
Yahoo's colossal security breach - experts give their opinions

04 Oct 2017

The latest news from Yahoo is certainly nothing to cheer about.

The Internet giant has announced that it wasn’t some accounts that were hacked, it was every single one – all three billion of them.

To provide some reference, winding back to December 2016, Yahoo announced that based on its analysis of data files provided by law enforcement, the company believed that an unauthorised party stole data associated with certain user accounts in August 2013.

At the time, this was staggering, as the number of hacked user accounts was put at around one billion. The new figure of three billion marks a three-fold increase over that estimate, and means every account that existed in August 2013 was affected.

The disclosure comes just four months after Verizon completed its acquisition of Yahoo's core internet assets for US$4.48 billion, a price that had already been cut by US$350 million because of the earlier breach disclosures.

In a statement on its site, Yahoo says that for affected accounts the stolen user information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. MD5 is a fast general-purpose hash rather than a password-hashing function, so stolen MD5 hashes offer little protection against offline guessing of weak passwords.

A number of experts have stepped forward with commentary following Yahoo’s latest announcement, including:

Rich Campagna, CEO at Bitglass

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorised access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged business impacts.”

Thomas Fischer, global security advocate at Digital Guardian

“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years.

Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family and place of work."

Ilia Kolochenko, CEO of High-Tech Bridge

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes.

Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be brute-forced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served as an example to others that cybersecurity is pivotal for digital business.”
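Yahoo's statement above says the stolen passwords were hashed with MD5, and Kolochenko's remark that hashed passwords can still be brute-forced applies directly to that choice. The following Python is an added illustration, not code from the original article or from any of the quoted experts: it runs a small dictionary attack over a constructed set of unsalted MD5 hashes (the addresses, passwords and wordlist are invented for the example), shows that identical hashes reveal which users share a password before any cracking is done, and contrasts this with per-user salted PBKDF2, where the same attack has to be repeated for every account at a tunable cost.

```python
import hashlib
import os

# Constructed sample wordlist of common passwords (illustration only).
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as described in the breach disclosure: same input gives the same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "leaked" records: invented addresses, hashes computed here, no real data involved.
LEAKED_MD5 = {
    "alice@example.com": md5_hex("sunshine"),
    "bob@example.com": md5_hex("password"),
    "carol@example.com": md5_hex("c0rrect-h0rse-b4ttery"),  # not in the wordlist, survives this attack
    "dave@example.com": md5_hex("sunshine"),                 # same password as alice -> identical hash
}


def shared_passwords(leaked: dict) -> dict:
    """Group users by hash. With no salt, equal hashes mean equal passwords, visible without cracking."""
    groups = {}
    for user, digest in leaked.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(users) for d, users in groups.items() if len(users) > 1}


def crack_unsalted_md5(leaked: dict, wordlist: list) -> tuple:
    """One hash per candidate word is enough to test that word against every account at once.
    Returns (user -> recovered password, number of MD5 computations performed)."""
    lookup = {md5_hex(w): w for w in wordlist}  # precomputed table, reusable across all users
    found = {user: lookup[d] for user, d in leaked.items() if d in lookup}
    return found, len(wordlist)


def pbkdf2_record(password: str, iterations: int = 600_000, salt: bytes = None) -> dict:
    """Store a password properly: random per-user salt plus a slow, iterated hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Same dictionary attack against salted PBKDF2. No shared lookup table is possible:
    each (user, word) pair costs a full iterated derivation.
    Returns (user -> recovered password, number of PBKDF2 derivations performed)."""
    found, derivations = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            derivations += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), rec["salt"], rec["iterations"])
            if candidate == rec["hash"]:
                found[user] = w
                break
    return found, derivations


if __name__ == "__main__":
    found, md5_calls = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: cracked {len(found)}/{len(LEAKED_MD5)} accounts with {md5_calls} hash computations")
    print("users sharing a password (no cracking needed):", shared_passwords(LEAKED_MD5))

    # Same passwords stored with per-user salt and a deliberately slow hash (iteration count lowered to keep the demo short).
    salted = {u: pbkdf2_record(p, iterations=50_000)
              for u, p in [("alice@example.com", "sunshine"), ("dave@example.com", "sunshine")]}
    print("alice and dave hashes differ despite the same password:",
          salted["alice@example.com"]["hash"] != salted["dave@example.com"]["hash"])
    sfound, derivs = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: cracked {len(sfound)} accounts, but needed {derivs} derivations of 50,000 iterations each")
```

The point of the contrast is the cost model: against unsalted MD5 the attacker pays once per candidate password for the whole user base, so a leak of three billion hashes is cracked at roughly the same cost as a leak of one. With a per-user salt and an iterated hash, the same wordlist has to be re-derived for every account, and the iteration count lets the defender raise that price over time.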

Stephen Moore, chief security strategist at Exabeam

“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers.

With behavioural analytics combined with machine learning, this actionable information should be available in a couple of clicks; not after an extended period of time."
