Yahoo has announced that every customer account that existed at the time of the 2013 data breach was compromised; the new figure marks a three-fold increase over the estimate it disclosed previously. The disclosure comes four months after Verizon acquired Yahoo’s core internet assets for $4.48 billion, which was already reduced thanks to the breach. IT security experts commented below.
Stephen Moore, Chief Security Strategist at Exabeam:
“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers. With behavioural analytics combined with machine learning, this actionable information should be available in a couple clicks; not after an extended period of time.”
Rich Campagna, CEO at Bitglass:
“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.
It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm.
When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business.”
Carl Wright, CRO at AttackIQ:
“This is yet again an epic failure. It is time to try something new – seriously, find protection failures before the adversary does. Consumers worldwide and shareholders deserve better. It is one thing to deploy security controls, it is completely another thing to know that they are working correctly. This is why we believe the best defense is a good offensive – continuously testing your security stack the same way the adversary does.”
Willy Leichter, VP of Marketing at Virsec Systems:
“This news will add more fuel to fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we’ve seen with the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR.”
Lisa Baergen, Director of Marketing at NuData Security:
“The truth has come out – the 2013 Yahoo! data breach of over 3 billion is at this point the largest cyber-attack in history. As the new October 2017 Identity Proofing Platform Scorecard from Javelin Research reveals, there’s so much for boardrooms, CIO’s and security teams to learn. Here’s just five lessons that haven’t been learned and hardened into most cybersecurity policies and strategies.
- Anyone transacting online needs to know that they *can’t* determine consumer identity solely based on previously confidential consumer data and outdated authentication processes. Javelin Research notes: “Identity proofing — must be tailored to the risks inherent in the channel, market, product type, scenario, and threat environment. In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.”
- Stolen credentials are big business on the dark web, and with over ten billion data records lost or stolen since 2013, criminals have a tremendous amount of consumer data to work with – some of it is very likely yours.
- Given that the average employee or consumer is very likely to reuse their same usernames and passwords across many sites, maybe it’s time to mandate policies that prohibit them from using their work addresses as secondary email addresses for verification purposes? This practice substantially expands the organization’s susceptibility to and likelihood of a phishing attack.
- Authentication that moves beyond simple logins and passwords can’t introduce new friction to interactions, because a significant percentage of customers probably won’t use it. Javelin Research: “Assessing device input behavior can create insights into digital channel fraud, but provider adoption lags. Specifically looking for unique patterns of interaction with input devices, e.g. keyboard, mouse, or touchscreen, behaviometrics can assess everything from suspicious velocity — attempting multiple applications within minutes — to aberrant navigation patterns within an online banking portal, yet the capability is only supported by 41% of ID proofing platforms.”
- Phishing – one of the oldest tricks in the fraudster’s playbook – still works. In fact, with social data and compromised credentials, it works remarkably well. If your policies and training practices aren’t up to par, you’re only inviting needless risk. Many phishing campaigns are so personalized that they have a successful open rate as high as 30%. So it’s not a question of if, but when. Are your employees up to the challenge?
“The fact is that until the organizations that hold our data adopt a tighter layered approach including passive biometric authentication, the impacts of mega breaches will continue to tear at our financial systems and consumer confidence.”
Sam Curry, CSO at Cybereason:
“The raw number of compromised accounts increase verges on the ridiculous and loses meaning as we get numbers normally only seen in astronomy. 3 billion, 2 billion, 1 billion… how does this have personal meaning when it means half the population of the world?
“The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate. This is effectively compounding the three real issues behind the Equifax breach. Today, everyone should have been working under the assumption that they were affected years ago but may need reminding to watch their identities and credit for abuse.”
Jeremiah Grossman, Chief of Security Strategy at SentinelOne:
“There will no doubt continue to be mega breaches, but in terms of personal records hacked, we’re unlikely to see anything larger anytime soon. And the reason is unfortunate — there really isn’t any bigger targets to go after. The real problem with hackers cracking our passwords lies in society’s general reuse of passwords. As a matter of convenience, millions of people tend to use same password across multiple accounts, which leaves them even more vulnerable when a breach of this scale occurs.”