Yahoo's colossal security breach - experts give their opinions

04 Oct 2017

The latest news from Yahoo is certainly nothing to cheer about.

The Internet giant has announced that it wasn’t just some accounts that were hacked; it was every single one – all three billion of them.

To provide some reference, winding back to December 2016, Yahoo announced that based on its analysis of data files provided by law enforcement, the company believed that an unauthorised party stole data associated with certain user accounts in August 2013.

At the time this was staggering, as the number of hacked user accounts was put somewhere around one billion. This new eye-watering figure marks a three-fold increase over the initial estimate.

The disclosure comes just four months after Verizon acquired Yahoo's core internet assets for US$4.48 billion, a price that had already been reduced because of the breach.

In a statement on its site, Yahoo says that for affected accounts the stolen user information may have included names, email addresses, telephone numbers, dates of birth, passwords hashed with MD5 and, in some cases, encrypted or unencrypted security questions and answers.

A number of experts have stepped forward with commentary following Yahoo’s latest announcement, including:

Rich Campagna, CEO at Bitglass

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorised access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged business impacts.”

Thomas Fischer, global security advocate at Digital Guardian

“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years.

Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family and place of work.”

Ilia Kolochenko, CEO of High-Tech Bridge

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes.

Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be brute-forced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served as an example to others that cybersecurity is pivotal for digital business.”

Stephen Moore, chief security strategist at Exabeam

“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers.

With behavioural analytics combined with machine learning, this actionable information should be available in a couple of clicks; not after an extended period of time.”
