Reports are circulating about a huge data leak of 200 million Yahoo users. This data is being offered for sale on TheRealDeal dark web market by “peace_of_mind” (aka Peace). The batch of data is, apparently, being sold for 3 Bitcoins and contains usernames, passwords and dates of birth. For users based in the United States, the dump also includes backup email addresses and users’ ZIP codes. Rizzo, technical director EMEA at HPE Security – Data Security and Brian Spector, CEO at MIRACL commented below.
Brendan Rizzo, Technical Director EMEA at HPE Security – Data Security:
“Enterprises need to follow best practices of encrypting all sensitive personal data as it enters a system. Encryption stays with the data whether at rest, in motion or in use, so if an attacker accesses the data, they get nothing of value. The ability to neutralise a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure. Credentials that never need to be recovered in clear form should be strongly protected with state-of-the art methods, for example, strong standards based keyed hashing.
Hackers will steal anything of value and this story is no exception. Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen.
We have a saying in security, it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.”
Brian Spector, CEO at MIRACL:
“This is a modern-day mega breach, and demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark Web. Consumers must be vigilant about protecting and changing their passwords regularly so that historic data like this doesn’t come back to haunt their current activity online.
“It is still too early for more detailed analysis, but the attack vectors commonly used to initialize attacks of this magnitude are to gain access by stealing employee or insider credentials. The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
“The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of two-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”