This evening, Yahoo revealed that information associated with at least 500 million user accounts was stolen in 2014 by what it believes to be a state-sponsored actor. The stolen data may include names, email addresses, telephone numbers, dates of birth and hashed passwords. According to Yahoo, the stolen data does not appear to have included payment card data or bank account information. IT security experts commented below.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“Yahoo users who have not changed their passwords since then really need to do so now. In addition, if users have used the same username/password combination on any other online accounts, they’re at risk of hackers gaining access to those other online accounts, if hackers can determine what other online accounts a user may have.
The Verizon purchase apparently comes with some “baggage” that they most likely do not want to be associated with. The likelihood of this breach affecting the purchase is, however, quite small. The responsible thing to do is to force all users to update their passwords; however, that action most likely will not be well received by Yahoo’s user community for a breach that happened over four years ago.
Although the number of breaches on this scale has been reduced over the years, they are far from over. Today, organizations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale.
Enterprises must first assess what hackers would likely want to steal from them. Once identified, enterprises must use all measures at their disposal to protect that data – at all costs. If an organisation does not practice due diligence, then it can be accused of negligence. Being found guilty of negligence is never good for anyone’s career.
You must protect your data. It is what hackers are after. This is all about monetary gain, and people will go to almost any length to achieve it. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data. Taking an Intelligent Hybrid Security approach will help protect what hackers are after.”
David Gibson, VP of Strategy and Market Development at Varonis:
“It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will?
There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.
Breaches of this magnitude won’t slow until incentives are re-aligned. Dark Reading released a report recently stating that 80% of CSOs cite a lack of funding as being the #1 barrier preventing them from addressing cybersecurity challenges and 51% of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand. Until organisations are willing to invest more in security technology and pay a higher price tag to attract top security talent, they can expect similar results.
Organisations need to invest more in cybersecurity teams, follow security best practices and make security a top priority if they want to stop hacks on this scale.
The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just too easy for hackers to get their hands on critical data.
Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Gubi Singh, Chief Operating Officer at Redscan:
“Criminals will spend months planning and implementing attacks on companies of this size, with attackers biding their time to avoid detection.
For companies undergoing a merger or acquisition, a comprehensive cyber security assessment can reduce risk for all parties involved and has become a key part of the due diligence process.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
Amichai Shulman, CTO and Co-Founder of Imperva:
“Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.
To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures such as rate limiting login attempts, detecting login attempts from automated browsers, treating logins from unexpected countries and anonymous sources with caution, and comparing login data to popular passwords and stolen credentials.
As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported. Organisations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”
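The detection measures Shulman lists above (rate limiting, automated-client detection, caution on unexpected countries and anonymous sources, and comparison against common passwords and stolen credentials), as an added example that is not part of the original article or of any vendor's product. Everything in it is an assumption made for illustration: the breached-password set, the stolen-credential pairs, the IP-to-country table and the anonymizer list are constructed inline; the SHA-1 prefix match models how k-anonymity lookups against a public breached-password corpus work, and the user-agent substrings are a crude stand-in for real automated-browser fingerprinting.

```python
"""Login-abuse checks combining several of the detection measures above.

All reference data below is constructed for the example, not taken from any
real breach corpus.
"""
import hashlib
from collections import defaultdict, deque


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form public breached-password corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed reference data (assumptions, not real data).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Summer2014!"}
COMMON_PASSWORD_HASHES = {sha1_hex(p) for p in COMMON_PASSWORDS}
STOLEN_CREDENTIALS = {("alice@example.com", sha1_hex("Summer2014!"))}  # from a prior dump
GEOIP = {"198.51.100.7": "US", "203.0.113.9": "RU", "192.0.2.1": "GB"}  # stand-in GeoIP db
ANONYMOUS_SOURCES = {"192.0.2.1"}  # stand-in for a Tor/VPN exit list
AUTOMATION_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl/")


class LoginGuard:
    """Evaluates each login attempt and returns the list of risk flags it raised."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # "user:<name>" / "ip:<addr>" -> timestamps
        self._home_country = {}  # username -> country of the last successful login

    def _over_limit(self, key: str, now: float) -> bool:
        """Sliding-window counter: drop timestamps older than the window, then count."""
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    @staticmethod
    def password_is_common(password: str) -> bool:
        """k-anonymity style lookup: only the first 5 hex chars of the hash would
        leave the client; all suffixes under that prefix come back and are
        matched locally. Here the 'server side' is the in-memory set above."""
        digest = sha1_hex(password)
        prefix, suffix = digest[:5], digest[5:]
        suffixes_for_prefix = {h[5:] for h in COMMON_PASSWORD_HASHES if h.startswith(prefix)}
        return suffix in suffixes_for_prefix

    def record_success(self, username: str, ip: str) -> None:
        self._home_country[username] = GEOIP.get(ip, "??")

    def evaluate(self, username: str, password: str, ip: str, user_agent: str, now: float):
        flags = []
        user_limited = self._over_limit("user:" + username, now)
        ip_limited = self._over_limit("ip:" + ip, now)
        if user_limited or ip_limited:
            flags.append("rate_limited")
        if any(marker in user_agent for marker in AUTOMATION_MARKERS):
            flags.append("automated_client")
        if ip in ANONYMOUS_SOURCES:
            flags.append("anonymous_source")
        country = GEOIP.get(ip, "??")
        home = self._home_country.get(username)
        if home is not None and country != home:
            flags.append("unexpected_country")
        if self.password_is_common(password):
            flags.append("common_password")
        if (username, sha1_hex(password)) in STOLEN_CREDENTIALS:
            flags.append("stolen_credential")
        return flags


def run_sample():
    """Runs three constructed scenarios through the guard and returns their flags."""
    guard = LoginGuard(max_attempts=3, window_seconds=60)
    guard.record_success("alice@example.com", "198.51.100.7")  # alice normally logs in from the US
    results = {}
    # 1. Legitimate login: home country, ordinary browser, unique password.
    results["normal"] = guard.evaluate(
        "alice@example.com", "c0rrect-h0rse-battery", "198.51.100.7",
        "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0", now=1000)
    # 2. Credential stuffing: password replayed from the constructed dump, scripted client, new country.
    results["stuffing"] = guard.evaluate(
        "alice@example.com", "Summer2014!", "203.0.113.9", "python-requests/2.11", now=1001)
    # 3. Burst of guesses through an anonymizing exit from a headless browser; the 4th trips the limit.
    burst = [guard.evaluate("bob@example.com", "qwerty", "192.0.2.1",
                            "Mozilla/5.0 HeadlessChrome/53", now=1002 + i) for i in range(4)]
    results["burst_first"] = burst[0]
    results["burst_last"] = burst[-1]
    return results


if __name__ == "__main__":
    for name, flags in run_sample().items():
        print(f"{name}: {flags}")
```

The per-user and per-IP limits are kept separate on purpose: a stuffing campaign spreads attempts across many accounts from few IPs, while a targeted attack concentrates on one account from many IPs, and either counter alone misses one of the two. The prefix-based lookup matters because it lets the check run against an external breached-password corpus without ever sending the candidate password, or its full hash, off the box.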
Michael Patterson, CEO at Plixer:
Brian Laing, VP at Lastline:
Michael Callahan, VP at FireMon:
Mark James, Security Specialist at ESET:
“Data breaches are on the up; they are almost a daily occurrence, but the damage they cause is massive. The data may be used for immediate financial gain, or used later along with more information to enable identity theft or phishing attacks; either way it could be very damaging for the victim.
As always in these cases it’s the end user that ultimately pays the price. Of course, from a PR point of view it’s never good for the company that was breached, but for the individual it could have long-term financial implications if things go badly wrong. It could also mean accounts may be temporarily unavailable, and for some, emails are a lifeline. Changing email address if you move to another provider is not as easy as it sounds: because of the nature of how email works, you still need access to the old email in case older websites require password resets or account recovery with the original email address.
As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.
Although it seems an easy task, stopping data breaches is not as easy as it sounds. Doing all you possibly can to stop it in the first place, ensuring that if it does happen then the data is stored in such a way it’s impossible to do anything with it and having a good contingency plan in case it happens is what organisations need to be doing.
What other businesses can learn from this is, where possible, to be proactive with your user base; the users need to be kept in the loop. If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date. We all understand data breaches are a fact of modern-day computing, but the impact can be cushioned with the correct flow of information.”
Brian Spector, CEO at MIRACL:
“It is still too early for more detailed analysis, but the attack vector commonly used to initiate attacks of this magnitude is to gain access by stealing employee or insider credentials. The credentials are still all too often simply a username and password. What the attacker knows: when a password, irrespective of how complex it may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.