Another day, another Yahoo! breach. This time affecting 1 BILLION accounts and completely separate from the already disclosed 2014 breach.
The Guru was inundated with great comments and reactions from some of the world’s best cybersecurity experts.
Lee Munson, security researcher, Comparitech.com:
“When Yahoo admitted earlier this year that it had been attacked in 2013, there were suggestions that the number of compromised accounts could place the company somewhere near the top of the pile in terms of the biggest ever data breaches.
“Now, there is no doubt, after it emerged that more than one billion accounts were compromised in the same year, possibly in an entirely separate attack.
“The worrying part of this news is the fact that the communications company does not appear to have noticed this second breach until November of this year, giving the attackers plenty of time to make merry with the stolen credentials.
“Thus, it is imperative that everyone with a Yahoo account should change their password immediately. Not only that, they should also change passwords elsewhere on the web too, if they have reused the same one across several accounts.
“New passwords should be unique to every site and account used and should be strong – lengthy, using letters, numbers and symbols, but not including words or dates of birth.
“Given the fact that Yahoo has said security questions and answers may also have fallen into unfriendly hands, its customers should, in fact, review every aspect of their personal security across the internet, especially for the most sensitive of accounts, such as online banking and credit card accounts.
“Additionally, the leaking of email addresses also makes it likely that Yahoo customers could be targeted by phishing attacks, prompting them into changing their login credentials on fake sites that are designed to look like banks, etc. – so the advice here is to never click on links found in emails, unless absolutely certain that they have come from a legitimate source.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“Yahoo must feel like it has a giant target on its back at the moment. Given its years of operation it has amassed a vast trove of people’s personal data, which seemingly draws hackers like moths to a flame. As the wholesale trading of stolen personal data continues online, the value of such a massive database of names, email addresses, phone numbers and passwords will have commanded a good price on dark online markets, especially when they were fresh.
“Forensic analysis will eventually determine the entry point for the attacker, but the fact it is not currently known will probably be causing much angst. It is only once this is found and fixed that the brand can begin to pick up the pieces and truly reassure users.
“Yahoo users should be aware of increased phishing attempts, as well as being wary of unsolicited texts and phone calls, given that mobile numbers were stolen. Now would be a great time to change passwords across the board, on everything from social media to other online services.”
Brian Laing, VP at malware detection firm Lastline:
“The damage inflicted upon a big business from a well-orchestrated attack can exact costs for decades to come. These costs can range from the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement to the soft-but-real losses of escalating customer churn and brand value decline.
“Companies too often fail to account for the magnitude of potential losses when resourcing preventative measures. Perhaps a Yahoo – Verizon deal adjustment may stand as a sober reminder of how important it is to get a state-of-the-art cyber defence strategy in place.”
Javvad Malik, Security Advocate at AlienVault:
“Companies will always be targeted and breaches will occur. The larger the company, the more likely it will be targeted and breached. This statement should not come as a surprise to anyone.
“However, it is vitally important to be able to detect a breach in a timely manner so as to either prevent the breach, to minimise the impact, or to forewarn users, customers, and shareholders so that steps can be taken to prevent being caught off guard.
“However, when a breach is disclosed after three years, it has almost zero value. The damage has been long done and people could have ended up victims without realising the source.
“The lack of breach detection is extremely worrying, and should serve as a reminder to all organisations of all sizes that if you hold user data, you have a responsibility to secure it.”
Mark James, IT Security Specialist at ESET:
“Yahoo has announced overnight that yet another breach has happened involving more than 1 billion of their user accounts. As breaches seem to be happening more and more these days we can be forgiven for allowing data breach news to fall on deaf ears, but we need to get this in perspective here: this breach supposedly happened in 2013. According to the source “internetlivestats”, in 2013 the internet users worldwide amounted to just over 2.7 billion. Yahoo states over 1 billion user accounts were compromised; that’s over one third of the total internet users at the time. For perspective, just imagine as you’re walking down the street that every third person you see has had their details stolen, and they are now accessible on the internet.
“So what can you do about the breach? NOTHING. There is nothing you can do about that particular breach, but you can try and limit any further damage as a result of your data going missing. Whenever headlines like this make the news, normally the first thing you read is “change your passwords”; it’s becoming the “go to” statement, but it’s a very valid point and one that should be default for any account that’s involved in a breach. When your data is stolen, purchased, hacked or traded, your details may be used to gain access to other accounts or logins; changing those compromised passwords and any other account that may be using the same passwords could limit access for the criminals. You also need to think about any secret questions and answers that were used. If you’re not already, be over-cautious about emails or communications arriving out of the blue, especially any that require you to validate details or hand over further information, and always take a few minutes to make separate enquiries before giving up more private data.
“If you have not already, now might be a good time to get a password manager; many versions exist, both free and paid for, that allow you to generate unique passwords for every site you visit as well as store all your existing ones and evaluate your current passwords to see how good they are. Lastly, consider two factor or two step verification for your accounts that allow it. A really good site to see if your service uses or allows 2FA is https://twofactorauth.org/; this gives you an extra level of protection above your username and password that is very easy to use and will stop others accessing your details without your permission.”
Amichai Shulman, CTO of Imperva:
“If there’s one thing we learned in 2016, it is that breaches – and this latest Yahoo! one is one of the largest ever – can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped up on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years. This Yahoo! breach and others before it from LinkedIn, Dropbox and Yahoo! itself teach us a couple of things:
– Attackers are still ahead of enterprises, even the larger companies, when it comes to covering their tracks (which we pointed to at the end of 2015). The alleged breaches were only detected once the leaked information surfaced on the web.
– In these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches, a lot of the potential damage could have been avoided.
“We can expect these “ghost hacks” from 2013 and 2014 to continue to haunt us in 2017, and likely in even bigger numbers than we’ve seen so far (in terms of incidents, not in terms of records). Enterprises should attempt to avoid exfiltration of sensitive information, especially when the attack is entirely from remote sources. And while ideally we’d catch these attacks in real time, if we focus on “timely detection”, where we identify the breach a few days or even a month later, it is still better than three years.”
Ryan Kalember, SVP of cybersecurity strategy at Proofpoint:
“It’s critical that consumers and business alike realise that email credentials can be the gateway to more sensitive information than nearly anything else. News of the additional Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organisations and they target personal inboxes and account information with the same aggressiveness.
“Email is a necessity in our digital society and attackers are constantly working to exploit it. When a hacker gets into your email account, they can also steal sensitive information like your name, date of birth, past passwords, and even your security questions and answers. The breach provides a direct link between an attacker and a victim.
“If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allows the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same: trust is broken and information is at risk.
“With the level of information available, cyber criminals will continue to attack companies and they won’t stop while they’re still being rewarded. Today, one billion consumers were breached. What will happen tomorrow? Businesses have to take the necessary steps in order to ensure that they don’t become the next headline.”
David Gibson, VP of strategy and market development at Varonis:
“The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.
“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL users’ emails behind their security team’s backs. The thing about backdoors is that bad guys can find them too.
“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.
“Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.
“Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.
“The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.
“Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5); however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”.
“Users can learn more about what makes the best password from the internet security basics course that we’re running with security expert, Troy Hunt.”
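Two of the comments above turn on the same point: the leaked store was unsalted MD5, and the years between leak and detection were enough to resolve most of it. The example below is added here and is not Yahoo!’s or any commenter’s code; it uses constructed user records and a constructed short word list to show what an auditor sees in an unsalted store (equal passwords collide, one precomputed table covers every user) and what a per-user salt with PBKDF2-HMAC changes.

```python
"""Unsalted MD5 versus a salted, iterated scheme. Added illustration with
constructed sample data; the password "thisismypassword" is the one quoted
in the comment above, the user records and word list are made up here."""
import hashlib
import hmac
import os

# Constructed sample: three users, two of whom chose the same password.
USERS = {
    "alice@example.com": "thisismypassword",
    "bob@example.com": "thisismypassword",
    "carol@example.com": "correct horse battery staple",
}

# Constructed stand-in for a public word list / precomputed hash table.
COMMON_WORDS = ["password", "123456", "thisismypassword", "letmein"]


def md5_store(users):
    """Unsalted MD5, the scheme the comment describes: one hash per password,
    no per-user input, so the same password always yields the same digest."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def pbkdf2_store(users, iterations=200_000):
    """Per-user 16-byte random salt plus PBKDF2-HMAC-SHA256. Each record keeps
    (salt, iterations, digest) so verification can repeat the same work."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, digest)
    return store


def verify_pbkdf2(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def duplicate_hash_groups(md5_hashes):
    """Defender's check on an unsalted store: identical digests mean identical
    passwords, so recovering one password unlocks every account in the group.
    Returns {digest: [users]} for groups larger than one."""
    groups = {}
    for user, digest in md5_hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(us) for d, us in groups.items() if len(us) > 1}


def table_coverage(md5_hashes, words):
    """How much of an unsalted store one precomputed table resolves: the table
    is built once (word -> md5) and applied to every user with no per-user
    work, which is why elapsed time favours the holder of the dump.
    Returns the set of users whose stored digest appears in the table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    return {u for u, d in md5_hashes.items() if d in table}


def salted_digests_distinct(store):
    """With per-user salts, equal passwords no longer share a digest, so a
    table keyed on the bare password cannot be reused across users and the
    iteration count must be paid again for every account."""
    digests = [rec[2] for rec in store.values()]
    return len(set(digests)) == len(digests)
```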
Oliver Pinson-Roxburgh, EMEA director at Alert Logic:
“The most critical part of an incident response process is lessons learnt. Organisations need to question how far the rabbit hole goes in all cases. As things are detected during an incident, work streams should be started to question where else data resides and how it can be accessed from the systems hacked. The lessons learnt is second only to how you respond to an incident in the first place. How to respond relies on what information you have; getting pertinent information when under extreme pressure is tough when you are in this position.
“It seems that in this case the investigators are still uncovering information, which again supports the fact that on average an attacker will be in 205 days or more before detection. It also supports the fact that, in many cases, organisations are unable to self-detect. An over-reliance on blocking technologies and the lack of expertise, as well as the lack of focus on detection coverage across the kill chain, is often the biggest challenge for organisations. In many cases for larger organisations the challenge of getting visibility is compounded by complexity; the fact that the investigation is ongoing suggests that complexity is hampering them.”
Alex Cruz-Farmer, VP at NSFOCUS:
“This is another huge blow for Yahoo!, and an example of where adoption of the latest security methods has not been implemented. We all can learn from Yahoo!’s misfortune, teaching us how to pre-empt and react to [potential] breaches, because the tools are out there on the market to help. With Yahoo! being such a behemoth organisation, the question here is – did they invest in security and, if so, how did it go so wrong?”
Jason Hart, Chief Technology Officer, Gemalto:
“What’s concerning about this breach is that Yahoo still hasn’t been able to confirm the source of the intrusion yet, and the fact that it took them over 3 years to discover a breach of this magnitude speaks to the amount of work we in the security industry still need to do. If Yahoo, one of the largest tech companies in the world, is struggling with security, how can companies with fewer resources combat these bad actors?
“According to Gemalto’s Breach Level Index, over one billion records have been compromised in 2016. The BLI tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful. Using what we currently know about this latest Yahoo breach, this would be the largest data breach of all time.”
Andersen Cheng, CEO, Post-Quantum:
“The latest Yahoo breach is catastrophic in numbers – easily the biggest data breach we have seen to date. Even more worrying is why this took so long to be disclosed, with the incident taking place nearly four years ago. It looks like these kinds of deals between companies will disclose even more of these historical incidents as we move forward.
“M&A and IPO activities are on the rise, and they will continue to gather pace in 2017, such is the sheer volume of, and the demand to invest in, the next tech ‘unicorn’. With this uptick in activity, there is a good chance that we will see data issues such as breaches or hacks uncovered as companies carry out their due diligence before deals are finalised. I expect there will be a few more unpleasant surprises uncovered next year.”
Jes Breslaw, EMEA director of strategy, Delphix:
“Time and time again we have seen that even the most basic of personal identifiable information puts consumers at risk. Names, addresses and contact information all hold money-making potential for opportunistic social engineers on the dark web.
“The latest Yahoo data loss reinforces why organisations need to prioritise the development of robust security measures. Not only did it take Yahoo three years to disclose the largest breach in history but it was using one of the least resilient security measures available. Had the EU’s General Data Protection Regulation (GDPR) already been in operation then Yahoo could be facing a fine in the region of $200 million for its failures in due diligence.
“The challenge has always been that more robust security measures, such as masking both production and test data, are an expensive and complex task that organisations have avoided. In order to overcome this barrier and be prepared for a post-GDPR world, organisations need to start considering new technologies, such as data masking and data virtualisation, that pseudonymise data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business from costly data breaches and ensure compliance while improving agility and time-to-market.”
Jovi Umawing, Malware Intelligence Researcher, Malwarebytes:
“It’s already tricky for people to keep track of the numerous Yahoo! breaches, and another report may likely be the last straw for those who were unsure of whether they’d keep using the company’s services or not. This, of course, may affect strategic decisions on Verizon’s side.
“Nothing is 100% secure, but companies must do their part in making it difficult for attackers to compromise their security perimeters while reminding others of safe computing practices. At this point, one has to wonder what advice is left for Yahoo! to give, and what embattled service users can do to keep themselves out of harm’s way.”
Raj Samani, CTO EMEA, Intel Security:
“With another Yahoo data breach coming to light, affecting more than one billion accounts, customers will understandably be concerned with finding out the extent to which their data has been compromised. Yahoo! has not yet identified the intrusion associated with this theft but, whatever the attack method used, this data breach is yet another sign that many organisations need to reject conventional defense paradigms and favor radical new thinking to really gain the upper hand in cybersecurity.
“Stolen user account information potentially includes names, email addresses, telephone numbers, dates of birth and even, in some cases, encrypted or unencrypted security questions and answers. Worryingly, much of this information will also be used by account holders across various other services, leaving other businesses at risk of being targeted with this stolen data. Our Hidden Data Economy report revealed that the marketplace for stolen data is thriving. Not only are huge amounts of stolen information readily available online, but buyers do not even have to delve into the darknet to access this information. Almost any information you can imagine can – and is – being sold online. A quick reaction is vital – recognising when a data breach has occurred and moving quickly to inform customers is key if they are going to stop cyber criminals from exploiting any stolen data.”
“With swathes of sensitive customer details now in the hands of criminals, this breach should serve as a warning to businesses. Organisations should be ensuring the right security measures are in place to effectively protect customer information. By rejecting old playbooks to be newly unpredictable, becoming collaborative instead of hoarding information and learning to prioritise cyber defence, companies can protect their data against the increasing threat landscape.”
David Mount, director, security solutions consulting EMEA, Micro Focus:
“As with most data breaches, news of this latest hack from Yahoo! is likely to spawn a host of articles questioning whether passwords are still fit for purpose, given up to a billion have been compromised here. But we shouldn’t rush to condemn passwords, because they can still be useful. They’re easy to use, simple to deploy, and relatively cheap to manage. That said, as the Yahoo! data breach shows, passwords are also too easy to steal and security strategies usually place too much emphasis on users sticking to good password hygiene. One of the reasons why username and password databases make such good targets for hackers is that users apply the same password across many different online services, opening themselves up to broader issues if even one service is compromised.
“Examples like this Yahoo! breach show that we are probably reaching the end of the password as a useful single factor of authentication. We need a more effective way to securely prove who we are without relying solely on passwords. The answer could be tokens, smartphones, biometrics, behavioural indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured. But what is clear is that relying on a user to devise (and remember) a sufficiently secure password is fundamentally flawed.”
Corey Williams, Senior Director, Products and Marketing at Centrify:
“Turns out the largest breach in history of 500M Yahoo! accounts in 2014 is only half as much as the new largest hack ever discovered – 1 billion Yahoo! accounts lost in 2013.
“Whether you stay with Yahoo! or switch to another provider, my advice is the same. Fasten your ‘cyber safety belt’ by turning on multifactor authentication. Maybe this large scale event will serve to raise awareness about the inadequacy of the common password and to introduce the “cyber safety belt” — two-factor authentication.
“Yahoo! is simply not safe to use unless you turn on Yahoo Account Key or another multifactor authentication solution.”
David Navin, Head of Corporate at Smoothwall:
“Cyber hacks are becoming an increasingly regular occurrence with this latest hack of Yahoo being the largest we’ve ever seen. No company is immune to the threats of cybercrime, and this should be yet another wake up call for businesses, pushing them to be prepared for when a breach will inevitably happen. It is imperative that companies ensure that they have a robust security system in place to mitigate these risks and to safeguard their data should a breach occur.
“Recent research revealed that 13% of businesses believe they could lose customers in the event of a breach, which demonstrates that there is still a naive mind-set from those that don’t think a breach will affect their reputation. It needs to be hammered home that every company is vulnerable and will suffer the repercussions should a breach occur.
“The importance of security needs to be at the top of every boardroom’s agenda and across the C-suite. They need to ensure that they are complying with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance. Companies, no matter how big or small, all need to have all the measures and contingency plans in place so that if a breach does occur, they are able to recover and instil customer confidence as soon as possible.”
Mike Ahmadi, global director – critical systems security at Synopsys:
“It is rather interesting to see the issue of cybersecurity risks being used as leverage in an acquisition, even if it is only speculation. It seems like the market is ripe for a third party evaluation and certification as a way to demonstrate some level of due diligence.”
Paul Calatayud, CTO FireMon:
“The fact that Yahoo is not sure how the breach occurred is not uncommon. Often the forensic data is there, but being able to sift through the complexities and scale of a large technology base is a challenge.
“For all of us, this breach is a reminder that your online identities are always at risk. There is a lot of talk about making sure you have strong passwords, but when those passwords are exposed in a breach, there is a different issue that arises – what else can the hackers do with knowledge of your password?
“Other websites may share passwords because you have decided to remember one long strong password that is reused across other accounts.
“Worse yet, your username is often the email account, which is easily guessed or known to the hacker.
“The best way to mitigate the impact of the Yahoo breach would be to ensure you use unique passwords across your web accounts. That way any breach does not expose additional data or information contained in other systems.
“Breaches are very difficult to prevent, but the exposure and impact of a single breach is something you can manage with unique account practices.”
Philip Lieberman, CEO of Lieberman Software:
“The truth and lesson to be learned from this situation is that you must always be looking for intrusions, expect them, expect they will not be discoverable, and operate your infrastructure to minimize losses. If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security as Yahoo now finds themselves. The competitors to Yahoo operate their shops looking for these types of intrusions and when they see personally identifiable information (PII) leakage, they shut it down. The key to the success of their competitors is the investment in people, processes and technology to mitigate losses.
“The fact that the CISO cannot identify the source of the loss says everything: they are simply not operating their shop for an acceptable loss outcome. Simple salting of the user database (inclusion of special dummy records) could provide them with the visibility to the source of the loss, but even this simple technique was not used, given the total lack of understanding of the loss. Security behind the protection of PII is a matter of culture and dedication, and is not necessarily a money issue. The core of this problem lies at the feet of the CEO and Board of Directors in this case in not managing and monitoring their most precious asset, their customers’ information, and thereby damaging shareholder equity.”
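Lieberman’s closing point, planting dummy records so that a leaked copy of the user table identifies where it leaked from, is worth seeing concretely. The example below is added here and is not Lieberman Software’s or Yahoo!’s code; it assumes a defender who hands distinct copies of the table to distinct systems (the copy names, records, key and “dump” are all constructed) and who keeps the HMAC key outside the database.

```python
"""Canary records for attributing a leaked user table to the copy it came
from. Added illustration with constructed data; the copy names, users,
secret key and the sample dump below are all made up for this example."""
import hashlib
import hmac


class CanaryRegistry:
    """Keeps the mapping canary -> copy name. The key and this registry stay
    with the defender, not in the database that is being protected, so a
    reader of the table cannot tell canaries from genuine accounts."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._owner = {}      # canary e-mail -> copy name
        self._planted = {}    # copy name -> [canary e-mails]

    def _canary(self, copy_name, index):
        # Deterministic per (key, copy, index), so the registry can be rebuilt
        # from the key alone. Kept as a bare hex local part for brevity; a real
        # deployment would generate plausible names and mailboxes.
        msg = f"{copy_name}:{index}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:10]
        return f"{tag}@example.com"

    def plant(self, copy_name, records, count=3):
        """Return a new record list: the real records plus `count` canaries that
        exist only in this copy. Each system, partner or backup gets its own."""
        canaries = [self._canary(copy_name, i) for i in range(count)]
        for c in canaries:
            self._owner[c] = copy_name
        self._planted[copy_name] = canaries
        return list(records) + [{"email": c, "name": "Canary Account"} for c in canaries]

    def attribute(self, dump_emails):
        """Given the e-mail column of a suspected dump, return
        {copy_name: number_of_its_canaries_seen}. Empty dict: no copy matched.
        Normalises case and whitespace so reformatted dumps still match."""
        hits = {}
        for e in dump_emails:
            owner = self._owner.get(e.strip().lower())
            if owner:
                hits[owner] = hits.get(owner, 0) + 1
        return hits

    def canaries_are_distinct(self):
        """Sanity check: no canary may appear in more than one copy, or the
        attribution would be ambiguous."""
        all_canaries = [c for cs in self._planted.values() for c in cs]
        return len(set(all_canaries)) == len(all_canaries)


# Constructed sample data.
REAL_USERS = [{"email": "alice@example.com", "name": "Alice"},
              {"email": "bob@example.com", "name": "Bob"}]
SECRET = b"constructed-demo-key-never-stored-with-the-data"


def demo():
    """Three copies of the table go to three places; a dump later surfaces that
    carries the real users plus two canaries. Returns the attribution."""
    reg = CanaryRegistry(SECRET)
    reg.plant("analytics-warehouse", REAL_USERS)
    reg.plant("partner-export", REAL_USERS)
    backup = reg.plant("offsite-backup-2013", REAL_USERS)
    # Suspected dump: the two real users and the first two backup canaries,
    # with the kind of case/whitespace noise a pasted dump tends to have.
    dump = [r["email"].upper() + " " for r in backup[:4]]
    return reg.attribute(dump)
```

The canary mailboxes should also be real, monitored inboxes: mail arriving at one is a second, independent signal that the copy holding it has leaked.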