Close Menu
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Facebook X (Twitter) LinkedIn
Facebook X (Twitter) LinkedIn
Information Security BuzzInformation Security Buzz
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Subscribe
Information Security BuzzInformation Security Buzz
Home - News & Analysis - Yahoo Breach Hit 3 Billion Records
News & Analysis

Yahoo Breach Hit 3 Billion Records

ISBuzz TeamBy ISBuzz TeamOctober 4, 2017Updated:July 4, 20246 Mins Read
Share LinkedIn Twitter Facebook Copy Link Email
Share
Facebook Twitter LinkedIn Email Copy Link
Quick AI Summary
ChatGPTClaudeGeminiGrokPerplexityDeepSeekCopilot

Yahoo has announced that every customer account that existed at the time of the 2013 data breach was compromised; the new figure marks a three-fold increase over the estimate it disclosed previously. The disclosure comes four months after Verizon acquired Yahoo’s core internet assets for $4.48 billion, which was already reduced thanks to the breach. IT security experts commented below.

Stephen Moore, Chief Security Strategist at Exabeam:

Stephen Moore“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers. With behavioural analytics combined with machine learning, this actionable information should be available in a couple clicks; not after an extended period of time.”

,

.

Rich Campagna, CEO at Bitglass:

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business.”

Carl Wright, CRO at AttackIQ:

“This is yet again an epic failure. It is time to try something new – seriously, find protection failures before the adversary does. Consumers worldwide and shareholders deserve better. It is one thing to deploy security controls, it is completely another thing to know that they are working correctly. This is why we believe the best defense is a good offensive – continuously testing your security stack the same way the adversary does.”

.

Willy Leichter, VP of Marketing at Virsec Systems:

“This news will add more fuel to fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we’ve seen with the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR.”

.

.

Lisa Baergen, Director of Marketing at NuData Security:

“The truth has come out  – the 2013 Yahoo! data breach of over 3 billion is at this point the largest cyber-attack in history. As the new October 2017 Identity Proofing Platform Scorecard from Javelin Research reveals, there’s so much for boardrooms, CIO’s and security teams to learn. Here’s just five lessons that haven’t been learned and hardened into most cybersecurity policies and strategies.

  1. Anyone transacting online needs to know that they *can’t* determine consumer identity solely based on previously confidential consumer data and outdated authentication processes.  Javelin Research notes: “Identity proofing — must be tailored to the risks inherent in the channel, market, product type, scenario, and threat environment. In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.”
  2. Stolen credentials are big business on the dark web, and with over ten billion data records lost or stolen since 2013, criminals have a tremendous amount of consumer data to work with – some of it is very likely yours.
  3. Given that the average employee or consumer is very likely to reuse their same usernames and passwords across many sites, maybe it’s time to mandate policies that prohibit them from using their work addresses as secondary email addresses for verification purposes? This practice substantially expands the organization’s susceptibility to and likelihood of a phishing attack.
  4. Authentication that moves beyond simple logins and passwords can’t introduce new friction to interactions, because a significant percentage of customers probably won’t use it. Javelin Research: “Assessing device input behavior can create insights into digital channel fraud, but provider adoption lags. Specifically looking for unique patterns of interaction with input devices, e.g. keyboard, mouse, or touchscreen, behaviometrics can assess everything from suspicious velocity — attempting multiple applications within minutes — to aberrant navigation patterns within an online banking portal, yet the capability is only supported by 41% of ID proofing platforms.”
  5. Phishing – one of the oldest tricks in the fraudster’s playbook – still works. In fact, with social data and compromised credentials, it works remarkably well. If your policies and training practices aren’t up to par, you’re only inviting needless risk.  Many phishing campaigns are so personalized that they have a successful open rate as high as 30%. So it’s not a question of if, but when. Are your employees up to the challenge?

“The fact is that until the organizations that hold our data  adopt a tighter layered approach including passive biometric authentication, the impacts of mega breaches will continue to tear at our financial systems and consumer confidence.”

Sam Curry, CSO at Cybereason: 

“The raw number of compromised accounts increase verges on the ridiculous and loses meaning as we get numbers normally only seen in astronomy. 3 billion, 2 billion, 1 billion… how does this have personal meaning when it means half the population of the world?

“The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate. This is effectively compounding the three real issues behind the Equifax breach. Today, everyone should have been working under the assumption that they were affected years ago but may need reminding to watch their identities and credit for abuse.”

Jeremiah Grossman, Chief of Security Strategy at SentinelOne:

Jeremiah Grossman“There will no doubt continue to be mega breaches, but in terms of personal records hacked, we’re unlikely to see anything larger anytime soon. And the reason is unfortunate — there really isn’t any bigger targets to go after. The real problem with hackers cracking our passwords lies in society’s general reuse of passwords. As a matter of convenience, millions of people tend to use same password across multiple accounts, which leaves them even more vulnerable when a breach of this scale occurs.”

ISBuzz Team
  • ISBuzz Team
    Air Canada Data Breach: BianLian Extortion Group Claims A Massive Heist Contrary To Airline’s Earlier Statement
  • ISBuzz Team
    Unprecedented DDoS Attack Rocks The Web: Tech Giants Reveal A Digital Tsunami
  • ISBuzz Team
    CISA Flags High-Severity Adobe Acrobat Reader Flaw Amid Active Exploits
  • ISBuzz Team
    Curl Security Alert: Patching A Critical Bug Averting Potential Cyber Catastrophe

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Share. Facebook Twitter LinkedIn Email Copy Link

Related Posts

New Phishing Kit Starkiller Defeats Multi-Factor Authentication

February 23, 20264 Mins Read

ReliaQuest Uncovers Social Media Phishing Campaign Built on Trusted Tools

January 22, 20266 Mins Read

What Happens after a Phishing Email Lands in Your Inbox?

January 5, 20266 Mins Read
ISB-Bora-Side-Bar

 
ISB-Bora-Side-Bar
Black ISB Logo

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

X (Twitter) LinkedIn Facebook RSS

Working With Us

  • About Us
  • Advertise With Us
  • Contact Us

Write For Us

  • How To Contribute

The Pages

  • Privacy Policy
  • Cookie Policy
  • AI Policy
  • Terms & Conditions
  • Copyright Notice

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.

Type above and press Enter to search. Press Esc to cancel.

Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}