Following hours of speculation, Yahoo has confirmed that it has suffered a massive data breach. IT security experts from Tenable Network Security, Cryptzone, Positive Technologies, AppRiver and Alert Logic commented below.
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.
“If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.
“One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mothers maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”
Leo Taddeo, Chief Security Officer at Cryptzone:
“The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. The best defense is to deploy access controls that examine multiple user attributes before allowing access. This type of “digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.”
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“Almost every year we see reports of “millions of leaked accounts of Yahoo / Hotmail / Gmail / iTunes / etc”. We would even suspect that some of this news is “designed” especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.
“The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers haul. If the investigation determines that this extremely sensitive information were stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.
“Any Yahoo customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.
“Despite many warnings, millions of users will still use very simple passwords like 1111, “qwerty”, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporative network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use the dictionaries of these popular passwords to bruteforce the user accounts so perhaps now is the time to employ a little creativity.
“Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service employ this as a matter of urgency.”
Troy Gill, Manager of Security Research at AppRiver:
“The fact that Yahoo has now confirmed the breach is no surprise – the scale however is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.
“Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.
“I would be interested to know the findings by Yahoo when they allegedly investigated the 200million records that were for sale on the dark web. Where those able to be confirmed as valid? If so why did it take this long to inform users of the breach and why were no forced password resets issued prior?
“Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.
“Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password[as their Yahoo account} on other accounts as well.”
Richard Cassidy, UK Cyber Security Evangelist at Alert Logic:
“Overall this is a considerable data breach, especially if initial reports citing circa 500million records leaked, are indeed accurate. Furthermore, the data seems to have already been monetized (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb, especially those looking to prove credibility and stamp their name in the data heist record books (per say). Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability. Furthermore, the knock on effect financially as worried shareholders seek to exit to safer stocks, will create short to medium term fiscal unrest, however, it’s how Yahoo now communicate the details of the breach, helping users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used.
“Without a doubt however, anyone who has ever signed up to Yahoo services, shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not), steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organization size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organizations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organizations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit. Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organization.
“If initial reports that Yahoo experienced this particular breach back in 2014, and its only now coming to light, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall what has to be learned from this event, is that data breaches can (and do) occur across organizations of all types and sizes. Well defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner both internally and externally, is the key to maintaining consumer and market confidence, not least providing users who have been affected, with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.”