Yahoo is expected to confirm this week what Recode describes as a “widespread and serious” data breach affecting an estimated 200 million users. In light of this news, IT security experts comment below.
Peter Galvin, Vice President of Strategy at Thales e-Security:
“As a result of this hack, the personal data of millions of Yahoo! users has now been exposed on the dark web and made available to anyone who seeks it – most likely those with malicious intent. Once this data falls into the hands of these would-be criminals, users may worryingly find themselves as the victims of identity fraud or threats of ransom.
“As data breaches of this scale continue to hit the headlines, it is critical that businesses change the way they think about data protection, and broaden their mind-set beyond the classic definition of what data is considered to be sensitive. It’s never been more critical for businesses to extend robust encryption policies to cover all personally identifiable information of customers so that the data is rendered unreadable and worthless to those with malicious intent.”
Kunal Anand, CTO at Prevoty:
“Protecting a massive trove of user data is one of the biggest challenges that all businesses running web applications face. In the case of Yahoo!, there’s a lot of interesting data aside from password hashes – potentially a lot of personally identifiable information (PII) per user. I think we have to remind ourselves how many properties and brands Yahoo! operates and multiply that by the number of data points the Internet company collects from its user base.”
Bert Rankin, CMO at Lastline:
“If the Yahoo hack is indeed confirmed, it only emphasizes the critical importance of maintaining strong authentication measures in both personal and professional web applications. With so many accounts potentially open for hacker use in distributing advanced malware, a data breach of this scale will no doubt have a far-reaching impact on malware distribution worldwide. We recommend changing passwords immediately, and consider using second-factor authentication to ensure that accounts are not being used by malware spammers. Because enterprise assets such as laptops are used in blurred fashion between personal and professional every day in our daily lives, it also underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats. A hack like the alleged Yahoo! one can provide a very large distribution hub through legitimate accounts on a huge scale and for years to come.”
Brad Bussie, CISSP, Director of Product Management at STEALTHbits Technologies:
“200 million user accounts is a significant breach. Since we don’t have the specifics yet, it will be hard to say how everything happened. What we do know is that accounts that have been breached have value. The reason they have value is that people use the same password for multiple sites. The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering that many passwords is hard.
“So again, what is the value of the breached accounts to the dark web and hacker community? The true value comes from the ability for attackers to socially engineer attacks specifically targeting breached victims. They have personally identifiable information most of the time, such as names, addresses, phone numbers, and email addresses. Some breaches have even included question and answer profiles for ‘I forgot my password’ which can quickly allow an attacker to compromise victims’ email accounts. We may not realize it, but when an attacker gains control of your email, they in essence own your identity. The attacker that buys the breached credentials will dictate what level of mischief or flat-out criminal activity will ensue. Keep in mind, some attackers will design spoofing attacks to try and get at higher-profile information within an organization, while others will directly attack other websites looking for the same username/password combination they obtained from the breach. The bottom line here is: if you have a current Yahoo account or have ever had a Yahoo account, change all of your passwords – pronto.”
Mark Wilson, Product Management Director at STEALTHbits Technologies:
“Unfortunately, these large-scale incidents against high-profile organisations are becoming the norm. The reason is that all attackers want the same two things: credentials and data.
“Credentials are the mechanism to gain access to the data, and data because it has value. Therefore, it makes sense that organizations that hold vast amounts of credentials, such as Yahoo, are prime targets. Even if only 1% of the compromised credentials have access to data of any value, that’s still a full 2 million accounts’ worth of data.
“The breached credentials will provide access to data that likely contains personally identifiable information. This will allow the perpetrator access to bank accounts, credit facilities, maybe even private content such as we have seen with ‘celebrity’ home movies. All data that bad actors are prepared to pay large sums for.
“If you think about it, personal data may often have a larger dollar value than many businesses do.”