locked the stable door with secure authentication and identity management before the digital horse has bolted.”
Jeff Kukowski, COO at SecureAuth:
“Yahoo’s data breach is an important reminder for organizations to move beyond the simplistic username and password authentication model – as evidenced by the fact that the company itself is now asking users to implement Yahoo Account Key. We know the reality is that users not only keep passwords simple, they continue to reuse them across multiple sites and since these compromised passwords are also associated with an email address the threat of major data loss for consumers is very real.
Smart organisations are already moving to stronger methods of user authentication, including adaptive access control techniques and multi-factor authentication as a way of safeguarding credentials. It is imperative that more organizations take this lead and look to implement adaptive access in a way that, in addition to the credentials, performs risk-analysis as part of the authentication process. This helps render stolen credentials completely worthless across the breached site.”
Paul Farrington, manager of EMEA solution architects at Veracode:
“2016 will live long in the memory of those who helped to create the Internet giant Yahoo. The company is being sold for a fraction of what it was once worth, and now is linked to one of the largest data breaches on record. The company tells us that the hack was performed by a state-sponsored actor. It’s interesting that this is given prominence in the press release whilst other details remain undisclosed. Almost a plea for clemency from the court of public opinion.
Regardless of the motives of the hacker in the Yahoo breach, businesses should take immediate action to safeguard assets and protect customer data. This means investing in encryption, testing apps for vulnerabilities and building a comprehensive security strategy for the long term. CIOs and CISOs should be ready to answer the question from above: could this happen to us? In way too many cases, we believe it could.”
David Navin, Corporate Security Specialist at Smoothwall:
“Data breaches are becoming increasingly common, with Yahoo the latest to suffer with the largest breach ever seen. This should be a wakeup call for companies as in today’s digital era, no one is immune and they need to be ‘Prepared’ for when a breach will happen. It is imperative that companies ensure that they have a robust security system in place to mitigate these risks and to safeguard their data should a breach occur.
“With recent research showing only 13% of businesses believe they could lose customers in the event of a breach, there is still clearly a naive mind-set from those who don’t think a breach will affect their reputation. It needs to be hammered home that every company is vulnerable and will suffer the repercussions should a breach occur.
“The importance of security needs to be at the top of every boardroom’s agenda, with the CEO, CFO and CTO ensuring they are educated to the risks and understand the importance of having strong enterprise grade security measures in place, beginning with firewalls, encryption and good security software. Security needs to be taken seriously at all points of the organisation, to ensure that all employees understand the risks of their actions and know the security processes in place should an incident occur, in order to mitigate the risks in the event of a breach.”
Chris Hodson, EMEA CISO at Zscaler:
“The most burning questions following the Yahoo hack disclosure are how and why? – how did they get in and what were the motives of these criminals?
With no technical details included in Yahoo’s report about how the data was exfiltrated, just that it was, it’s impossible to assess the credibility of the ‘state sponsored’ claim without this. In this instance, we can only speculate that the ‘state sponsored actor’ claim was made with a view to placating the general public. The act of stealing heaps of personal information but leaving financial credentials untouched also highlights that the motives of the assumed ‘state sponsored actors’ were not immediate financial fraud.
It might well be that Yahoo has had support from government departments and that attribution has been possible but equally, ‘state-sponsored’ is often prefixed to ‘actor’ in an effort to suggest sophisticated and surreptitious means of data exfiltration. We simply do not know.
Fast forward to 2018 with the General Data Protection Regulation in place here in Europe, how would Yahoo have responded if such requirements were imposed on them? The timing of this revelation is poor from a business perspective – Verizon is in the process of purchasing Yahoo and this breach will not do anything to expedite the process and please customers.
To mitigate risks in the short term, consumers should avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises, such as Yahoo!”
John Madeline, CEO at RelianceACSN:
“Another signature event breaks as Yahoo! discloses a data breach thought to be the largest in history. Unfortunately, this will have resulted from the usual weaknesses in basic security hygiene, a result of “check box” exercises, poor product purchases, and the main decision makers not fully caring or understanding. However, the notable difference is the changing mood around this breach. The media and industry are holding CEO Marissa Mayer to account, questioning why she’s still in charge, making this one personal. In business, when things are personal, people start to care.
Secondly this breach has happened at an interesting time, in the window between the announcement of the acquisition from Verizon and its consummation. This will be an acid test for valuing the impact of an incident like this at a time when risk experts, lawyers, accountants and M&A specialists are engaged and scrutinising every detail with their pencil sharpeners out.”
John Bambenek, threat intelligence manager at Fidelis Cybersecurity:
“Yahoo! users have been kept on tenterhooks over the last few days with rumours circulating that their information may have been compromised. With Yahoo! now confirming the sheer scale of the breach, and that it happened back in 2014, millions of its users will likely feel extremely unsettled that their information – including names, email addresses, dates of birth, telephone numbers and encrypted passwords – has been in the wrong hands for some time now. What’s worrying is that additional data could have been compromised in the meantime. With this being the second data breach being investigated by Yahoo! within the last year, this will be a huge blow for the company in terms of reputation and user confidence.
Despite the sophistication and capabilities of those responsible, attacks such as the Yahoo! breach often involve relatively simple and well-known lures to trick users into giving attackers the foothold they need. For instance, many nation state-sponsored breaches involve ‘password reset’ emails to get users to give up their passwords. While there is very little an enterprise can do after sensitive information goes out the door, a system-wide password reset is a routine best-practice adopted almost everywhere to mitigate further damage. It certainly raised a few eyebrows when Yahoo! didn’t take that step the first time, but the fact it is reversing course is a good thing.
Ultimately, when it comes to email communication, it’s not only insecure, but it’s insecurable. To put it simply, the more sensitive the information is, the more likely it shouldn’t be put into an email.”
Chris Petersen, CTO and Co-Founder at LogRhythm:
“Breaches are damaging and expensive as Yahoo will soon find. The ramifications of a successful attack are far reaching, and could potentially impact their deal with Verizon. In addition, they’ll suffer from lost productivity, inconvenience to customers, and potentially the permanent loss of data and credibility. An organisation’s success in defending against a data breach is largely dependent on its level of preparation to respond to a successful intrusion. Attackers will successfully compromise systems, but a resulting data breach can be avoided if the company detects the intrusion quickly. For companies to do so, and avoid a data breach, they must invest in modern technology that optimally aligns people and process with advanced analytics and workflow automation. Bottom line: every organisation needs to prepare for a successful attack and be able to respond quickly. Every Yahoo user would be well advised to change their password and to be prepared for malicious emails coming their way.”
Jacob Ginsberg, Senior Director at Echoworx:
“Unfortunately, this yet again demonstrates that “good enough” is not good enough when it comes to security. Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line. If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough – using strong encryption and salting passwords should be prerequisites for any organisation handling account information.”
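The quote above contrasts "simple hashing" with salted password storage. The following is an added example, not code from the article or from Echoworx, showing why the distinction matters: with a fast unsalted hash, one precomputed dictionary table recovers every user who chose a common password, and users sharing a password are visible at a glance; with a random per-user salt and an iterated derivation (PBKDF2-HMAC-SHA256 here, a stand-in for any slow, salted scheme) each stored value must be attacked separately. The user records and the cracking wordlist are constructed for the demonstration and are not breach data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts; two users share a weak password. Not real data.
USERS = {
    "alice": "Summer2014!",
    "bob": "letmein",
    "carol": "letmein",
}

# Constructed cracking dictionary standing in for a real wordlist.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "Summer2014!"]

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Recover passwords from unsalted digests with a single precomputed table.

    The attacker hashes each candidate word once and then looks up every
    user in that table, so the cost does not grow with the number of users.
    """
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash encoded as salt$iterations$digest (all hex/decimal).

    A fresh 16-byte random salt per user means a precomputed table is useless
    and identical passwords no longer produce identical stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Build both kinds of credential store from USERS and report what each leaks."""
    unsalted_db = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted_db = {user: salted_hash(pw) for user, pw in USERS.items()}
    return {
        # Shared passwords are visible without cracking anything.
        "unsalted_duplicates": unsalted_db["bob"] == unsalted_db["carol"],
        # Same two passwords, but different salts give different digests.
        "salted_duplicates": salted_db["bob"].split("$")[2] == salted_db["carol"].split("$")[2],
        # Every dictionary password falls to one table lookup.
        "cracked": crack_unsalted(unsalted_db, DICTIONARY),
        # The salted store still verifies the legitimate user correctly.
        "verify_ok": verify_salted("letmein", salted_db["bob"]),
        "verify_wrong": verify_salted("wrong-password", salted_db["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows all three constructed users recovered from the unsalted store by one dictionary pass, while the salted store shows no repeated digests and still accepts the correct password. The salt is stored alongside the digest; its job is not secrecy but forcing the attacker to redo the slow derivation per user.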
Rob Norris, Director of Enterprise & Cyber Security in EMEIA at Fujitsu:
“It seems that not a week goes by that we don’t see a data breach of one type or another. Yahoo is once again under the spotlight for a breach that has been named the largest in history. The fact that 500 million users have been affected is worrying. But let’s not forget, it isn’t the first company to be affected. And it won’t be the last.
Many businesses, and consumers, are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access and exploit their data.
To remain ahead of their competitors – and trusted in the eyes of the consumer – organisations need to take a proactive approach when it comes to security. Organisations should focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber criminals. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. Consumers, meanwhile, need to ensure they use different passwords for different applications and are aware of the security risks when using payment information. As the number of these threats continues to increase exponentially, no business nor consumer can afford for cyber-security not to be their number one priority.”
Tyler Moffitt, Senior Threat Research Analyst at Webroot:
“Half a billion records of just emails would be impressive but half a billion names, email addresses, telephone numbers, birthdays, hashed passwords, and (the icing on the cake) “unencrypted security questions and answers” is astounding. These constant breaches only prove that the connected world we live in isn’t secure. It also reaffirms the need for one to heavily consider what info they hand off, regardless of how secure the site’s reputation is.
On the bright side, no financial data was breached.”