Yahoo has been hacked, again.
The company on Wednesday disclosed that a newly discovered data breach had exposed the private information of more than one billion Yahoo users. It is believed that this breach is separate from the breach disclosed this September, where 500 million accounts were jeopardized. Regardless, the news means Yahoo has been the target of the two largest data breaches to date.
To make matters worse, Bob Lord, Yahoo’s Chief Information Security Officer, announced that the company hasn’t been able to determine where the intrusion came from and how the data from the 1 billion accounts was stolen.
The unanswered questions are especially troubling for Verizon, which agreed to buy Yahoo for US$4.8 billion back in July, and the security incidents have left Verizon considering a “material change” in the deal, possibly a major discount of about $1 billion off its purchase price, according to a MarketWatch report.
Verizon isn’t the only one troubled by Yahoo’s security problems. Compromised individuals were notified by Lord that stolen user account information may include e-mail addresses, telephone numbers, dates of birth, hashed passwords, and in some cases encrypted or unencrypted security questions. According to Ebba Blitz, CEO of Alertsec, these users will significantly lose trust in the brand, and it might be difficult for Yahoo to ever get them back.
Consumers concerned, slow to forgive Yahoo
In an Alertsec survey, the company found 97% of Americans find data breaches unsettling. One in three Americans said it would take them several months to begin trusting a company like Yahoo again following such a data breach, and 22% said it would only take them a month to forgive. Seventeen percent of men and 11% of women said their trust would be permanently lost.
According to the survey, “When Americans learn a company has had a data breach, 67% check to see if their information or identity has been compromised, and 35% worry about their information, even if they are not directly connected to the company.”
Twenty-nine percent said data breaches prompt them to focus on improving their own online security, and only 3% of Americans reported feeling “unfazed” by these data breaches.
Yahoo breach shows “colossal failure”
Despite the appropriate actions Yahoo is taking to enhance the safeguards and systems in place, experts suggested that the fact that Yahoo has not been able to preempt these attacks or identify their causes more quickly is a “colossal failure on their part,” said cybersecurity veteran and CEO of BigID, Dimitri Sirota.
Alex Farmer, vice president of cloud services at NSFOCUS, a network and application security company, called this latest breach “another huge blow for Yahoo,” and said that it’s an example of where proper security methods need to be implemented.
“You could argue that funding or investment in security is not the challenge [with Yahoo], and it comes down to the sheer size of their operation and the possible lack of agility and execution,” said Farmer.
Sirota said that these breaches should remind the public that the exploits are no longer just about getting credit card information and bank accounts. The U.S. government recently showed the public that thieves and hackers are clearly looking for something (or someone) specific, he said, and whether it was to exploit them, blackmail them, or publicly embarrass them, the theft of data and personal information affects the individual in the end.
Sirota added that the combination of vulnerability and rich targets could be a reason Yahoo has been the subject of not one, but two large data breaches.
“Remember that the 1 billion number masks the likely intention of targeting individuals,” said Sirota. “Yahoo was one of the first Internet services, so many of the people in government today likely were early users.”
Farmer said organizations can learn from Yahoo’s “misfortune” as it teaches them how to react to potential breaches promptly. Plus, he said there are tools on the market that can help. The question is, according to him, “Did Yahoo have them, and if so, why did they not work?”
Even if Yahoo had the right tools and systems in place, the company has apparently been a prime target for hackers for a long time, according to George Avetisov, CEO and cofounder of HYPR, who cited an investigative report by The New York Times. Part of Yahoo’s problem is the company continued to use an insecure hashing algorithm, and it has an old and relatively insecure infrastructure in general, he said.
Other companies can learn from these incidents, according to Avetisov, who said companies need to invest in their internal security infrastructure. He said if Yahoo had made those fundamental upgrades to their security systems, the breach likely would have been avoided.
Sirota also outlined some lessons learned from this experience, suggesting that other companies invest in detection. This includes investing in more prevention-and-response technologies, and investing in tools that monitor endpoints, databases and networks.
Organizations also need to better track high-value individuals and their data, so they need more intelligence around individuals, not just databases and endpoints.
“What’s missing is user context,” said Sirota. “You need to be able to track by users because that is what is under threat.”
Individuals who were exploited in this breach can take measures into their own hands to protect themselves, now and in the future. Sirota said that as a rule, users should not leave dormant accounts, and if “they stop using a service, they should delete info. And if they are using it, they should change the password and adopt a secondary authentication system like biometrics.”
Moving forward, compromised individuals should assume that all of their other Internet accounts are now at risk because of this breach, said Avetisov. The fact that hackers now have access to addresses and security questions will allow them to “initiate social engineering attacks and password resets on unsuspecting victims,” he said.
“People reuse passwords and answers to security questions,” said Avetisov. “For a breached user, their Yahoo password reset security answer from 2009 may just come back to haunt them. It will be months and years before we see the true extent of the damage caused by this breach.”