We have all heard the oft-repeated advice that prompting your users to change their password every six months will help keep their accounts safe and active, but the unfortunate truth is that malicious groups on the web have become far more sophisticated in their pursuit of valuable personal data. Few things illustrate this unfortunate fact better than the latest news in the ongoing Yahoo! security breach saga.
As of this week, Yahoo! leadership announced that the breaches they had originally reported in 2016 were considerably larger in scope than first thought. In this update, the third since the original announcement in 2016, Yahoo! stated that they now believe every one of their 3 billion user accounts was compromised. The Yahoo! breach became the worst security breach in the history of the Internet in 2016, and each update has made that record even more notable.
Of particular note in the Yahoo! breach were the type of information gained by the hackers and the timing of the breach. Unfortunately for Yahoo!, the breach occurred during acquisition negotiations with Verizon, which resulted in a $350 million reduction in the final price Verizon paid for Yahoo! in June 2017. It is not yet known how the latest revelation will affect Verizon, which has now fully acquired Yahoo!
Worse yet for Yahoo! and its users, the data taken by the hackers included birth dates, names, email addresses, associated phone numbers, security questions and answers (which were stored unencrypted), and passwords. Essentially, the hackers were able to access nearly all of the information users had put into their profiles under the assumption that it was secure. While all passwords were hashed, many were hashed using an out-of-date algorithm that is easy to crack.
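To make the two storage problems above concrete (a fast, unsalted password hash and plaintext security answers), here is an added illustration that is not code from the original post or from Yahoo!. It contrasts an unsalted legacy digest, where every user with the same password gets the same stored value, with a salted, iterated hash applied to both passwords and security answers. The sample accounts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def legacy_digest(secret: str) -> str:
    """Unsalted, fast digest: the kind of out-of-date scheme the article refers to.

    Two users with the same secret get identical digests, so one precomputed
    lookup table recovers all of them at once. Shown only for contrast.
    """
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def normalize_answer(answer: str) -> str:
    """Canonicalize a security answer so 'Fluffy ' and 'fluffy' verify the same."""
    return " ".join(answer.strip().lower().split())


def store_secret(secret: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Hash a password or security answer with a per-record random salt and a
    deliberately slow, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library).
    Returns a self-describing record so parameters can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_record(password: str, answer: str, iterations: int = 600_000) -> dict:
    """Store the password and the security answer the same way: both are secrets."""
    return {
        "password": store_secret(password, iterations=iterations),
        "answer": store_secret(normalize_answer(answer), iterations=iterations),
    }


if __name__ == "__main__":
    # Constructed sample users; same weak password on purpose.
    print(legacy_digest("Summer2014") == legacy_digest("Summer2014"))   # True: identical digests
    rec = build_record("Summer2014", " Fluffy ", iterations=50_000)
    print(verify_secret("Summer2014", rec["password"]), verify_secret("fluffy", rec["answer"]))
```

Raising `iterations` later only requires re-hashing at next login, because each record carries its own parameters.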
While Yahoo! has said it believes the perpetrators of the hack were sponsored by a foreign state, it has not indicated which state it believes to be responsible. Yahoo! was widely criticized for holding onto information about the breach for so long, leaving users vulnerable for longer than necessary. As a result, the company is under significant investigation by government authorities, with whom it has promised to cooperate.
Government intelligence and investigative groups have been particularly involved in the investigation into the wave of hacks that were disclosed in the late 2016 update from Yahoo!, since it appears that one of the buyers of the stolen data was in contact with the data sellers looking specifically for the accounts of known government officials from the U.S. and E.U.
What Can Other Businesses Learn From the Yahoo! Breach?
The first lesson that online businesses should take from the Yahoo! breach is to disclose information about potential security breaches early, especially if you have many affiliate sites working with you. One of the biggest problems that came up in the breach was that many users whose private information was compromised never learned of it, because they did not know they even owned a Yahoo! account. This lapse in communication occurred because Yahoo! rolled many sites belonging to companies it acquired into direct affiliation with Yahoo! mail and social media. Websites such as Flickr, for example, had their logins and passwords converted into Yahoo! accounts after the acquisition, but many Flickr users never knew this until years after their information had been compromised.
Announcing as soon as a breach is confirmed allows other partnered companies to investigate and contribute to preventing damage, and allows users to react to protect themselves as well. Additionally, the public at large sees delayed announcements of data breaches as dishonest, regardless of intent.
Companies should also realize that the basics of internet security are simply not enough anymore. Many of the Yahoo! accounts were compromised by taking advantage of an exploitable cookie, which could have been caught or prevented with better internet security policies and closer review of cookie design. Further accounts were accessed through social engineering, including phishing. Users whose accounts were not fully compromised were sent phishing emails that used details from the partial compromise to convince them they were communicating with Yahoo! officials. Companies hoping to learn from Yahoo! should recognize the power of user education in preventing phishing attacks.
Another mistake Yahoo! leadership made was resisting the use of information provided to them by some of the foremost experts in cybersecurity. In severe breaches, calling upon specialists is remarkably important, especially when those experts have had significant success engaging and handling security breaches in the past.
If you would like to know more about methods of improving your company’s internet security policies, contact us today at www.nixa.ca!