A former Yahoo engineer has confessed to breaking into as many as 6,000 email accounts belonging to Yahoo users.
- Once he had access to an email inbox, he scoured other online accounts belonging to his victims — who were primarily young women — for private photos and videos
- The photos and videos were gathered from other sites like Facebook, Gmail, iCloud, and Dropbox. Ruiz stored copies on a home computer
- He attempted to cover his tracks by destroying the computer and hard drive on which the stolen files had been stored
The story has been covered here:
The fact that Ruiz used the ‘cracked’ Yahoo passwords to gain access to users’ accounts on multiple other online services again highlights the dangers of password reuse. The scope of Ruiz’s exploits would have been curtailed if users followed password best practices and leveraged MFA on sites that offer it.
This incident once again highlights the importance of not only monitoring for threats coming from outside the organisation, but also those coming from within. Ruiz would have been able to gain access to user accounts by abusing his access privileges and unless Yahoo! was monitoring what he was accessing to identify unusual activity this would have gone unnoticed. The incident should also act as a lesson around password reuse. Ruiz was able to access people’s other online accounts by using the same password for their Yahoo! account. If people had followed advice around not using the same passwords across multiple online accounts, this could have been avoided.
This is an unfortunate case of insider threat, where an employee of a company abuses their position and access. It is one of the most difficult aspects to pick up, but it is why a culture of security within companies is important so that not only are systems created with security embedded, but any activity out of the ordinary can be picked up by technical controls, or by co-workers.
From the user side, this incident underscores the importance of having strong passwords, not reusing them across sites and enabling multi-factor authentication where possible.
This is another blemish against Yahoo’s cybersecurity reputation. The reason that insider threats are so dangerous is because insiders already know where the proverbial gold (valuable company data and IP) exists and how to get to it. They’re already far ahead of external attackers who must first break into the network and then search for valuable information – all while avoiding detection. Conventional, rules-based cybersecurity products cannot detect new threats, like malicious insiders. Basic cybersecurity hygiene, like frequent password changes and MFA into critical systems, are simple things that all organisations should use to slow down malicious insiders. Beyond that, organisations should also utilise user behaviour analytics technology that can find and flag unusual activities such as accessing a new resource for the first time, downloading information that the user has never before downloaded, logging in from new devices and at unusual times, etc. Such activities would be flagged as suspicious and action could be taken to mitigate the threat before anything bad happens.
Every employer has to deal with insider threat at one point or another. Often, company guidelines will stipulate the legal ramifications of insider threat behavior. However, as with this case, it doesn’t seem to be a deterrent. Companies should have clear divisions on what an employee can and cannot access, with breaches of those divisions monitored and recorded. Additionally, users have to be more aware of their accounts, the access to those accounts and make every effort to keep their credentials safe. This means strong passwords which cannot be guessed from simple user information. Without these measures, organisations and consumers are prone to brute force attacks, social engineering and password reset functions which often help attackers more than protect the users.
This gross intrusion of the privacy of thousands of individuals illustrates again the need for enterprise to invest more in detecting and preventing abuse of privilege. Investing in privilege pays dividends – it’s essential to protecting data from both insider and external threats. It’s also past time for companies to require two-factor authentication for sensitive services; it’s clear passwords aren’t enough and opt-in approaches only work for the already security-minded.
An internal threat from an engineer with access is one of the most difficult things to guard against, but companies like Yahoo need to do more than they are doing today. One area of exposure is doing testing on live or near-live user data, putting engineers into contact with vulnerable data. This needs to be rarely done and carefully guarded, with multiple eyes on the exercise. Another step is to limit access by job role and report any anomalies, which can be done with established technology, but it takes attention and resources to configure these controls correctly. Checks and balances exist which can limit the damage done by an insider, and enterprises need to take these steps, whether motivated by financial or regulatory reasons.
This is a stark reminder that privilege policies can be a blunt tool and that the behavior of administrative users and others granted escalated privileges need not only to be managed but their use monitored too. Trust but verify needs to be the maxim here.
There will always be misguided individuals, those who have poor judgment or are just plain bad or criminal. In cases where there are no prior convictions or criminal records, it can be challenging for potential employers to weed out such high-risk individuals. We see here the damage they can do to individuals, and their employer’s reputation when they are able to operate unchecked. I’m glad to see such abhorrent behavior will likely result in both custodial sentence and a significant fine plus restitution costs.