Following hours of speculation, Yahoo has confirmed that it has suffered a massive data breach. IT security experts from Tenable Network Security, Cryptzone, Positive Technologies, AppRiver and Alert Logic commented below.
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two most people use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.
“One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse.”
Leo Taddeo, Chief Security Officer at Cryptzone:
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul. If the investigation determines that this extremely sensitive information was stored unencrypted then serious questions need to be answered, as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.
“Any Yahoo customers would be prudent to change their passwords – although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.
“Despite many warnings, millions of users will still use very simple passwords like “1111”, “qwerty”, or their own names. According to Positive Technologies research, the password “123456” is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use dictionaries of these popular passwords to brute-force user accounts, so perhaps now is the time to employ a little creativity.
“Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency.”
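Two of the concerns raised above, security answers stored in the clear and passwords drawn from a small dictionary of popular choices, are things a service can check for at registration time. The following is an added illustration, not code from Yahoo or from any of the commenters: it rejects a candidate password that appears in a constructed blocklist of common passwords, and it stores a security answer only as a salted PBKDF2-SHA256 digest of its normalised form, so a database dump exposes neither the answer nor a reusable value. The blocklist, the normalisation rules and the KDF parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional

# Constructed blocklist for the example; a real deployment would load a far
# larger list of breached and popular passwords (assumption, not Yahoo's list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "1111", "111111", "letmein"}

# KDF parameters are an assumption for the example; tune to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def is_common_password(candidate: str) -> bool:
    """True if the candidate is in the dictionary attackers try first."""
    return candidate.strip().lower() in COMMON_PASSWORDS


def normalize_answer(answer: str) -> str:
    """Canonicalise a security answer so 'Fluffy ' and 'fluffy' compare equal.

    NFKC folds compatibility characters; lower-casing and whitespace
    collapsing are the assumed normalisation rules for this example.
    """
    folded = unicodedata.normalize("NFKC", answer)
    return " ".join(folded.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Derive a salted digest of the normalised answer; never store the answer itself."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    # Hex-encode so the record can be stored in an ordinary text column.
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_answer(answer: str, record: Dict[str, str]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_answer(answer, salt)["digest"]
    return hmac.compare_digest(candidate, record["digest"])


def register(password: str, security_answer: str) -> Dict[str, str]:
    """Registration step: refuse dictionary passwords, store only the answer digest.

    The returned dict is what would land in the database; note that the
    plaintext answer is not part of it.
    """
    if is_common_password(password):
        raise ValueError("password is on the common-password blocklist")
    record = hash_answer(security_answer)
    # The password itself would be hashed in the same way; omitted here to
    # keep the example focused on the security-answer handling.
    return record


if __name__ == "__main__":
    try:
        register("123456", "Fluffy")
    except ValueError as exc:
        print("rejected:", exc)
    stored = register("correct horse battery staple", "Fluffy")
    print("stored record:", stored)
    print("verify ' fluffy ':", verify_answer(" fluffy ", stored))
    print("verify 'rex':", verify_answer("rex", stored))
```

The normalisation is the part worth thinking about before copying: it makes recovery tolerant of capitalisation and stray spaces, but it also shrinks the answer space, so the KDF's work factor is what keeps an offline guess of a dumped digest expensive.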
Troy Gill, Manager of Security Research at AppRiver:
“The fact that Yahoo has now confirmed the breach is no surprise – the scale, however, is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact, as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and in all likelihood more impactful.
“Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.
“I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
“Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.
“Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password (as their Yahoo account) on other accounts as well.”
Richard Cassidy, UK Cyber Security Evangelist at Alert Logic:
“Without a doubt, however, anyone who has ever signed up to Yahoo services shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not); steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organization size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organizations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organizations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between third parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit. Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero-day activity that may be targeted against the organization.
“If initial reports are correct that Yahoo experienced this particular breach back in 2014, and it’s only now coming to light, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall, what has to be learned from this event is that data breaches can (and do) occur across organizations of all types and sizes. Well-defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner both internally and externally are the key to maintaining consumer and market confidence, not least providing users who have been affected with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.”